Wireshark · Ethereal-users: [Ethereal-users] sequence/acknowledgement number question

Ethereal-users: [Ethereal-users] sequence/acknowledgement number question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Thu, 11 Aug 2005 10:03:57 -0400

I have a question regarding how tcp sequence numbers are calculated and/or 
acknowledged.  I reviewed the RFC, Steven's, and other resources and what 
I read does not jive with what I see displayed or what happens in the read 
world.  What I read is the acknowledgement number is one greater than the 
sequence number.   This seems to only hold true if there is zero bytes of 
data sent.  In example one I see the acknowledgement number 3322332584 for 
the sequence number 3322332583:3322332583(0)

Example 1:
15:45:13.141102 IP (tos 0x0, ttl  60, id 22513, offset 0, flags [none], 
length:60) 10.10.10.241.37679 > 10.10.10.145.22: S 
3322332583:3322332583(0) win 65535 <mss 1460,nop,wscale 
4,nop,nop,timestamp[|tcp]>
15:45:13.141468 IP (tos 0x0, ttl  60, id 63343, offset 0, flags [none], 
length:60) 10.10.10.145.22 > 10.10.10.241.37679: S 
3524895916:3524895916(0) ack 3322332584 win 17376 <mss 1460,nop,wscale 
0,nop,nop,timestamp[|tcp]>

Now example two seems to blow the acknowledgement numbers as I read about 
them.  The sequence numbers are 3322333792:3322334032, I would expect the 
acknowledgement number to be 3322334033 not 3322334032.  Why is the ack 
3322334032 and not 3322334033.  I have been pulling what's left of my hair 
out. I have asked a Track 3 alumni and the two network dudes and they were 
equally perplexed as I was when I showed them this data.

Example 2:
15:45:14.356295 IP (tos 0x0, ttl  60, id 22570, offset 0, flags [none], 
length:292) 10.10.10.241.37679 > 10.10.10.145.22: P 
3322333792:3322334032(240) ack 354898565 win 32761 <nop,nop,timestamp 
1125902767 1122933152>
15:45:14.359383 IP (tos 0x0, ttl  60, id 63509, offset 0, flags [none], 
length:244) 10.10.10.145.22 > 10.10.10.241.37679: P 
3524898565:3524898757(192) ack 3322334032 win 17376 <nop,nop,timestamp 
1122933152 1125902767>

I would really appreciate if somebody could explain this too me.  This has 
been eating away at me and I am assuming it is something very simple.

Regards,
Jim


-----------------------------------------
This message, and any attachments to it, may contain information that
is privileged, confidential, and exempt from disclosure under
applicable law.  If the reader of this message is not the intended
recipient, you are notified that any use, dissemination, distribution,
copying, or communication of this message is strictly prohibited.  If
you have received this message in error, please notify the sender
immediately by return e-mail and delete the message and any
attachments.  Thank you.

Prev by Date: [Ethereal-users] (no subject)
Next by Date: [Ethereal-users] fix cap file
Previous by thread: Re: [Ethereal-users] (no subject)
Next by thread: Re: [Ethereal-users] sequence/acknowledgement number question
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$