This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

hi,

ive capture a http download with: tcpdump host x.x.x.x -c 100

wireshark shows me these sequence numbers for the first 5 packets:

0
0
1
1
1

but tcpdump shows:

1636902786
1161722083
1
1:192
1

tcpdump -vvr http-download.pcap | sed 's/1.2.3.4/myprivateip/g' | head -10

reading from file http-download.pcap, link-type EN10MB (Ethernet)
21:26:33.318368 IP (tos 0x0, ttl 64, id 64732, offset 0, flags [DF], proto TCP (6), length 60)
    myprivateip.32773 > zinc.canonical.com.http: Flags [S], cksum 0xa467 (incorrect -> 0x8522), seq 1636902786, win 14600, options [mss 1460,sackOK,TS val 14211934 ecr 0,nop,wscale 4], length 0
21:26:33.338102 IP (tos 0x20, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    zinc.canonical.com.http > myprivateip.32773: Flags [S.], cksum 0x7c95 (correct), seq 1161722083, ack 1636902787, win 5792, options [mss 1460,sackOK,TS val 2713111304 ecr 14211934,nop,wscale 7], length 0
21:26:33.338119 IP (tos 0x0, ttl 64, id 64733, offset 0, flags [DF], proto TCP (6), length 52)
    myprivateip.32773 > zinc.canonical.com.http: Flags [.], cksum 0xa45f (incorrect -> 0xbe6b), seq 1, ack 1, win 913, options [nop,nop,TS val 14211939 ecr 2713111304], length 0
21:26:33.338252 IP (tos 0x0, ttl 64, id 64734, offset 0, flags [DF], proto TCP (6), length 243)
    myprivateip.32773 > zinc.canonical.com.http: Flags [P.], cksum 0xa51e (incorrect -> 0xdcad), seq 1:192, ack 1, win 913, options [nop,nop,TS val 14211939 ecr 2713111304], length 191
21:26:33.358015 IP (tos 0x20, ttl 48, id 46062, offset 0, flags [DF], proto TCP (6), length 52)
    zinc.canonical.com.http > myprivateip.32773: Flags [.], cksum 0xc105 (correct), seq 1, ack 192, win 54, options [nop,nop,TS val 2713111306 ecr 14211939], length 0

whats with the difference?

offtopic, but you guys probably know it anyway: ive looked at python-scapy but have had some problems, are there other good python ways to read .pcap files?

asked 11 Oct '13, 06:31

newusergreek's gravatar image

newusergreek
11225
accept rate: 0%

edited 11 Oct '13, 07:03

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237


The difference is that Wireshark is set to display relative sequence numbers, which scales the sequence numbers of all conversation partners down to start at zero. If you disable relative sequence numbers in Wireshark (Edit -> Preferences -> Protocols -> TCP -> Relative Sequence Numbers) you'll see the same results as in TCPDump.

permanent link

answered 11 Oct '13, 10:43

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×7

question asked: 11 Oct '13, 06:31

question was seen: 2,982 times

last updated: 11 Oct '13, 10:43

p​o​w​e​r​e​d by O​S​Q​A