TCP “options” are set in the initial handshake (the initiating host will propose in the SYN packet, and the receiving host will reply with what it supports in the SYN/ACK packet). Note that each system sets its own window scale and MSS values (but these value must be set by both hosts in order to be used in a connection).
- Window Scale — Set the multiplier for the window size (see above) as as a power of two, such that a “Window scale” of 7 is a multiplier of 2⁷ = 128. Window scales can be up to 14, which allows (once multiplied with the maximum window size) up to 1 GB of data to be transmitted before an ACK is required. Typically set to 2 for webservers, or to 0 for systems that wish to allow the use of this option in a conversation but don’t support large buffers themselves.
- Maximum Segment Size (MSS) — The maximum data segment size that a system can receive. This is different than the window size, which is the amount of data that a system expects before it gets an ACK (it’s basically that system’s buffer for this connection).
- Selective Acknowledgement (SACK) — Allows for packets to be acknowledged as they are received, rather than at the end of a window. Using SACK allows for dropped packets to be retransmitted sooner, and prevents the retransmission of packets that were properly received after a dropped packet. However, using SACK requires that the transmitting host keep track of what packets were sent in memory, which means that it’s typically not set on resource-constrained systems (IoT, etc.).
- No-Op (NOP) — A “blank” value (01) used to pad out the options field, since header size must be a power of two bytes but (1) each option need to fall on a byte boundary and (2) we may not have enough options to fill out the space requested. How NOPs are used is highly implementation-dependent. NOPs can also be used by middle-boxes (firewalls, routers, etc.) to strip options.
If SACK is used, then acknowledge packet numbers are also placed in the options block.
Differences in how TCP options are responded to for incoming SYN packets or ordered for outgoing SYN/ACK packets are important for fingerprinting operating systems and TCP stacks.