tcpdump mailing list archives
Re: tcp sequence and ack number with libpcap
From: Eloy Paris <peloy () chapus net>
Date: Thu, 19 Aug 2010 18:31:14 -0400
Hi Andrej,
Several others have already mentioned it -- tcpdump is using relative sequence numbers to make it easier to read the output. Large sequence numbers are perfectly valid (after all, they are 32-bit unsigned numbers).
Use the -S argument to tcpdump and you'll see tcpdump report large sequence numbers as well, just as your application does.
Cheers,
Eloy Paris.-
netexpect.org
On 08/19/2010 06:23 PM, Andrej van der Zee wrote:
> Hi,
>
>>> Source port and dest number seem to be ok, so I guess this is not the
>>> problem. Nevertheless, I tried the code below but it does not make a
>>> difference. Why do I get those weird seq and ack numbers? I am really
>>> stuck...
>>
>> Can you provide some examples of those "weird seq and ack numbers"?
>
> Thanks for your reply. With weird I meant different than obtained with
> "tcpdump -vv". There numbers are much too high:
>
> seq 101688001 ack 580300460
> seq 103252140 ack 276497601
> seq 101689793 ack 580300460
> seq 101592513 ack 580300460
> seq 102902956 ack 276497601
> seq 102902700 ack 276497601
> seq 101689281 ack 580300460
> seq 101689025 ack 580300460
> seq 102902444 ack 276497601
> seq 101688769 ack 580300460
>
> With "tcpdump -r<file> -n -vv tcp" I get:
>
> 17:53:35.347343 IP (tos 0x10, ttl 64, id 40919, offset 0, flags [DF], proto TCP (6), length 92) 193.34.150.174.22> 83.247.48.159.52238: Flags [P.], seq 949215706:949215758, ack 3908965070, win 80, length 52
> 17:53:35.347348 IP (tos 0x10, ttl 64, id 40920, offset 0, flags [DF], proto TCP (6), length 156) 193.34.150.174.22> 83.247.48.159.52238: Flags [P.], seq 52:168, ack 1, win 80, length 116
> 17:53:35.367017 IP (tos 0x0, ttl 122, id 8778, offset 0, flags [DF], proto TCP (6), length 40) 83.247.48.159.52238> 193.34.150.174.22: Flags [.], cksum 0xb0f5 (correct), seq 1, ack 52, win 16356, length 0
> 17:53:35.568407 IP (tos 0x0, ttl 122, id 8779, offset 0, flags [DF], proto TCP (6), length 40) 83.247.48.159.52238> 193.34.150.174.22: Flags [.], cksum 0xb09e (correct), seq 1, ack 168, win 16327, length 0
> 17:53:35.572654 IP (tos 0x0, ttl 122, id 8780, offset 0, flags [DF], proto TCP (6), length 76) 83.247.48.159.49808> 193.34.150.174.22: Flags [P.], cksum 0x035d (correct), seq 3237258086:3237258122, ack 1238688284, win 16347, length 36
> 17:53:35.572666 IP (tos 0x10, ttl 64, id 29749, offset 0, flags [DF], proto TCP (6), length 40) 193.34.150.174.22> 83.247.48.159.49808: Flags [.], cksum 0x7fed (correct), seq 1, ack 36, win 105, length 0
> 17:53:48.459350 IP (tos 0x0, ttl 122, id 8813, offset 0, flags [DF], proto TCP (6), length 76) 83.247.48.159.52238> 193.34.150.174.22: Flags [P.], cksum 0x795e (correct), seq 1:37, ack 168, win 16327, length 36
> 17:53:48.527273 IP (tos 0x10, ttl 64, id 40921, offset 0, flags [DF], proto TCP (6), length 40) 193.34.150.174.22> 83.247.48.159.52238: Flags [.], cksum 0xeff1 (correct), seq 168, ack 37, win 80, length 0
> 17:53:50.581688 IP (tos 0x0, ttl 122, id 8816, offset 0, flags [DF], proto TCP (6), length 76) 83.247.48.159.49808> 193.34.150.174.22: Flags [P.], cksum 0x7fa1 (correct), seq 36:72, ack 1, win 16347, length 36
> 17:53:50.581701 IP (tos 0x10, ttl 64, id 29750, offset 0, flags [DF], proto TCP (6), length 40) 193.34.150.174.22> 83.247.48.159.49808: Flags [.], cksum 0x7fc9 (correct), seq 1, ack 72, win 105, length 0
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
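Added example, not part of the original message and not tcpdump's own code: a simplified model of how absolute 32-bit sequence and ack numbers map to the relative ones shown in the quoted tcpdump output. The struct and function names are hypothetical; the model assumes the first captured segment of a connection fixes the bases, and it reads the header fields in network byte order.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Per-connection bases, seen from the side that sent the first captured
 * segment ("side A"). Hypothetical struct, not tcpdump's. */
struct seq_tracker {
    int      seen;      /* 0 until the first segment is recorded */
    uint32_t seq_base;  /* first sequence number seen from side A */
    uint32_t ack_base;  /* first ack from side A minus 1: base for side B */
};

/* Read a 32-bit TCP header field: network byte order, possibly unaligned. */
static uint32_t wire32(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return ntohl(v);
}

/* Rewrite absolute seq/ack in place as relative values. from_a is 1 when
 * the segment travels in the direction of the first captured segment.
 * Returns 1 when this segment set the bases (numbers stay absolute, as in
 * the first tcpdump line of each connection), 0 otherwise. */
static int relative_seq_ack(struct seq_tracker *t, int from_a,
                            uint32_t *seq, uint32_t *ack)
{
    if (!t->seen) {
        t->seen = 1;
        t->seq_base = *seq;
        t->ack_base = *ack - 1;
        return 1;
    }
    /* Unsigned subtraction is modulo 2^32, so sequence wraparound is fine. */
    if (from_a) {
        *seq -= t->seq_base;
        *ack -= t->ack_base;
    } else {
        *seq -= t->ack_base;
        *ack -= t->seq_base;
    }
    return 0;
}
```

Fed the absolute values from the first connection in the quoted capture, this yields the same `seq 52 ... ack 1` and `seq 1, ack 52` that tcpdump prints without `-S`.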
Current thread:
- tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Mark Bednarczyk (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Gert Doering (Aug 19)
- Re: tcp sequence and ack number with libpcap Gianluca Varenni (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Gianluca Varenni (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Rick Jones (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Mark Bednarczyk (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Gert Doering (Aug 19)