This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCPDump ISN/SEQ during 3way handshake


I'm trying to compare some seq numbers from a Wireshark output with the same capture being read in by tcpdump. Quick question: in terms of the numbers (i.e. S 181839597:181839597) within the initial 3-way handshake, what do these relate to? Also, is anyone able to explain the difference between relative and absolute seq numbers and how they differ in Wireshark compared to tcpdump, as the seq number I obtained from Wireshark I'm unable to find when issuing a tcpdump -r <cap.file>

[[email protected] tmp]# tcpdump -ni any port 8000
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
15:40:41.055988 IP 80.1.1.1.30119 > 10.1.1.1.irdmi: S 181839597:181839597(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,eol>
15:40:41.064798 IP 10.1.1.1.irdmi > 80.1.1.1.30119: S 3969924799:3969924799(0) ack 181839598 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 4>
15:40:41.066814 IP 80.1.1.1.30119 > 10.1.1.1.irdmi: . ack 1 win 260

Update : Also the seq numbers then throughout the rest of the capture appear to be relative.

15:40:41.363895 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: S 2325112793:2325112793(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,nop,eol>
15:40:41.363955 IP 10.1.1.1.irdmi > 80.1.1.1.30123: S 592517166:592517166(0) ack 2325112794 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 4>
15:40:41.375282 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: . ack 1 win 260
15:40:41.375471 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: P 1:823(822) ack 1 win 260
15:40:41.375485 IP 10.1.1.1.irdmi > 80.1.1.1.30123: . ack 823 win 468
15:40:41.440757 IP 10.1.1.1.irdmi > 80.1.1.1.30123: P 1:18(17) ack 823 win 468
15:40:41.441019 IP 10.1.1.1.irdmi > 80.1.1.1.30123: . 18:1398(1380) ack 823 win 468
15:40:41.441403 IP 10.1.1.1.irdmi > 80.1.1.1.30123: . 1398:2778(1380) ack 823 win 468
15:40:41.441411 IP 10.1.1.1.irdmi > 80.1.1.1.30123: FP 2778:4124(1346) ack 823 win 468
15:40:41.443848 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: . ack 1398 win 260
15:40:41.445975 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: . ack 4125 win 260
15:40:41.484158 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: F 823:823(0) ack 4125 win 260
15:40:41.484195 IP 10.1.1.1.irdmi > 80.1.1.1.30123: . ack 824 win 468

Thanks,

asked 08 May '13, 07:46


bart80

edited 08 May '13, 08:00

Hi,

I'm curious about the number of (nop)s in a row in this output. Can someone explain to me whether this is normal? I thought there should be no more than 4 in a row?

(01 Sep '14, 09:36) Ciag

One Answer:


In your output, 181839597 is the absolute sequence number (the actual value of the seq field in the TCP header).

In Wireshark, sequence numbers are by default relative (which means the seq of the initial SYN packet is set to 0 and all other sequence numbers are calculated from there).

To be able to compare the sequence numbers, you can make Wireshark show the absolute sequence numbers by going to the TCP protocol preferences and disabling "Relative Sequence Numbers".

answered 08 May '13, 07:53


SYN-bit ♦♦

Question updated....

(08 May '13, 08:23) bart80
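The conversion the answer describes, worked through on the question's own tcpdump lines as an added example (this is not code from the page, from tcpdump or from Wireshark). It assumes the old-style tcpdump flag column shown above (newer tcpdump versions print `Flags [S], seq ...` instead), that the capture contains the handshake so each direction's ISN can be learned from the SYN and SYN/ACK, and that the two connections above are distinguishable by their address pairs. tcpdump prints absolute values on the SYN and SYN/ACK and ISN-relative values afterwards (its `-S` option prints absolute values throughout), while Wireshark's relative mode numbers the SYN itself as 0; the script emits both views side by side, with 32-bit wraparound handled, so a seq number copied from either tool can be matched in the other.

```python
"""Map tcpdump's default seq/ack display to absolute values and to Wireshark's relative view.

Added example; not part of the original Q&A page or of either tool.
"""
import re

# Old-style tcpdump line: "<ts> IP <src> > <dst>: <flags> [<seq>:<end>(<len>)] [ack <n>] win <w> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: (?P<seq>\d+):(?P<seq_end>\d+)\((?P<len>\d+)\))?"
    r"(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)
MASK32 = 0xFFFFFFFF  # TCP sequence space is 32-bit modular


def to_relative(isn, absolute):
    """Wireshark-style relative number for an absolute seq/ack, wrap-safe."""
    return (absolute - isn) & MASK32


def to_absolute(isn, relative):
    """Absolute seq/ack (what `tcpdump -S` prints) for a relative number, wrap-safe."""
    return (isn + relative) & MASK32


# Constructed sample: the port-30123 connection from the question, option lists shortened.
SAMPLE = """\
15:40:41.363895 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: S 2325112793:2325112793(0) win 8192 <mss 1380,nop,wscale 8>
15:40:41.363955 IP 10.1.1.1.irdmi > 80.1.1.1.30123: S 592517166:592517166(0) ack 2325112794 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 4>
15:40:41.375282 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: . ack 1 win 260
15:40:41.375471 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: P 1:823(822) ack 1 win 260
15:40:41.375485 IP 10.1.1.1.irdmi > 80.1.1.1.30123: . ack 823 win 468
15:40:41.440757 IP 10.1.1.1.irdmi > 80.1.1.1.30123: P 1:18(17) ack 823 win 468
15:40:41.441411 IP 10.1.1.1.irdmi > 80.1.1.1.30123: FP 2778:4124(1346) ack 823 win 468
15:40:41.484158 IP 80.1.1.1.30123 > 10.1.1.1.irdmi: F 823:823(0) ack 4125 win 260
"""


def parse(line):
    """Split one tcpdump line into its fields; numeric fields become int or None."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised tcpdump line: {line!r}")
    d = m.groupdict()
    for k in ("seq", "seq_end", "len", "ack", "win"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def annotate(text):
    """One dict per packet with absolute and Wireshark-style relative seq/ack.

    Assumes the SYN and SYN/ACK are present (as in the question's capture); a
    number whose direction has no known ISN is left as None.
    """
    isn = {}  # (src, dst) -> absolute ISN sent in that direction
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        p = parse(line)
        fwd, rev = (p["src"], p["dst"]), (p["dst"], p["src"])
        rec = {"src": p["src"], "dst": p["dst"], "flags": p["flags"], "len": p["len"] or 0,
               "seq_abs": None, "seq_rel": None, "ack_abs": None, "ack_rel": None}
        if "S" in p["flags"]:
            # SYN / SYN-ACK: tcpdump shows the absolute ISN; Wireshark's relative value is 0.
            isn[fwd] = p["seq"]
            rec["seq_abs"], rec["seq_rel"] = p["seq"], 0
            if p["ack"] is not None:  # SYN/ACK carries an absolute ack as well
                rec["ack_abs"] = p["ack"]
                if rev in isn:
                    rec["ack_rel"] = to_relative(isn[rev], p["ack"])
        else:
            # Later segments: tcpdump already prints ISN-relative numbers (first data byte = 1).
            if p["seq"] is not None and fwd in isn:
                rec["seq_rel"], rec["seq_abs"] = p["seq"], to_absolute(isn[fwd], p["seq"])
            if p["ack"] is not None and rev in isn:
                rec["ack_rel"], rec["ack_abs"] = p["ack"], to_absolute(isn[rev], p["ack"])
        out.append(rec)
    return out


if __name__ == "__main__":
    for r in annotate(SAMPLE):
        print(f"{r['src']:>16} > {r['dst']:<16} {r['flags']:<2} "
              f"seq abs={r['seq_abs']} rel={r['seq_rel']}  ack abs={r['ack_abs']} rel={r['ack_rel']}")
```

Run it against a capture read with `tcpdump -r <cap.file>`; the `seq_abs` column is what Wireshark shows once "Relative Sequence Numbers" is disabled, and `seq_rel` is what it shows by default. The two tools agree on relative values for every segment after the handshake because both count from the ISN and treat the SYN as consuming one sequence number.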