tcpdump mailing list archives
Re: tcp sequence and ack number with libpcap
From: Andrej van der Zee <andrejvanderzee () gmail com>
Date: Fri, 20 Aug 2010 07:44:46 +0900
Hi,

> Hi Andrej,
>
> Several others have already mentioned it -- tcpdump is using relative sequence numbers to make it easier to read the output. Large sequence numbers are perfectly valid (after all, they are 32-bit unsigned numbers). Use the -S argument to tcpdump and you'll see tcpdump report large sequence numbers as well, just as your application does.

The -S option does not give me the same results either. I did another run with -S and printed the timestamps and length of the packets to absolutely make sure that we are comparing the same thing. Still big differences. This is killing me.

17:53:35.347343 seq 113135041 ack 580300371 len 92
17:53:35.347348 seq 113118401 ack 580300371 len 156
17:53:35.367017 seq 100802387 ack 4147158977 len 40
17:53:35.568407 seq 100802131 ack 4147158977 len 40
17:53:35.572654 seq 100792659 ack 4147158977 len 76
17:53:35.572666 seq 116007873 ack 580300371 len 40
17:53:48.459350 seq 100784211 ack 4147158977 len 76
17:53:48.527273 seq 113147841 ack 580300371 len 40
17:53:50.581688 seq 100783443 ack 4147158977 len 76

andrej@ubuntu:~/caps$ tcpdump -r client_00001_20100818115534.cap -S -n -vv tcp | head -n 20
reading from file client_00001_20100818115534.cap, link-type EN10MB (Ethernet)
17:53:35.347343 IP (tos 0x10, ttl 64, id 40919, offset 0, flags [DF], proto TCP (6), length 92)
    193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq 949215706:949215758, ack 3908965070, win 80, length 52
17:53:35.347348 IP (tos 0x10, ttl 64, id 40920, offset 0, flags [DF], proto TCP (6), length 156)
    193.34.150.174.22 > 83.247.48.159.52238: Flags [P.], seq 949215758:949215874, ack 3908965070, win 80, length 116
17:53:35.367017 IP (tos 0x0, ttl 122, id 8778, offset 0, flags [DF], proto TCP (6), length 40)
    83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb0f5 (correct), seq 3908965070, ack 949215758, win 16356, length 0
17:53:35.568407 IP (tos 0x0, ttl 122, id 8779, offset 0, flags [DF], proto TCP (6), length 40)
    83.247.48.159.52238 > 193.34.150.174.22: Flags [.], cksum 0xb09e (correct), seq 3908965070, ack 949215874, win 16327, length 0
17:53:35.572654 IP (tos 0x0, ttl 122, id 8780, offset 0, flags [DF], proto TCP (6), length 76)
    83.247.48.159.49808 > 193.34.150.174.22: Flags [P.], cksum 0x035d (correct), seq 3237258086:3237258122, ack 1238688284, win 16347, length 36
17:53:35.572666 IP (tos 0x10, ttl 64, id 29749, offset 0, flags [DF], proto TCP (6), length 40)
    193.34.150.174.22 > 83.247.48.159.49808: Flags [.], cksum 0x7fed (correct), seq 1238688284, ack 3237258122, win 105, length 0
17:53:48.459350 IP (tos 0x0, ttl 122, id 8813, offset 0, flags [DF], proto TCP (6), length 76)
    83.247.48.159.52238 > 193.34.150.174.22: Flags [P.], cksum 0x795e (correct), seq 3908965070:3908965106, ack 949215874, win 16327, length 36
17:53:48.527273 IP (tos 0x10, ttl 64, id 40921, offset 0, flags [DF], proto TCP (6), length 40)
    193.34.150.174.22 > 83.247.48.159.52238: Flags [.], cksum 0xeff1 (correct), seq 949215874, ack 3908965106, win 80, length 0
17:53:50.581688 IP (tos 0x0, ttl 122, id 8816, offset 0, flags [DF], proto TCP (6), length 76)
    83.247.48.159.49808 > 193.34.150.174.22: Flags [P.], cksum 0x7fa1 (correct), seq 3237258122:3237258158, ack 1238688284, win 16347, length 36
17:53:50.581701 IP (tos 0x10, ttl 64, id 29750, offset 0, flags [DF], proto TCP (6), length 40)
    193.34.150.174.22 > 83.247.48.159.49808: Flags [.], cksum 0x7fc9 (correct), seq 1238688284, ack 3237258158, win 105, length 0
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.