
Same Frame but Different TCP Header Values

0

Hi, I am using Wireshark installed on a Windows host with 2 NICs. The first one is attached to the source L2 switch (where the Web Server is connected) and the other one is attached to the destination L2 switch (where the Client is connected). I'm trying to follow packets from source to destination in order to find out if any delay is present. The odd thing is that a packet sniffed from the source L2 switch has a different sequence number and a different ack number if it is sniffed from the destination L2 switch. I am sure that I'm seeing the same packet by checking its size and the timestamp for a given timelapse. The protocol is SSL over TCP port 1981. It is a custom web service. Can anyone explain why this is happening? Thank you

asked 25 Feb '15, 08:34


badenia1
11114
accept rate: 0%


One Answer:

1

There's one universal rule, and that is that a packet must have the same sequence and ack number, no matter WHERE you capture it. Sequence and ack number cannot change on the way. The only thing that could fool Wireshark into showing two different sequence/ack numbers is when you use relative numbers. So please verify that you are looking at absolute sequence and ack numbers (there's a setting for this in the TCP dissector preferences).

If the absolute sequence/ack numbers are different, it's NOT the same packet. It does not matter if size or timestamp may be seemingly correct if those two aren't the same. So please use absolute numbers and check your findings again.

answered 25 Feb '15, 15:34


Jasper ♦♦
23.8k551284
accept rate: 18%

edited 26 Feb '15, 00:52

You are right, man! Changing TCP dissector preferences made my data reliable, and the packets now have the same TCP header values across my whole LAN. Great answer! Thanks

(26 Feb '15, 00:47) badenia1

You're welcome :)

(26 Feb '15, 00:53) Jasper ♦♦
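The point made in the answer, as an added Python example that is not part of the original thread: the same on-the-wire TCP header produces different relative sequence numbers in two captures, while the absolute values stay identical and can be used to pair packets. The relative numbering here is a simplified model (offset from the first value seen per direction in each capture), and the ports, ISNs and the assumption that one capture started two segments later are constructed for illustration.

```python
import struct

MOD = 2**32

def tcp_header(sport, dport, seq, ack):
    """Pack a minimal 20-byte TCP header (PSH+ACK, no options)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)

def absolute_view(capture):
    """(sport, dport, seq, ack) exactly as carried on the wire."""
    return [struct.unpack("!HHII", hdr[:12]) for hdr in capture]

def relative_view(capture):
    """Simplified relative numbering: offsets from the first value seen
    per direction in THIS capture, so it depends on where the capture starts."""
    base, out = {}, []
    for sport, dport, seq, ack in absolute_view(capture):
        base.setdefault((sport, dport), seq)   # baseline for this direction
        base.setdefault((dport, sport), ack)   # baseline for the reverse direction
        out.append((sport, dport,
                    (seq - base[(sport, dport)]) % MOD,
                    (ack - base[(dport, sport)]) % MOD))
    return out

def match_packets(cap_a, cap_b, view):
    """Pair indices of packets whose header tuple is identical in both captures."""
    index_b = {pkt: i for i, pkt in enumerate(view(cap_b))}
    return [(i, index_b[pkt]) for i, pkt in enumerate(view(cap_a)) if pkt in index_b]

# Constructed sample: server port 1981 sends four 100-byte segments to client port 50000.
ISN_S, ISN_C = 3_000_000_000, 1_200_000_000
stream = [tcp_header(1981, 50000, ISN_S + 1 + 100 * n, ISN_C + 1) for n in range(4)]
source_side = stream        # capture running from the first segment
dest_side = stream[2:]      # capture that started two segments later

if __name__ == "__main__":
    # Relative numbers pair up the wrong packets; absolute numbers pair the right ones.
    print("relative:", match_packets(source_side, dest_side, relative_view))
    print("absolute:", match_packets(source_side, dest_side, absolute_view))
```
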