Re: tcp sequence and ack number with libpcap

[Eloy Paris <peloy () chapus net>]

Hi Andrej,

Several others have already mentioned it -- tcpdump is using relative 
sequence numbers to make it easier to read the output. Large sequence 
numbers are perfectly valid (after all, they are 32-bit unsigned numbers).

Use the -S argument to tcpdump and you'll see tcpdump report large 
sequence numbers as well, just as your application does.

Cheers,

Eloy Paris.-
netexpect.org

On 08/19/2010 06:23 PM, Andrej van der Zee wrote:

> Hi,
>
>   Source port and dest number seem to be ok, so I guess this is not the
> > > problem. Nevertheless, I tried the code below but it does not make a
> > > difference. Why do I get those weird seq and ack numbers? I am really
> > > stuck...
> >
> > Can you provide some examples of those "weird seq and ack numbers"?
>
>
> Thanks for your reply.
>
> With weird I meant different than obtained with "tcpdump -vv". There numbers
> are much too high:
>
> seq 101688001 ack 580300460
> seq 103252140 ack 276497601
> seq 101689793 ack 580300460
> seq 101592513 ack 580300460
> seq 102902956 ack 276497601
> seq 102902700 ack 276497601
> seq 101689281 ack 580300460
> seq 101689025 ack 580300460
> seq 102902444 ack 276497601
> seq 101688769 ack 580300460
>
> With "tcpdump -r<file>  -n -vv tcp" I get:
>
> 17:53:35.347343 IP (tos 0x10, ttl 64, id 40919, offset 0, flags [DF], proto
> TCP (6), length 92)
>      193.34.150.174.22>  83.247.48.159.52238: Flags [P.], seq
> 949215706:949215758, ack 3908965070, win 80, length 52
> 17:53:35.347348 IP (tos 0x10, ttl 64, id 40920, offset 0, flags [DF], proto
> TCP (6), length 156)
>      193.34.150.174.22>  83.247.48.159.52238: Flags [P.], seq 52:168, ack 1,
> win 80, length 116
> 17:53:35.367017 IP (tos 0x0, ttl 122, id 8778, offset 0, flags [DF], proto
> TCP (6), length 40)
>      83.247.48.159.52238>  193.34.150.174.22: Flags [.], cksum 0xb0f5
> (correct), seq 1, ack 52, win 16356, length 0
> 17:53:35.568407 IP (tos 0x0, ttl 122, id 8779, offset 0, flags [DF], proto
> TCP (6), length 40)
>      83.247.48.159.52238>  193.34.150.174.22: Flags [.], cksum 0xb09e
> (correct), seq 1, ack 168, win 16327, length 0
> 17:53:35.572654 IP (tos 0x0, ttl 122, id 8780, offset 0, flags [DF], proto
> TCP (6), length 76)
>      83.247.48.159.49808>  193.34.150.174.22: Flags [P.], cksum 0x035d
> (correct), seq 3237258086:3237258122, ack 1238688284, win 16347, length 36
> 17:53:35.572666 IP (tos 0x10, ttl 64, id 29749, offset 0, flags [DF], proto
> TCP (6), length 40)
>      193.34.150.174.22>  83.247.48.159.49808: Flags [.], cksum 0x7fed
> (correct), seq 1, ack 36, win 105, length 0
> 17:53:48.459350 IP (tos 0x0, ttl 122, id 8813, offset 0, flags [DF], proto
> TCP (6), length 76)
>      83.247.48.159.52238>  193.34.150.174.22: Flags [P.], cksum 0x795e
> (correct), seq 1:37, ack 168, win 16327, length 36
> 17:53:48.527273 IP (tos 0x10, ttl 64, id 40921, offset 0, flags [DF], proto
> TCP (6), length 40)
>      193.34.150.174.22>  83.247.48.159.52238: Flags [.], cksum 0xeff1
> (correct), seq 168, ack 37, win 80, length 0
> 17:53:50.581688 IP (tos 0x0, ttl 122, id 8816, offset 0, flags [DF], proto
> TCP (6), length 76)
>      83.247.48.159.49808>  193.34.150.174.22: Flags [P.], cksum 0x7fa1
> (correct), seq 36:72, ack 1, win 16347, length 36
> 17:53:50.581701 IP (tos 0x10, ttl 64, id 29750, offset 0, flags [DF], proto
> TCP (6), length 40)
>      193.34.150.174.22>  83.247.48.159.49808: Flags [.], cksum 0x7fc9
> (correct), seq 1, ack 72, win 105, length 0
> -
> This is the tcpdump-workers list.
> Visit https://cod.sandelman.ca/ to unsubscribe.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.