Re: tcp sequence and ack number with libpcap

[ronnie sahlberg <ronniesahlberg () gmail com>]

Note:
The relative numbers are not part of the TCP protocol.
The relative numbers does not actually exist. Only the absolute
numbers exist in the packets.

Relative numbers are an invention inside tcpdump to make the printed
numbers easier to read for humans.


Example:
Try deleting the first 10 packets from your capture file.
(The editcap tool that is part of wireshark can be used to do this.)
Then run the resulting capture through tcpdump again.

See that the sequence and ack numbers of the packets that remained
have changed compared to when you dumped the original trace.

Now use -S to print the correct/absolute numbers instead and see that
this time they are the same.


regards
ronnie sahlberg



On Fri, Aug 20, 2010 at 9:15 AM, Andrej van der Zee
<andrejvanderzee () gmail com> wrote:
> Hi,
>
>
>
> >  const struct tcphdr * tcp_hdr = (const struct tcphdr *)(sp + ETHER_HDRLEN
> > > + IP_HL(ip));
> > >
> > > This is surely wrong.
> > > The size of the IP header is IP_HL(ip)*4  not IP_HL(ip)
> > Thank you very much! Now I do get the same seq  and ack number for my app
> > and tcpdump -vv.
> Though, unfortunately I turn out to need the relative sequence and ack
> number. How do I get those?
>
> Thank you,
> Andrej
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.