I'm confused about the meaning of the "sequence number (raw)" in wireshark when I capture the first SYN package. What is the difference between the "sequence number (relative)" and "sequence number (raw)"?
printscreen in wireshark
The raw sequence number is the actual value assigned on the packet.
WireShark groups TCP sessions and assigns them relative sequence (and acknowledgment) numbers which start from 0 (and incrementing by 1 as it seems, for each subsequent packet) so the user can identify the sequence of events.
According to the corresponding wiki page:
By default Wireshark and TShark will keep track of all TCP sessions and convert all Sequence Numbers (SEQ numbers) and Acknowledge Numbers (ACK Numbers) into relative numbers. This means that instead of displaying the real/absolute SEQ and ACK numbers in the display, Wireshark will display a SEQ and ACK number relative to the first seen segment for that conversation.
That wiki page also includes instructions on how to enable/disable this feature.
To get to that wiki page you can follow some paths including the following:
WireShark home wiki page -> Use WireShark / TShark -> Preferences -> Protcols -> TCP -> TCP_Relative_Sequence_Numbers.
WireShark home wiki page -> References -> PortReference: TCP -> Transmission Control Protocol -> Preference Settings -> TCP_Relative_Sequence_Numbers and TCP Window Scaling.
See also:
How can I get the actual TCP sequence number in Wireshark?
TCP: How are the seq / ack numbers generated? (which led me to TCP's RFC 793, page 27).
Related
I'm creating pseudo TCP packet from scratch (based on some existing data) that can be later analysed using Wireshark.
How should I fill out sequence/acknowledgement number so that in Wireshark we can see a clean flow? Currently, I'm seeing TCP retransmission/out of order/previous segment not captured etc.
What I've tried: increment sequence number with the current TCP packet's length, but it didn't work.
(It doesn't necessarily need to makes sense, I should just get rid of the warnings)
In a situation where both client and server sets their respective sequence number to 0, I read that the following is true:
C-->S: SYN=1, SEQ=0 (No data bytes)
C<--S: SYN=1, SEQ=0, ACK=1 (No data bytes)
C-->S: SEQ=1, ACK=1 (Data bytes optional)
In the third part, I understand the server is expecting the next sequence number to be 1, but aren't sequence numbers supposed to be set to initial_seq_num + sent_data_bytes_num? Since there was no data bytes sent in the first part of the handshake shouldn't the seq # be 0?
Is this just an exception during the handshake or are segments sent to with no data bytes supposed to increment the sequence number by 1 if they can be sent at all?
(There is a similar Q & A but the answer doesn't explain if this is an exception during the handshake phase OR if this happens after a TCP connection has been establish. I'm not even sure if a segment with no data bytes can even be sent. I'm assuming you can't)
ADDED It seems TCP keep-alive packets have no payload either. RFC 1122 says in these packets, SEG.SEQ = SND.NXT-1, and because this sequence number will be an already ACKed number, and a duplicate ACK will be sent, so as to keep the sequence number of the server the same.
Otherwise, I couldn't find any indications of what needs to be done when the sequence number is correct but there is no payload. I might be wrong since I only briefly scanned the document, but there is also no statement of rules of sequence numbering during the handshake except for examples.
In RFC 1122, it says
Unfortunately, some misbehaved TCP implementations fail to respond to a segment with SEG.SEQ = SND.NXT-1 unless the segment contains data.
So I'm assuming it depends on each implementation, but if there is any statement of a) the sequence numbering during handshake, and b) how to behave when the sequence # is correct but there is no payload, I would really appreciate it if someone could point me to that part.
Thanks!
The first ACK (that occurs as part of Handshake) acknowledges the reception of SYN from the other end. The SYN segment does not carry any data. But to allow the provision for acknowledging the reception of SYN, the first ACK is incremented though no payload is present.
The TCPv4 specification (RFC 793) classifies a received segment as unacceptable if it has zero length, a sequence number equal to RCV.NXT+RCV.WND while the receive window is not zero (second row in the table).
This essentially means that the segment will be discarded, other than possibly sending an ACK. No ACK processing or send window update will be done.
What is the justification of this?
Consider this scenario:
Host A sends all possible data segments to host B, just exhausting the receive window of B.
Host A shortly also sends an empty segment, e.g. a window update or acknowledgement of received data. This segment has sequence number equal to the right edge of the receive window of host B (RCV.NXT+RCV.WND), since it was set to the latest SND.NXT of host A.
The mentioned data packets are lost in the network or delayed, and host B receives the empty segment first.
Host B will classify the empty segment as not acceptable, and drop it, ignoring any acknowledgement or window update.
Is there some part that I am not understanding correctly? Is this scenario really possible?
note: I ask here instead of on networkengineering.stackexchange.com since I encountered the issue while implementing a TCP/IP stack and these protocol details seem closer to programming than what is commonly understood as network engineering.
Why do we need the sequence number and the next sequence number field in the TCP header?
Below is a TCP header from a packet captured using wireshark.
First, fields in Wireshark enclosed by [brackets] are computed fields - they're not in the packet. That next sequence number field shown by Wireshark is one such field. Wireshark is computing that by taking the 'sequence number' field and adding it to the payload size of your packet. It's no surprise then that the difference between these two numbers is 1430 - a common TCP payload size.
Sequence numbers in TCP are in units of bytes - they basically say, what byte location in the TCP stream this packet's payload is inserted at.
The 'acknowledged' sequence number shows how many bytes I'm acknowledging as having received.
Since TCP is bidirectional, each end has to declare
Where the bytes its transmitting should go in the stream and
What bytes that you've sent me that I've received.
As such, each TCP packet has two fields that refer to sequence numbers - the 'sequence number' field, and the 'acknowledgment number' field.
Without the 'sequence number' field, the receiving end wouldn't be able to tell if packets were received out of order. Without the 'acknowledgment number' field, the transmitting end wouldn't know if some of his packets had been dropped and the receiver never received them.
Because TCP is a reliable pipe. This means that packets are delivered in sequence (and only once) even though the lower layers don't offer that guarantee. IN order to do this TCP needs housekeeping data, acks, nacks,....
https://en.wikipedia.org/wiki/Transmission_Control_Protocol
The 'next sequence' is an artifact of wireshark, its not actually in the TCP header, ws is just telling you the next packet in its capture file
Every byte (of data send via TCP) has it's own sequence number. This sequence number features in the TCP header (the sequence number field).
I read that this is separate from the sequence number used for the sliding window protocol. This makes me wonder:
Q:
If the sequence number field in the TCP header does not contain the sequence number used for the sliding window protocol - where can the sliding window sequence number be found in the TCP header (or segment)?
The TCP sequence number is used by the protocol to signal the acknowledgement of data acknowledgement.
That is, the sender sends out data with a sequence number in the header of the last byte in the packet.
The receiver returns acknowledgements containing the sequence number of the last byte of data known to have been received. If the transmitter sees the receiver acking data "too long ago" it retransmits the data presumed to have been lost.
If in fact the receiver has received the data retransmitted it knows because of its own highest sequence number that this is so, and can drop part or all of the data received, and send an ack back with the correct sequence so the transmitter can continue.
I think your informant is incorrect BTW. The best book I know of for TCP internals is "TCP/IP Illustrated" by Wright & Stevens, which is well worth getting. See Vol 2 pp 807..812 for all the details...