tcpdump mailing list archives

Re: tcp sequence and ack number with libpcap


From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Fri, 20 Aug 2010 07:44:46 +0900

Hi,

Hi Andrej,

Several others have already mentioned it -- tcpdump is using relative
sequence numbers to make it easier to read the output. Large sequence
numbers are perfectly valid (after all, they are 32-bit unsigned numbers).

Use the -S argument to tcpdump and you'll see tcpdump report large sequence
numbers as well, just as your application does.


The -S option does not give me the same results either. I did another run
with -S and printed the timestamps and length of the packets to absolutely
make sure that we are comparing the same thing. Still big differences. This
is killing me.

17:53:35.347343 seq 113135041 ack 580300371 len 92
17:53:35.347348 seq 113118401 ack 580300371 len 156
17:53:35.367017 seq 100802387 ack 4147158977 len 40
17:53:35.568407 seq 100802131 ack 4147158977 len 40
17:53:35.572654 seq 100792659 ack 4147158977 len 76
17:53:35.572666 seq 116007873 ack 580300371 len 40
17:53:48.459350 seq 100784211 ack 4147158977 len 76
17:53:48.527273 seq 113147841 ack 580300371 len 40
17:53:50.581688 seq 100783443 ack 4147158977 len 76


andrej@ubuntu:~/caps$ tcpdump -r client_00001_20100818115534.cap -S -n -vv tcp | head -n 20
reading from file client_00001_20100818115534.cap, link-type EN10MB (Ethernet)
17:53:35.347343 IP (tos 0x10, ttl 64, id 40919, offset 0, flags [DF], proto TCP (6), length 92)
    193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq 949215706:949215758, ack 3908965070, win 80, length 52
17:53:35.347348 IP (tos 0x10, ttl 64, id 40920, offset 0, flags [DF], proto TCP (6), length 156)
    193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq 949215758:949215874, ack 3908965070, win 80, length 116
17:53:35.367017 IP (tos 0x0, ttl 122, id 8778, offset 0, flags [DF], proto TCP (6), length 40)
    83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb0f5 (correct), seq 3908965070, ack 949215758, win 16356, length 0
17:53:35.568407 IP (tos 0x0, ttl 122, id 8779, offset 0, flags [DF], proto TCP (6), length 40)
    83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb09e (correct), seq 3908965070, ack 949215874, win 16327, length 0
17:53:35.572654 IP (tos 0x0, ttl 122, id 8780, offset 0, flags [DF], proto TCP (6), length 76)
    83.247.48.159.49808 > 193.34.150.174.22: Flags [P.], cksum 0x035d (correct), seq 3237258086:3237258122, ack 1238688284, win 16347, length 36
17:53:35.572666 IP (tos 0x10, ttl 64, id 29749, offset 0, flags [DF], proto TCP (6), length 40)
    193.34.150.174.22 > 83.247.48.159.49808: Flags [.], cksum 0x7fed (correct), seq 1238688284, ack 3237258122, win 105, length 0
17:53:48.459350 IP (tos 0x0, ttl 122, id 8813, offset 0, flags [DF], proto TCP (6), length 76)
    83.247.48.159.52238 > 193.34.150.174.22: Flags [P.], cksum 0x795e (correct), seq 3908965070:3908965106, ack 949215874, win 16327, length 36
17:53:48.527273 IP (tos 0x10, ttl 64, id 40921, offset 0, flags [DF], proto TCP (6), length 40)
    193.34.150.174.22 > 83.247.48.159.52238: Flags [.], cksum 0xeff1 (correct), seq 949215874, ack 3908965106, win 80, length 0
17:53:50.581688 IP (tos 0x0, ttl 122, id 8816, offset 0, flags [DF], proto TCP (6), length 76)
    83.247.48.159.49808 > 193.34.150.174.22: Flags [P.], cksum 0x7fa1 (correct), seq 3237258122:3237258158, ack 1238688284, win 16347, length 36
17:53:50.581701 IP (tos 0x10, ttl 64, id 29750, offset 0, flags [DF], proto TCP (6), length 40)
    193.34.150.174.22 > 83.247.48.159.49808: Flags [.], cksum 0x7fc9 (correct), seq 1238688284, ack 3237258158, win 105, length 0
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
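
For comparison with the tcpdump -S listing above, here is an added example (not code from the original post or from tcpdump) of decoding absolute sequence and acknowledgment numbers from a captured frame, and of the relative numbering the quoted reply describes. It assumes Ethernet II framing (the EN10MB link type the capture reports) and IPv4; the names decode_tcp_nums, relative_seq and sample_frame are hypothetical.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tcp_nums { uint16_t sport, dport; uint32_t seq, ack; };

/* Decode ports, seq and ack from an Ethernet II / IPv4 / TCP frame (EN10MB).
 * Returns 0 on success, -1 if the frame is truncated or not IPv4 TCP. */
int decode_tcp_nums(const uint8_t *pkt, size_t caplen, struct tcp_nums *out)
{
    const size_t eth = 14;                        /* fixed Ethernet II header */
    if (caplen < eth + 20 || pkt[12] != 0x08 || pkt[13] != 0x00)
        return -1;
    const uint8_t *ip = pkt + eth;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;      /* IP header length varies */
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 || caplen < eth + ihl + 20)
        return -1;
    const uint8_t *tcp = ip + ihl;
    uint16_t p[2]; uint32_t n[2];
    memcpy(p, tcp, sizeof p);                     /* memcpy avoids unaligned reads */
    memcpy(n, tcp + 4, sizeof n);
    out->sport = ntohs(p[0]);  out->dport = ntohs(p[1]);
    out->seq = ntohl(n[0]);    out->ack = ntohl(n[1]);  /* wire order is big-endian */
    return 0;
}

/* Relative number as tcpdump prints without -S: offset from the first value
 * seen in that direction; unsigned arithmetic wraps modulo 2^32. */
uint32_t relative_seq(uint32_t absolute, uint32_t first) { return absolute - first; }

/* Constructed sample: header bytes rebuilt from the first packet in the
 * tcpdump -S listing above; MACs and checksums zeroed, payload not included. */
static const uint8_t sample_frame[54] = {
    0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,
    0x45,0x10,0x00,0x5c, 0x9f,0xd7,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc1,0x22,0x96,0xae, 0x53,0xf7,0x30,0x9f,
    0x00,0x16,0xcc,0x0e, 0x38,0x93,0xe1,0xda, 0xe8,0xfe,0x12,0xce,
    0x50,0x18,0x00,0x50, 0x00,0x00,0x00,0x00,
};

int main(void)
{
    struct tcp_nums t;
    if (decode_tcp_nums(sample_frame, sizeof sample_frame, &t) != 0) return 1;
    printf("%u > %u seq %u ack %u\n", (unsigned)t.sport, (unsigned)t.dport, (unsigned)t.seq, (unsigned)t.ack);
    return 0;
}
```

In a libpcap callback, the packet pointer and the caplen field of struct pcap_pkthdr would be passed as pkt and caplen.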

