Window size value: the amount of data this side is willing to receive from the other side. (The window size advertises the receive (RCV) buffer space available on the device, i.e. how much memory is allocated for the session.)

 

The maximum value of the TCP window size field is 65535 (0xFFFF) because it is a 2-byte field. The window can be made bigger by negotiating the window scaling option.

 

In the options of the SYN packet I can see Window Scale = 7. This tells the server that the client wants to use this option and multiply the window size by 128. The server agrees in the SYN+ACK with the same option = 7, which tells the client that it will also be using the scaling option.

A window scale of 7 means a multiplier of 2^7 = 128. This number never changes until the conversation finishes.

 

 

After this negotiation, if you look at the Window field in the TCP section of packet 3, you will see that it shows 211 x 128 = 27008.

From the server, I can see that the window scale option is enabled, as shown below.

 

In the middle of the capture, I can see a window size larger than 65535. 76288 is an example of a value that uses the scale option.

 

This is the normal case, showing how the scale option is used.

 

 

[Without Window scaling option Case]

 

This is a sample case showing when window scaling does not work. The first SYN packet carries the option, but the SYN-ACK packet does not, as shown below.

Below is the SYN-ACK packet. There is no window scale option.

So the last ACK packet of the handshake is sent without the window scale option.

In Wireshark, -2 means that no window scale option is defined. Please note that -2 always means "no window scale option". If the SYN, SYN-ACK and ACK packets are missing because the capture started in the middle of the connection, Wireshark determines -2 even if the window size is more than 65535.
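Both cases above as an added example (not from the original post): the code parses the Window Scale option out of raw SYN and SYN-ACK headers and scales later windows only when both sides sent it. The headers are constructed; the ports, the SYN window values and the raw value 596 (76288 / 128) are assumptions. It goes slightly beyond the post by tracking each side's shift separately, since each sender's advertised window is scaled by its own shift count.

```python
import struct

def parse_tcp(header: bytes):
    """Return (flags, raw_window, wscale_shift_or_None) from a raw TCP header."""
    flags = header[13]
    raw_window = struct.unpack("!H", header[14:16])[0]
    opts = header[20:(header[12] >> 4) * 4]   # data offset is in 32-bit words
    i, shift = 0, None
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                              # malformed length, stop parsing
        if kind == 3 and opts[i + 1] == 3:     # Window Scale: kind 3, length 3
            shift = min(opts[i + 2], 14)       # RFC 7323 caps the shift at 14
        i += opts[i + 1]
    return flags, raw_window, shift

def negotiated_shifts(syn: bytes, synack: bytes):
    """(client_shift, server_shift), or None if either side omitted the option."""
    client, server = parse_tcp(syn)[2], parse_tcp(synack)[2]
    return None if client is None or server is None else (client, server)

def effective_window(segment: bytes, sender_shift):
    """Window in bytes; the field in SYN segments is never scaled."""
    flags, raw, _ = parse_tcp(segment)
    if sender_shift is None or flags & 0x02:
        return raw
    return raw << sender_shift

def build(flags: int, window: int, options: bytes = b"") -> bytes:
    """Constructed TCP header (ports, seq/ack and checksum are placeholders)."""
    options += b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    return struct.pack("!HHIIBBHHH", 50000, 80, 0, 0,
                       ((20 + len(options)) // 4) << 4, flags, window, 0, 0) + options

MSS, WS7 = b"\x02\x04\x05\xb4", b"\x01\x03\x03\x07"   # MSS 1460; NOP + Window Scale 7
SYN = build(0x02, 64240, MSS + WS7)
SYNACK_WS = build(0x12, 65160, MSS + WS7)            # normal case
SYNACK_NO_WS = build(0x12, 65160, MSS)               # server omits the option
ACK, DATA = build(0x10, 211), build(0x10, 596)       # raw window fields

if __name__ == "__main__":
    shifts = negotiated_shifts(SYN, SYNACK_WS)
    print(shifts, effective_window(ACK, shifts[0]), effective_window(DATA, shifts[0]))
```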

 

 

 

 
