I opened a bug #1842 for this:
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1842, but here's the
bug description:
Build Information:
SVN 22858
--
The TCP window size, as displayed in the Info column for SYN-ACK
packets, is
incorrect if a TCP conversation filter is applied. This can easily be
seen
using the small 3 packet trace file I will attach. If you open the file
with
no filter applied, the correct unscaled window size of 5792 is reported;
however, you right-click and choose "Conversation Filter -> TCP", then
the
window size is incorrectly reported as 2965504, which means that the
scaling
factor of 9 (multiply by 512) is incorrectly being applied. As you
probably
already know, the scaling factor should never be applied to window sizes
for
SYN or SYN-ACK packets. If you didn't know that, then refer to the
last
paragraph of section 2.2 in RFC1323, available here:
http://www.ietf.org/rfc/rfc1323.txt
Actually, it seems that if any display filter is applied, then the
problem
occurs. And if the filter is cleared, the window size is still
incorrect
afterwards.
- Chris
-----------------------------------------
This email may contain confidential and privileged material for the
sole use of the intended recipient(s). Any review, use, retention,
distribution or disclosure by others is strictly prohibited. If you
are not the intended recipient (or authorized to receive for the
recipient), please contact the sender by reply email and delete all
copies of this message. Also, email is susceptible to data
corruption, interception, tampering, unauthorized amendment and
viruses. We only send and receive emails on the basis that we are
not liable for any such corruption, interception, tampering,
amendment or viruses or any consequence thereof.
