tcpdump mailing list archives
Re: tcp sequence and ack number with libpcap
From: Eloy Paris <peloy () chapus net>
Date: Thu, 19 Aug 2010 18:50:48 -0400
On 08/19/2010 06:44 PM, Andrej van der Zee wrote:
> Hi,
>
>> Hi Andrej,
>>
>> Several others have already mentioned it -- tcpdump is using relative
>> sequence numbers to make it easier to read the output. Large sequence
>> numbers are perfectly valid (after all, they are 32-bit unsigned numbers).
>> Use the -S argument to tcpdump and you'll see tcpdump report large
>> sequence numbers as well, just as your application does.
>
> The -S option does not give me the same results either. I did another run
> with -S and printed the timestamps and length of the packets to absolutely
> make sure that we are comparing the same thing. Still big differences.
> This is killing me.
The data below seems to correspond to different TCP sessions. To make sure you are looking at the same session, Gianluca's suggestion seems to be the best -- capture some traffic and save it to a savefile (PCAP) file, and then run the PCAP file through both tcpdump with -S and your own application.
Cheers,

Eloy Paris.-
netexpect.org
> 17:53:35.347343 seq 113135041 ack 580300371 len 92
> 17:53:35.347348 seq 113118401 ack 580300371 len 156
> 17:53:35.367017 seq 100802387 ack 4147158977 len 40
> 17:53:35.568407 seq 100802131 ack 4147158977 len 40
> 17:53:35.572654 seq 100792659 ack 4147158977 len 76
> 17:53:35.572666 seq 116007873 ack 580300371 len 40
> 17:53:48.459350 seq 100784211 ack 4147158977 len 76
> 17:53:48.527273 seq 113147841 ack 580300371 len 40
> 17:53:50.581688 seq 100783443 ack 4147158977 len 76
>
> andrej@ubuntu:~/caps$ tcpdump -r client_00001_20100818115534.cap -S -n -vv tcp | head -n 20
> reading from file client_00001_20100818115534.cap, link-type EN10MB (Ethernet)
> 17:53:35.347343 IP (tos 0x10, ttl 64, id 40919, offset 0, flags [DF], proto TCP (6), length 92)
>     193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq 949215706:949215758, ack 3908965070, win 80, length 52
> 17:53:35.347348 IP (tos 0x10, ttl 64, id 40920, offset 0, flags [DF], proto TCP (6), length 156)
>     193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq 949215758:949215874, ack 3908965070, win 80, length 116
> 17:53:35.367017 IP (tos 0x0, ttl 122, id 8778, offset 0, flags [DF], proto TCP (6), length 40)
>     83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb0f5 (correct), seq 3908965070, ack 949215758, win 16356, length 0
> 17:53:35.568407 IP (tos 0x0, ttl 122, id 8779, offset 0, flags [DF], proto TCP (6), length 40)
>     83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb09e (correct), seq 3908965070, ack 949215874, win 16327, length 0
> 17:53:35.572654 IP (tos 0x0, ttl 122, id 8780, offset 0, flags [DF], proto TCP (6), length 76)
>     83.247.48.159.49808 > 193.34.150.174.22: Flags [P.], cksum 0x035d (correct), seq 3237258086:3237258122, ack 1238688284, win 16347, length 36
> 17:53:35.572666 IP (tos 0x10, ttl 64, id 29749, offset 0, flags [DF], proto TCP (6), length 40)
>     193.34.150.174.22 > 83.247.48.159.49808: Flags [.], cksum 0x7fed (correct), seq 1238688284, ack 3237258122, win 105, length 0
> 17:53:48.459350 IP (tos 0x0, ttl 122, id 8813, offset 0, flags [DF], proto TCP (6), length 76)
>     83.247.48.159.52238 > 193.34.150.174.22: Flags [P.], cksum 0x795e (correct), seq 3908965070:3908965106, ack 949215874, win 16327, length 36
> 17:53:48.527273 IP (tos 0x10, ttl 64, id 40921, offset 0, flags [DF], proto TCP (6), length 40)
>     193.34.150.174.22 > 83.247.48.159.52238: Flags [.], cksum 0xeff1 (correct), seq 949215874, ack 3908965106, win 80, length 0
> 17:53:50.581688 IP (tos 0x0, ttl 122, id 8816, offset 0, flags [DF], proto TCP (6), length 76)
>     83.247.48.159.49808 > 193.34.150.174.22: Flags [P.], cksum 0x7fa1 (correct), seq 3237258122:3237258158, ack 1238688284, win 16347, length 36
> 17:53:50.581701 IP (tos 0x10, ttl 64, id 29750, offset 0, flags [DF], proto TCP (6), length 40)
>     193.34.150.174.22 > 83.247.48.159.49808: Flags [.], cksum 0x7fc9 (correct), seq 1238688284, ack 3237258158, win 105, length 0
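Added example (not code from anyone in this thread): a minimal decoder that takes an Ethernet frame exactly as a libpcap `pcap_loop()` callback receives it and extracts the absolute sequence and acknowledgement numbers, so its output can be compared field by field with `tcpdump -S` over the same savefile. It reads the wire fields as big-endian bytes, walks the IPv4 IHL and the TCP data offset instead of assuming 20-byte headers, skips an 802.1Q tag, and refuses frames whose headers were cut off by a short snaplen. The frame it parses is constructed here from the header values of the 17:53:48.459350 packet in the quoted tcpdump output (seq 3908965070, ack 949215874, 36 payload bytes); the MAC addresses, VLAN ID, IP checksum and payload bytes are placeholders, and `parse_tcp_frame`, `build_sample_frame` and `parse_sample` are names chosen for this example. It does not link against libpcap so that it compiles stand-alone.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Raw 32-bit TCP sequence/ack numbers of one frame, as tcpdump -S shows them. */
struct tcp_summary {
    int ok;                 /* 1 if an IPv4/TCP header was found and fully captured */
    int truncated;          /* 1 if snaplen cut the frame before the end of the IP datagram */
    uint32_t src_ip, dst_ip, seq, ack;
    uint16_t src_port, dst_port, payload_len;
    uint8_t flags;
};

/* Wire fields are big-endian; assemble them byte by byte instead of casting. */
static uint32_t be32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parse one DLT_EN10MB frame as a pcap_loop() callback receives it
 * (frame = packet bytes, caplen = pcap_pkthdr.caplen). Walks an optional 802.1Q
 * tag, the IPv4 IHL and the TCP data offset, and rejects frames whose headers
 * were not fully captured. Returns out->ok. */
int parse_tcp_frame(const uint8_t *frame, size_t caplen, struct tcp_summary *out)
{
    size_t off = 14;
    memset(out, 0, sizeof *out);
    if (caplen < 14) return 0;
    uint16_t ethertype = be16(frame + 12);
    if (ethertype == 0x8100) {                  /* VLAN tag: real ethertype 4 bytes on */
        if (caplen < 18) return 0;
        ethertype = be16(frame + 16);
        off = 18;
    }
    if (ethertype != 0x0800 || caplen < off + 20) return 0;
    const uint8_t *ip = frame + off;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* IPv4 header length incl. options */
    uint16_t ip_total = be16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip_total < ihl + 20) return 0;
    if (ip[9] != 6 || (be16(ip + 6) & 0x1fff)) return 0; /* not TCP, or a later fragment */
    if (caplen < off + ihl + 20) return 0;
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;  /* TCP header length incl. options */
    if (doff < 20 || ihl + doff > ip_total || caplen < off + ihl + doff) return 0;
    out->src_ip = be32(ip + 12);  out->dst_ip = be32(ip + 16);
    out->src_port = be16(tcp);    out->dst_port = be16(tcp + 2);
    out->seq = be32(tcp + 4);     out->ack = be32(tcp + 8);
    out->flags = tcp[13];
    out->payload_len = (uint16_t)(ip_total - ihl - doff);
    out->truncated = off + ip_total > caplen;  /* IP length is authoritative, caplen is not */
    out->ok = 1;
    return 1;
}

/* Constructed frame (not from a real capture) carrying the header values of the
 * 17:53:48.459350 packet in the quoted tcpdump -S output: 83.247.48.159.52238 >
 * 193.34.150.174.22, seq 3908965070, ack 949215874, PSH|ACK, 36 payload bytes.
 * MACs, VLAN ID, IP checksum and payload are placeholders. Returns the frame
 * length, or 0 if buf is too small. */
size_t build_sample_frame(uint8_t *buf, size_t bufsz, int vlan_tagged)
{
    static const uint8_t hdrs[40] = {
        0x45, 0x00, 0x00, 0x4c,  0x22, 0x6d, 0x40, 0x00,  /* v4/IHL 5, len 76, id 8813, DF */
        0x7a, 0x06, 0x00, 0x00,  0x53, 0xf7, 0x30, 0x9f,  /* ttl 122, TCP, no cksum, src IP */
        0xc1, 0x22, 0x96, 0xae,                           /* dst 193.34.150.174 */
        0xcc, 0x0e, 0x00, 0x16,  0xe8, 0xfe, 0x12, 0xce,  /* 52238 > 22, seq 3908965070 */
        0x38, 0x93, 0xe2, 0x82,  0x50, 0x18, 0x3f, 0xc7,  /* ack 949215874, doff 5, PA, win 16327 */
        0x79, 0x5e, 0x00, 0x00                            /* cksum 0x795e, urg 0 */
    };
    static const uint8_t vlan[6] = { 0x81, 0x00, 0x00, 0x01, 0x08, 0x00 }; /* 802.1Q VID 1, then IPv4 */
    size_t off = vlan_tagged ? 18 : 14, len = off + 40 + 36;
    if (bufsz < len) return 0;
    memset(buf, 0, len);
    memset(buf, 0xaa, 6); memset(buf + 6, 0xbb, 6);       /* placeholder MAC addresses */
    if (vlan_tagged) memcpy(buf + 12, vlan, 6); else buf[12] = 0x08; /* ethertype 0x0800 */
    memcpy(buf + off, hdrs, 40);
    memset(buf + off + 40, 0x41, 36);                     /* opaque 36-byte payload */
    return len;
}

/* Build the sample (tagged or not), optionally cut it to caplen bytes the way a
 * short snaplen would, and parse it. */
struct tcp_summary parse_sample(int vlan_tagged, size_t caplen)
{
    uint8_t buf[128];
    struct tcp_summary s;
    size_t n = build_sample_frame(buf, sizeof buf, vlan_tagged);
    if (caplen && caplen < n) n = caplen;
    parse_tcp_frame(buf, n, &s);
    return s;
}

int main(void)
{
    struct tcp_summary s = parse_sample(0, 0);
    if (!s.ok) return 1;
    printf("%u > %u: flags 0x%02x, seq %lu:%lu, ack %lu, length %u%s\n",
           s.src_port, s.dst_port, s.flags, (unsigned long)s.seq, (unsigned long)s.seq + s.payload_len,
           (unsigned long)s.ack, s.payload_len, s.truncated ? " [truncated]" : "");
    return 0;
}
```

Compile with `cc -o tcpseq tcpseq.c`; nothing beyond libc is needed. In a real tool the callback handed to `pcap_loop()` would call `parse_tcp_frame(bytes, h->caplen, &s)` and print the timestamp from `h->ts` next to the fields, after checking that `pcap_datalink()` really returns `DLT_EN10MB` (the link-type line in the tcpdump output above), since other link types put the IP header at a different offset. When comparing with `tcpdump -S`, match lines by timestamp and by the port pair, not by position in the file: the quoted capture interleaves two SSH sessions (ports 52238 and 49808), each with its own sequence space.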
- This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Re: tcp sequence and ack number with libpcap, (continued)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Gert Doering (Aug 19)
- Re: tcp sequence and ack number with libpcap Gianluca Varenni (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Gianluca Varenni (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Rick Jones (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Eloy Paris (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap ronnie sahlberg (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Gert Doering (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)
- Re: tcp sequence and ack number with libpcap Andrej van der Zee (Aug 19)