This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I have been reading the questions and answers to this question, but none of them seem to help me. I was under the impression that I could follow a relative sequence number, say 551, all the way through and get a complete conversation. Am I mistaken? Thanks, Steve.

asked 11 Nov '10, 09:38

jfkseb413

Thanks folks... I did what you said and got both ends of the conversation.

(11 Nov '10, 10:37) jfkseb413

Relative sequence number is there to make it easy for people to follow the conversation. It's easier on the eyes to track 1,000 to 3000 (relative seq#) rather than 3223..65983453 to 3223...65985453 (absolute seq numbers). So whether you use relative seq# or not has no bearing on the analysis.

Also, TCP involves two conversations. One from the sender and one from the receiver. So it's important to keep track of sequence numbers from both sides.

Finally, you can right-click on the packet and use "Follow TCP Stream" to isolate your conversation from other traffic.

answered 11 Nov '10, 09:51

hansangb

I agree, even though sometimes I revert to absolute seq numbers: it is easy to confuse oneself with the two sequence number rows of both communication parties (especially if they are still pretty low). Absolute numbers are often completely different, with no way to mistake one for the other. The other reason is if I'm tracking down packets that are from a multipoint capture and I need to find the same packets in both (or even three to five different) traces.

(12 Nov '10, 01:32) Jasper ♦♦

Ok... here's the scoop on using relative sequence numbers.

Let's say you have two Wireshark systems - #1 is capturing traffic at a client and #2 is capturing traffic at a server.

If you start both analyzers and then launch a web browsing session at the client (to the server), both Wireshark systems (using relative sequence numbers) will show the same starting sequence number (0) at the beginning of the connection. In this case, your sequence numbers should match up on both analyzers.

If you see a packet from the client to the server that has sequence number 4532 for example, you should see a packet with that same sequence number at the server. If, for some reason, you missed part of the connection process at Wireshark #2 though - the relative numbers will be off.

What is your goal here? As Hansang said, if you right-click on one of the packets in that connection and select Follow X stream, Wireshark will reassemble the conversation and automatically filter on that conversation only.

answered 11 Nov '10, 09:59

lchappell ♦
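The two-capture scenario described above, as an added example that is not part of the original answers: a Python sketch over constructed packets, using a simplified model in which each direction's relative base is the first sequence number that capture saw (an assumption, not Wireshark's own code). The names `Pkt`, `relative_view` and `match_by_absolute` are hypothetical. It shows relative numbers diverging when capture #2 misses the start of the connection, while absolute numbers still pair the same packets across both traces.

```python
# Added example: constructed packets, simplified model of relative sequence numbering.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst seq length")
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

C, S = "client", "server"
ISN_C, ISN_S = 4294967000, 1000  # constructed initial sequence numbers

# Constructed connection as seen by capture #1 (started before the handshake).
FULL = [
    Pkt(C, S, ISN_C, 0),                  # SYN
    Pkt(S, C, ISN_S, 0),                  # SYN/ACK
    Pkt(C, S, (ISN_C + 1) % MOD, 0),      # ACK
    Pkt(C, S, (ISN_C + 1) % MOD, 400),    # first request
    Pkt(S, C, ISN_S + 1, 1460),           # response segment 1
    Pkt(S, C, ISN_S + 1461, 1460),        # response segment 2
    Pkt(C, S, (ISN_C + 401) % MOD, 131),  # absolute value has wrapped past 2**32
]
LATE = FULL[4:]  # capture #2 started after the handshake and first request


def relative_view(capture):
    """Return (src, relative_seq) per packet; base = first seq seen per direction."""
    base, view = {}, []
    for p in capture:
        base.setdefault((p.src, p.dst), p.seq)
        view.append((p.src, (p.seq - base[(p.src, p.dst)]) % MOD))
    return view


def match_by_absolute(trace_a, trace_b):
    """Pair packet indexes across two traces on direction, absolute seq and length."""
    index = {(p.src, p.dst, p.seq, p.length): i for i, p in enumerate(trace_b)}
    return [(i, index[k]) for i, p in enumerate(trace_a)
            if (k := (p.src, p.dst, p.seq, p.length)) in index]


if __name__ == "__main__":
    print("capture #1 relative:", relative_view(FULL))
    print("capture #2 relative:", relative_view(LATE))
    print("matched by absolute:", match_by_absolute(FULL, LATE))
```

Retransmissions share direction, sequence number and length, so a real multipoint comparison needs an extra discriminator such as the IP ID or a payload hash.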

question asked: 11 Nov '10, 09:38

question was seen: 20,400 times

last updated: 12 Nov '10, 01:32
