Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: Re: [Wireshark-users] TCP sequence number

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 22 Dec 2009 18:55:55 -0800
On Dec 22, 2009, at 6:29 PM, Rayne wrote:

> I would like to know how Wireshark reads the sequence number. I have a packet with the Sequence number displayed as 3273, but the corresponding bytes are "2e b2 cf 43". How did Wireshark get 3273 from 2e b2 cf 43?

By fetching the bytes in question in network byte order, and then subtracting the initial sequence number for the TCP connection from it.

(I.e., by default, it displays relative sequence numbers, not absolute sequence numbers.)
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube