It does happen from time to time.
Most commonly when you have a retransmitted packet early in the trace
that has a sequence number "before" the first packet seen.
In that case those retransmitted packets just get a negative sequence
number (~ -2 billion something).
You get used to it and it is not really much of a big deal.
On Mon, Aug 17, 2009 at 5:45 PM, Selçuk Cevher<cevhers@xxxxxxxxx> wrote:
> Hi,
>
> I made some tests with Wireshark using some sample PCAP files.
>
> I noticed that Wireshark stores the sequence number of the first segment
> belonging to a specific connection that it comes across in the PCAP file as
> the ISN (initial sequence number) of that connection.
>
> I always thought that there might be a possibility that the first segment of
> a TCP stream (with the sequence number of ISN+1) may appear "after", for
> example, 2nd segment of a certain TCP connection.
>
> Was this thought totally wrong that we never come across such a case ? or
> Does Wireshark not handle such a case which may actually occur in practice ?
>
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
