Re: tcp sequence and ack number with libpcap

[Rick Jones <rick.jones2 () hp com>]

> > Can you provide some examples of those "weird seq and ack numbers"?
>
>
>
> Thanks for your reply.
>
> With weird I meant different than obtained with "tcpdump -vv". There numbers
> are much too high:
>
> seq 101688001 ack 580300460
> seq 103252140 ack 276497601
> seq 101689793 ack 580300460
> seq 101592513 ack 580300460
> seq 102902956 ack 276497601
> seq 102902700 ack 276497601
> seq 101689281 ack 580300460
> seq 101689025 ack 580300460
> seq 102902444 ack 276497601
> seq 101688769 ack 580300460
>
> With "tcpdump -r <file> -n -vv tcp" I get:
>
> 17:53:35.347343 IP (tos 0x10, ttl 64, id 40919, offset 0, flags [DF], proto
> TCP (6), length 92)
>     193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq
> 949215706:949215758, ack 3908965070, win 80, length 52

absolute seuqnce numbers reported above

> 17:53:35.347348 IP (tos 0x10, ttl 64, id 40920, offset 0, flags [DF], proto
> TCP (6), length 156)
>     193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq 52:168, ack 1,
> win 80, length 116
> 17:53:35.367017 IP (tos 0x0, ttl 122, id 8778, offset 0, flags [DF], proto
> TCP (6), length 40)
>     83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb0f5
> (correct), seq 1, ack 52, win 16356, length 0

almost certainly relative sequence numbers reported there - for any given 
four-tuple of local/remote IP, local/remote port, tcpdump will report the "raw" 
sequence numbers on the first segment it sees and then will subtract those 
values from the sequence numbers in subsequent segments it sees.

Are you printing-out any other characteristics of the TCP segments to act as a 
sanity check - say to make sure you are dealing with the correct offsets?

rick jones
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.