Wireshark tcp.window_size_scalefactor


A typical TCP conversation starts with a TCP three-way handshake (3WHS). This involves the exchange of SYN, SYN/ACK and ACK packets between the nodes.

In a Wireshark capture I often wish to follow a TCP conversation from the very first packet to the last. Wireshark 1.6.0 and above has a display filter which will display all the TCP sessions that have their 3WHS in the trace file.


The values of window_size_scalefactor and their meanings are as follows:
-1 : No three-way handshake has been observed, so it is unknown whether window scaling is used or not.
-2 : No window scaling is negotiated between the nodes.
0 or more : Window scaling is negotiated and this is the announced window scaling factor for this flow.

tcp.window_size_scalefactor!=-1 would list all the conversations for which the 3WHS was observed. Note that this display filter won’t display the SYN packet or the SYN/ACK. It displays all the packets following the 3WHS. To display the conversations along with the SYN and SYN/ACK, you can do either of these two things:

  1. Right click on the packet of interest and choose the Follow TCP Stream option from the context menu.
  2. Logical OR the display filter with tcp.flags.syn==1.
tcp.window_size_scalefactor!=-1 or tcp.flags.syn==1
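
The value semantics and the two filters above, as a simplified Python model added here for illustration (not code from the original post and not Wireshark's dissector logic). The packet tuples, the function names and the reporting of the factor as the multiplier 2**shift are assumptions of this example.

```python
# Simplified model of the -1 / -2 / >=0 values described above.
# Packet tuple (constructed): (stream, direction, tcp_flags, wscale_shift_or_None)
UNKNOWN, NO_SCALING = -1, -2

SAMPLE = [  # constructed sample capture
    (0, "c2s", "S", 7), (0, "s2c", "SA", 7), (0, "c2s", "A", None), (0, "s2c", "PA", None),
    (1, "c2s", "S", None), (1, "s2c", "SA", None), (1, "c2s", "A", None),
    (2, "c2s", "PA", None), (2, "s2c", "A", None),  # capture began mid-stream, no 3WHS
]

def annotate(packets):
    """Return (packet, scalefactor) pairs; scalefactor is None on SYN and SYN/ACK."""
    state = {}  # stream -> window scale shift per direction
    out = []
    for pkt in packets:
        stream, direction, flags, shift = pkt
        flow = state.setdefault(stream, {"c2s": UNKNOWN, "s2c": UNKNOWN})
        rev = "s2c" if direction == "c2s" else "c2s"
        if "S" in flags:
            if shift is None:
                # One side omitted the option: scaling is off for both directions.
                flow[direction] = flow[rev] = NO_SCALING
            elif "A" in flags and flow[rev] == NO_SCALING:
                # SYN/ACK offers scaling but the SYN did not: still not negotiated.
                flow[direction] = NO_SCALING
            else:
                flow[direction] = shift
            out.append((pkt, None))  # the field is not shown on SYN packets
        else:
            s = flow[direction]
            out.append((pkt, 1 << s if s >= 0 else s))
    return out

def display_filter(annotated, include_syn=False):
    """Model of tcp.window_size_scalefactor!=-1 [or tcp.flags.syn==1]."""
    return [p for p, sf in annotated
            if (sf is not None and sf != UNKNOWN) or (include_syn and "S" in p[2])]

def streams_with_handshake(annotated):
    """Streams whose three-way handshake is present in the capture."""
    return sorted({p[0] for p in display_filter(annotated)})

if __name__ == "__main__":
    ann = annotate(SAMPLE)
    print(streams_with_handshake(ann))             # streams 0 and 1
    print(len(display_filter(ann, include_syn=True)))
```

Stream 2 never matches either filter because its handshake is missing from the capture, which is the case the -1 value flags.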


Source: https://ask.wireshark.org/questions/230/displaying-all-tcp-connections-with-syn-packets

About Deepak Devanand

Seeker of knowledge