wirehark和tcpdump -r:奇怪的tcp窗口大小 [英] wireshark and tcpdump -r: strange tcp window sizes
问题描述
我正在用tcpdump捕获HTTP流量,并对TCP缓慢启动以及窗口大小如何增加感兴趣:
I'm capturing http traffic with tcpdump and am interested in TCP slow start and how window sizes increase:
$ sudo tcpdump -i eth1 -w wget++.tcpdump tcp and port 80
当我使用Wireshark查看转储文件时,窗口大小的进度看起来很正常,即5840、5888、5888、8756、11264等...
When I view the dump file with Wireshark the progression of window sizes looks normal, i.e. 5840, 5888, 5888, 8576, 11264, etc...
但是当我通过...查看转储文件时
But when I view the dump file via
$ tcpdump -r wget++.tcpdump -tnN | less
我得到的窗口大小似乎没有意义(为简便起见,省略了IP地址):
I get what seem to be nonsensical windows sizes ( IP addresses omitted for brevity ):
: S 1069713761:1069713761(0) win 5840 <mss 1460,sackOK,timestamp 24220583 0,nop,wscale 7>
: S 1198053215:1198053215(0) ack 1069713762 win 5672 <mss 1430,sackOK,timestamp 2485833728 24220583,nop,wscale 6>
: . ack 1 win 46 <nop,nop,timestamp 24220604 2485833728>
: . 1:1419(1418) ack 1 win 46 <nop,nop,timestamp 24220604 2485833728>
: P 1419:2002(583) ack 1 win 46 <nop,nop,timestamp 24220604 2485833728>
: . ack 1419 win 133 <nop,nop,timestamp 2485833824 24220604>
: . ack 2002 win 178 <nop,nop,timestamp 2485833830 24220604>
有没有办法在命令行上获得普通/绝对窗口大小?
Is there a way to get normal / absolute window sizes on the command line?
推荐答案
窗口大小正确-它们只是未缩放.
The window sizes are correct - they're just unscaled.
连接启动器已将wscale(窗口缩放因子)设置为7,因此必须将其后续的win值乘以128,以获取以字节为单位的窗口大小.因此,win 46表示5888字节的窗口.
The connection initiator has set a wscale (window scaling factor) of 7, so its subsequent win values must be multiplied by 128 to get the window size in bytes. Thus the win 46 indicates a window of 5888 bytes.
连接接收者将wscale设置为6,因此其win值必须乘以64.因此,win 133表示一个8512字节的窗口,而win 178表示11392字节.
The connection recipient has set a wscale of 6, so its win values must be multiplied by 64. Thus win 133 indicates a window of 8512 bytes, and win 178 indicates 11392 bytes.
这篇关于wirehark和tcpdump -r:奇怪的tcp窗口大小的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
