tcpdump mailing list archives

Re: tcp sequence and ack number with libpcap


From: Eloy Paris <peloy () chapus net>
Date: Thu, 19 Aug 2010 18:50:48 -0400

On 08/19/2010 06:44 PM, Andrej van der Zee wrote:

Hi,

    Hi Andrej,

    Several others have already mentioned it -- tcpdump is using
    relative sequence numbers to make it easier to read the output.
    Large sequence numbers are perfectly valid (after all, they are
    32-bit unsigned numbers).

    Use the -S argument to tcpdump and you'll see tcpdump report large
    sequence numbers as well, just as your application does.


The -S option does not give me the same results either. I did another
run with -S and printed the timestamps and length of the packets to
absolutely make sure that we are comparing the same thing. Still big
differences. This is killing me.

The data below seems to correspond to different TCP sessions. To make sure you are looking at the same session, Gianluca's suggestion seems to be the best -- capture some traffic and save it to a savefile (PCAP) file, and then run the PCAP file through both tcpdump with -S and your own application.

Cheers,

Eloy Paris.-
netexpect.org


17:53:35.347343 seq 113135041 ack 580300371 len 92
17:53:35.347348 seq 113118401 ack 580300371 len 156
17:53:35.367017 seq 100802387 ack 4147158977 len 40
17:53:35.568407 seq 100802131 ack 4147158977 len 40
17:53:35.572654 seq 100792659 ack 4147158977 len 76
17:53:35.572666 seq 116007873 ack 580300371 len 40
17:53:48.459350 seq 100784211 ack 4147158977 len 76
17:53:48.527273 seq 113147841 ack 580300371 len 40
17:53:50.581688 seq 100783443 ack 4147158977 len 76


andrej@ubuntu:~/caps$ tcpdump -r client_00001_20100818115534.cap -S -n
-vv tcp  | head -n 20
reading from file client_00001_20100818115534.cap, link-type EN10MB
(Ethernet)
17:53:35.347343 IP (tos 0x10, ttl 64, id 40919, offset 0, flags [DF],
proto TCP (6), length 92)
     193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq
949215706:949215758, ack 3908965070, win 80, length 52
17:53:35.347348 IP (tos 0x10, ttl 64, id 40920, offset 0, flags [DF],
proto TCP (6), length 156)
     193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq
949215758:949215874, ack 3908965070, win 80, length 116
17:53:35.367017 IP (tos 0x0, ttl 122, id 8778, offset 0, flags [DF],
proto TCP (6), length 40)
     83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb0f5
(correct), seq 3908965070, ack 949215758, win 16356, length 0
17:53:35.568407 IP (tos 0x0, ttl 122, id 8779, offset 0, flags [DF],
proto TCP (6), length 40)
     83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb09e
(correct), seq 3908965070, ack 949215874, win 16327, length 0
17:53:35.572654 IP (tos 0x0, ttl 122, id 8780, offset 0, flags [DF],
proto TCP (6), length 76)
     83.247.48.159.49808 > 193.34.150.174.22: Flags [P.], cksum 0x035d
(correct), seq 3237258086:3237258122, ack 1238688284, win 16347, length 36
17:53:35.572666 IP (tos 0x10, ttl 64, id 29749, offset 0, flags [DF],
proto TCP (6), length 40)
     193.34.150.174.22 > 83.247.48.159.49808: Flags [.], cksum 0x7fed
(correct), seq 1238688284, ack 3237258122, win 105, length 0
17:53:48.459350 IP (tos 0x0, ttl 122, id 8813, offset 0, flags [DF],
proto TCP (6), length 76)
     83.247.48.159.52238 > 193.34.150.174.22: Flags [P.], cksum 0x795e
(correct), seq 3908965070:3908965106, ack 949215874, win 16327, length 36
17:53:48.527273 IP (tos 0x10, ttl 64, id 40921, offset 0, flags [DF],
proto TCP (6), length 40)
     193.34.150.174.22 > 83.247.48.159.52238: Flags [.], cksum 0xeff1
(correct), seq 949215874, ack 3908965106, win 80, length 0
17:53:50.581688 IP (tos 0x0, ttl 122, id 8816, offset 0, flags [DF],
proto TCP (6), length 76)
     83.247.48.159.49808 > 193.34.150.174.22: Flags [P.], cksum 0x7fa1
(correct), seq 3237258122:3237258158, ack 1238688284, win 16347, length 36
17:53:50.581701 IP (tos 0x10, ttl 64, id 29750, offset 0, flags [DF],
proto TCP (6), length 40)
     193.34.150.174.22 > 83.247.48.159.49808: Flags [.], cksum 0x7fc9
(correct), seq 1238688284, ack 3237258158, win 105, length 0
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
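
Added example (not part of the original message and not tcpdump's own code): one way an application can read the absolute seq/ack values from a captured frame so they can be compared line by line with "tcpdump -S" output, printing the ports as well so each line can be matched to its TCP session. It assumes an EN10MB (Ethernet II) link type carrying IPv4 with no VLAN tag; the names parse_tcp_nums, rel_seq and sample are hypothetical, and the sample frame is constructed from the header values of the first tcpdump line in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper names; assumes Ethernet II + IPv4, no VLAN tag. */
struct tcp_nums { uint16_t sport, dport; uint32_t seq, ack; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 on success, -1 if the frame is not IPv4/TCP or is truncated. */
int parse_tcp_nums(const uint8_t *pkt, size_t caplen, struct tcp_nums *out) {
    if (caplen < 14 + 20 || be16(pkt + 12) != 0x0800) return -1;
    const uint8_t *ip = pkt + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* IP header length is variable */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6) return -1;
    if (caplen < 14 + ihl + 20) return -1;      /* need the fixed TCP header */
    const uint8_t *tcp = ip + ihl;
    out->sport = be16(tcp);     out->dport = be16(tcp + 2);
    out->seq   = be32(tcp + 4); out->ack   = be32(tcp + 8); /* network byte order */
    return 0;
}

/* Relative number: offset from the first sequence number seen in that
   direction of the session; unsigned subtraction wraps modulo 2^32. */
uint32_t rel_seq(uint32_t seq, uint32_t first_seq) { return seq - first_seq; }

/* Constructed frame (headers only, zero MACs and checksums) for
   193.34.150.174.22 > 83.247.48.159.52238, seq 949215706, ack 3908965070. */
static const uint8_t sample[54] = {
    0,0,0,0,0,2, 0,0,0,0,0,1, 0x08,0x00,
    0x45,0x10,0x00,0x5c, 0x9f,0xd7,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc1,0x22,0x96,0xae, 0x53,0xf7,0x30,0x9f,
    0x00,0x16,0xcc,0x0e, 0x38,0x93,0xe1,0xda, 0xe8,0xfe,0x12,0xce,
    0x50,0x18,0x00,0x50, 0x00,0x00,0x00,0x00
};

int main(void) {
    struct tcp_nums n;
    if (parse_tcp_nums(sample, sizeof sample, &n) == 0)
        printf("%u > %u seq %u ack %u\n", (unsigned)n.sport, (unsigned)n.dport,
               (unsigned)n.seq, (unsigned)n.ack);
    return 0;
}
```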