
Wireshark-bugs: [Wireshark-bugs] [Bug 5541] New: Custom Window Size Column Shows Two Values and

Date: Sat, 1 Jan 2011 20:28:00 -0800 (PST)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5541

           Summary: Custom Window Size Column Shows Two Values and Doesn't
                    Sort Properly
           Product: Wireshark
           Version: 1.5.x (Experimental)
          Platform: x86
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: Jim@xxxxxxxxxxxxxxxxx


Created an attachment (id=5689)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=5689)
TCP Packets with Scaled Window Size Values

Build Information:
Version 1.5.0-SVN-35322 (SVN Rev 35322 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.16.6, with GLib 2.24.2, with WinPcap (version
unknown), with libz 1.2.3, without POSIX capabilities, without libpcre, with
SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS 2.8.5,
with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP, with PortAudio V19-devel
(built Jan 1 2011), with AirPcap.

Running on 32-bit Windows Vista Service Pack 2, build 6002, with WinPcap
version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0
branch 1_0_rel0b (20091008), GnuTLS 2.8.5, Gcrypt 1.4.5, without AirPcap.

Built using Microsoft Visual C++ 9.0 build 30729

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.
--
Wireshark 1.4.2 has a single TCP Window Size field in the Packet Details pane,
and it shows either: (1) The actual value in the window size field of the TCP
header, or (2) the scaled window size if Wireshark has seen the TCP handshake
and knows the window scale factor [noted by "(scaled)" in the display]. I have
added a custom Window Size column to my Packet List pane so that I can sort on
the Window Size and look for cases where the client's TCP receive buffer is
filling up and slowing or stopping the data transfer.

Wireshark 1.5.0-SVN-35322 has added a pseudo field that shows the scaled window
size. The "real" field shows the actual value from the window size field of the
TCP header, and the pseudo field shows the scaled window size.

Both window size values--unscaled and scaled--now appear in the custom Window
Size column, making it difficult to read, and it no longer sorts properly.

Right-clicking the "real" Window Size field, selecting Copy > Field Name, and
pasting into a text document shows a field name of tcp.window_size. Doing the
same with the new pseudo field shows the SAME field name: tcp.window_size.

In the attached trace file, packet 66 has a window size value of 107. This host
is using a window scale factor of 6 (multiply by 64), so the actual window size
is 6,848 bytes.

Packet 86 has a window size value of 28. This host is using a window scale
factor of 9 (multiply by 512), so the actual window size is 14,336 bytes.

When I sort by Window Size in ascending order, Wireshark 1.4.2 shows packet 66
above packet 86, but Wireshark 1.5.0-SVN-35322 shows the reverse--packet 86
above packet 66.

Shouldn't the two window size fields be identified by different field names so
that they can be filtered on or added to custom columns independently? This
would also correct the sorting issue.

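An added example, not part of the original bug report and not Wireshark's code: it reads the Window Scale option from constructed SYN headers, computes the raw and the scaled window for packets 66 and 86, and shows that sorting on the raw field and on the scaled value gives the two opposite orders described in the report. The port numbers, the SYN window values and the assumption that both packets belong to one connection are constructed for illustration.

```python
import struct

SYN = 0x02

def build_tcp(sport, dport, flags, window, options=b""):
    """Constructed sample data: minimal TCP header, seq/ack/checksum left 0."""
    options += b"\x01" * (-len(options) % 4)   # NOP-pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                       offset << 4, flags, window, 0, 0) + options

def parse_wscale(hdr):
    """Return the Window Scale shift count (option kind 3), or None if absent."""
    i, end = 20, min((hdr[12] >> 4) * 4, len(hdr))
    while i < end and hdr[i] != 0:             # kind 0 = end of option list
        if hdr[i] == 1:                        # kind 1 = NOP, single byte
            i += 1
            continue
        if i + 1 >= end or hdr[i + 1] < 2 or i + hdr[i + 1] > end:
            return None                        # truncated or malformed option
        if hdr[i] == 3 and hdr[i + 1] == 3:
            return min(hdr[i + 2], 14)         # RFC 7323 caps the shift at 14
        i += hdr[i + 1]
    return None

def window_sizes(packets):
    """Map packet number -> (raw window field, scaled window in bytes)."""
    shift, out = {}, {}                        # shift is keyed by (sport, dport)
    for num, hdr in packets:
        sport, dport, _, _, _, flags, raw = struct.unpack("!HHIIBBH", hdr[:16])
        if flags & SYN:                        # the window in a SYN is never scaled
            shift[(sport, dport)] = parse_wscale(hdr)
            out[num] = (raw, raw)
            continue
        mine, peer = shift.get((sport, dport)), shift.get((dport, sport))
        # Scaling applies only if both SYNs were seen and both carried the option.
        s = mine if mine is not None and peer is not None else 0
        out[num] = (raw, raw << s)
    return out

# Constructed connection; packets 66 and 86 carry the values quoted in the report.
CAPTURE = [
    (1,  build_tcp(50000, 80, 0x02, 8192, b"\x03\x03\x06")),  # SYN, shift 6
    (2,  build_tcp(80, 50000, 0x12, 5840, b"\x03\x03\x09")),  # SYN/ACK, shift 9
    (66, build_tcp(50000, 80, 0x10, 107)),
    (86, build_tcp(80, 50000, 0x10, 28)),
]
sizes = window_sizes(CAPTURE)
by_raw = sorted((66, 86), key=lambda n: sizes[n][0])      # [86, 66]
by_scaled = sorted((66, 86), key=lambda n: sizes[n][1])   # [66, 86]
```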