When analyzing packets, it's important to get it right. I spend a lot of time explaining to people that the TCP handshake is critical to capture, since some information you might need is only seen there.
Examples of this are the TCP MSS, SACK Permitted and TCP Scaling Option values. The TCP window scaling option is used to increase the TCP receive window size past its maximum value of 65,535 bytes.
If you've ever analyzed a trace where the TCP Scaling option was used but the TCP three-way handshake was not in that trace, you will have seen weird TCP Window Size values.
With Wireshark 2.0, you can input the scaling option or factor, making the TCP Window size accurate.
In this video I show you a trace file with a scaling option, then I remove the scaling option to show you what the TCP window size now looks like. Finally, I show you how to use the Protocol Preferences option to input the scaling value.
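
The following Python example is added here and is not part of the original post or video. It parses the handshake-only options (MSS, SACK Permitted, window scale) from a constructed SYN header, then shows how the same raw window field reads with and without the shift count. The sample bytes, the raw window value 501 and the function names are assumptions made for illustration.

```python
import struct

# Constructed sample: a 32-byte TCP SYN header (not taken from the video's trace).
# Options: MSS=1460, NOP, Window Scale shift=7, NOP, NOP, SACK Permitted.
SAMPLE_SYN = (struct.pack("!HHIIBBHHH", 49152, 443, 0x01020304, 0, 0x80, 0x02, 64240, 0, 0)
              + bytes.fromhex("020405b40103030701010402"))

def parse_syn_options(tcp_header: bytes) -> dict:
    """Return the options that only appear in the handshake (SYN / SYN-ACK)."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_header[12] >> 4) * 4          # data offset field, in bytes
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    opts = tcp_header[20:header_len]
    found = {"mss": None, "sack_permitted": False, "wscale": None}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                               # End of Option List
            break
        if kind == 1:                               # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        length = opts[i + 1]
        value = opts[i + 2:i + length]
        if kind == 2 and length == 4:               # Maximum Segment Size
            found["mss"] = int.from_bytes(value, "big")
        elif kind == 3 and length == 3:             # Window Scale shift count
            found["wscale"] = min(value[0], 14)     # RFC 7323 caps the shift at 14
        elif kind == 4 and length == 2:             # SACK Permitted
            found["sack_permitted"] = True
        i += length
    return found

def effective_window(raw_window: int, shift) -> int:
    """Receive window in bytes for a non-SYN segment from the host that sent `shift`."""
    # shift is None when the handshake was not captured: only the raw 16-bit field is known.
    return raw_window if shift is None else raw_window << shift

if __name__ == "__main__":
    opts = parse_syn_options(SAMPLE_SYN)
    print(opts)
    print("handshake captured:", effective_window(501, opts["wscale"]), "bytes")
    print("handshake missing: ", effective_window(501, None), "bytes")
```

Scaling is only in effect when both the SYN and the SYN-ACK carry the window scale option, and the window field in the SYN segments themselves is never scaled.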