This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Syn packet and Sequence Number

0

I'm looking at a pcap, with the 3-way handshake already done. After an initial file is sent, the sequence number is 4887. The client sends another TCP packet with the SYN flag, which prompts another 3-way handshake. This resets the sequence numbers back to 1, as seen in the packet capture file. However, immediately afterwards, when the client asks for another file, the sequence number goes back to what it started as before, plus a few more, to 5321.

Why does the sequence number shoot back up to 5321, when it was reset back to 1?

asked 20 Aug '14, 15:00

FireShark

One Answer:

2

You need to isolate TCP connections to track sequence numbers. You cannot compare them across multiple connections. Use the pop-up menu to select conversation filters -> TCP on a packet to isolate the connection.

answered 20 Aug '14, 15:03

Jasper ♦♦

Thanks! I didn't notice that although it was the same IP address, a different connection was being made on a new port.

(20 Aug '14, 16:10) FireShark
1

One minor comment on this - Wireshark by default uses relative sequence numbers starting from 0 for each TCP session, for easy human readability and math. The reality is that the sequence number in the packet is probably much greater than 0 in both cases, so it's not "dropping back" to 0, but rather analyzing that it's a second TCP session with a new set of sequence numbers which Wireshark will assign new relative numbers for, starting at 0.

(20 Aug '14, 19:23) Quadratic
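
The point made in the answer and the last comment, as an added example that is not part of the original thread and not Wireshark's own code: a simplified model of per-connection relative sequence numbers. The addresses, ports and raw sequence numbers are constructed, and identifying a stream purely by its two endpoints is an assumption of this sketch.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, flags, raw_seq)
SEGMENTS = [
    ("10.0.0.5", 49152, "10.0.0.9", 80, "S",  3000000000),  # first connection
    ("10.0.0.9", 80, "10.0.0.5", 49152, "SA", 1200000000),
    ("10.0.0.5", 49152, "10.0.0.9", 80, "A",  3000000001),
    ("10.0.0.5", 49152, "10.0.0.9", 80, "PA", 3000000001),
    ("10.0.0.5", 49153, "10.0.0.9", 80, "S",  4294967290),  # same IPs, new port
    ("10.0.0.9", 80, "10.0.0.5", 49153, "SA", 77),
    ("10.0.0.5", 49153, "10.0.0.9", 80, "PA", 4294967291),  # 10 bytes of data
    ("10.0.0.5", 49153, "10.0.0.9", 80, "A",  5),           # raw value wrapped
    ("10.0.0.5", 49152, "10.0.0.9", 80, "PA", 3000004887),  # first connection again
    ("10.0.0.5", 49152, "10.0.0.9", 80, "PA", 3000005321),
]


def relative_seqs(segments):
    """Return [(stream_index, relative_seq)] for each segment, in capture order."""
    streams = {}  # connection (both endpoints, either direction) -> stream index
    base = {}     # one direction of one connection -> raw seq it started from
    result = []
    for src, sport, dst, dport, flags, raw in segments:
        # Both directions of a connection map to the same stream.
        conn = tuple(sorted([(src, sport), (dst, dport)]))
        stream = streams.setdefault(conn, len(streams))
        # Each direction has its own initial sequence number; a SYN (re)sets it.
        direction = (src, sport, dst, dport)
        if "S" in flags or direction not in base:
            base[direction] = raw
        # Modular subtraction keeps the result correct across 32-bit wraparound.
        result.append((stream, (raw - base[direction]) % MOD))
    return result


if __name__ == "__main__":
    for seg, (stream, rel) in zip(SEGMENTS, relative_seqs(SEGMENTS)):
        print(f"stream {stream}  {seg[0]}:{seg[1]} -> {seg[2]}:{seg[3]}  "
              f"[{seg[4]:2}] raw={seg[5]:<10} rel={rel}")
```

Read in capture order without the stream column, the relative values appear to drop to 0 and then jump to 4887 and 5321; grouped by stream, each connection counts up on its own.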