This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Relative Sequence Number

0

I have been reading the questions and answers to this question but none of them seem to help me. I was under the impression that I could follow a relative sequence number, say 551, all the way through and get a complete conversation. Am I mistaken? Thanks, Steve.

asked 11 Nov '10, 09:38

jfkseb413

Thanks folks......I did what you said and got both ends of the conversation....

(11 Nov '10, 10:37) jfkseb413

2 Answers:

2

Relative sequence number is there to make it easy for people to follow the conversation. It's easier on the eyes to track 1,000 to 3000 (relative seq#) rather than 3223..65983453 to 3223...65985453 (absolute seq numbers). So whether you use relative seq# or not has no bearing on the analysis.

Also, TCP involves two conversations. One from the sender and one from the receiver. So it's important to keep track of sequence numbers from both sides.

Finally, you can right click on the packet and use "follow tcp stream" to isolate your conversation from other traffic.

answered 11 Nov '10, 09:51

hansangb

I agree, even though sometimes I revert to absolute seq numbers: it is easy to confuse oneself with the two sequence number rows of both communication parties (especially if they are still pretty low). Absolute numbers are often completely different with no way to mistake one for the other. The other reason is if I'm tracking down packets that are from a multi-point capture and I need to find the same packets in both (or even three to five different) traces.

(12 Nov '10, 01:32) Jasper ♦♦

0

Ok... here's the scoop on using relative sequence numbers.

Let's say you have two Wireshark systems - #1 is capturing traffic at a client and #2 is capturing traffic at a server.

If you start both analyzers and then launch a web browsing session at the client (to the server), both Wireshark systems (using relative sequence numbers) will show the same starting sequence number (0) at the beginning of the connection. In this case, your sequence numbers should match up on both analyzers.

If you see a packet from the client to the server that has sequence number 4532 for example, you should see a packet with that same sequence number at the server. If, for some reason, you missed part of the connection process at Wireshark #2 though - the relative numbers will be off.

What is your goal here? As hansangb said, if you right click on one of the packets in that connection and select Follow X stream, Wireshark will reassemble the conversation and automatically filter on that conversation only.

answered 11 Nov '10, 09:59

lchappell ♦
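The points made in the answers above, as an added example that is not part of any post and is not Wireshark's code: each direction of a TCP connection has its own relative numbering, a capture that misses the handshake ends up with a different base, and absolute sequence numbers still line up across capture points. It assumes a simplified model in which the base is the first sequence number seen in each direction; the host labels and sequence values are constructed.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def relative_seqs(packets):
    """Annotate (src, dst, abs_seq) tuples with a per-direction relative seq.

    Assumption (simplified model): the base for a direction is the first
    absolute sequence number the capture sees in that direction.
    """
    base = {}
    out = []
    for src, dst, seq in packets:
        b = base.setdefault((src, dst), seq)
        out.append((src, dst, seq, (seq - b) % MOD))
    return out


def match_by_absolute(cap_a, cap_b):
    """Pair the same segment in two captures by direction + absolute seq.

    Returns (abs_seq, rel_in_a, rel_in_b) for every segment found in both.
    """
    in_b = {(s, d, q): rel for s, d, q, rel in relative_seqs(cap_b)}
    return [(q, rel, in_b[(s, d, q)])
            for s, d, q, rel in relative_seqs(cap_a) if (s, d, q) in in_b]


# Constructed sample: "C" = client, "S" = server. The client's initial
# sequence number sits close to 2**32 so the wrap-around is exercised.
CLIENT_CAPTURE = [
    ("C", "S", 4294966000),  # SYN
    ("S", "C", 1000000),     # SYN/ACK
    ("C", "S", 4294966001),  # 1500 bytes of request data
    ("C", "S", 205),         # next request segment, after the 32-bit wrap
    ("S", "C", 1000001),     # first response data
]
# Capture point #2 was started late and missed the handshake.
SERVER_CAPTURE = CLIENT_CAPTURE[2:]

if __name__ == "__main__":
    for row in relative_seqs(CLIENT_CAPTURE):
        print("capture 1:", row)
    for abs_seq, rel1, rel2 in match_by_absolute(CLIENT_CAPTURE, SERVER_CAPTURE):
        print(f"abs={abs_seq:>10}  rel@1={rel1:>5}  rel@2={rel2:>5}")
```

The relative values differ by one between the two captures because the second never saw the SYN, while the absolute value identifies the same segment in both.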