How to Do TCP Sequence Number Analysis

By Kary | tutorial

May 10

But more importantly, WHY you should do TCP sequence number analysis. Well, you know all those black and red packets in Wireshark? Sure, you’ve seen them, right? Scary, huh? What if someone says there’s a problem and you see a bunch of those packets in Wireshark. Is that the problem?

This video will show an example of a scary looking section in a capture and walk through exactly what’s going on and if it’s a problem or not. If you’re going to learn packet analysis, it is key that you understand what sequence numbers are for and be able to follow the action in the capture as it relates to the stream of data being tracked by those sequence numbers. The Wireshark Expert Info is just a guide, you need to be able to determine if it’s trustworthy and correct.

Video notes:

  • TCP typically ACKs every other segment
  • Add sequence number, next sequence number, and acknowledgment number to your Wireshark columns
  • Next sequence number is sequence number plus TCP data payload length
  • ACK number tells you what data has been received and what the next received sequence number should be
  • TCP will ACK every packet when in recovery
  • What is a “spurious retransmission”?
  • I meant to slowly slide out of my chair in the beginning but fell somehow. It hurt my back, but nothing some scotch couldn’t fix.

Download the pcap

Share this post! Spread the packet gospel!


About the Author

I like being the hero. Being able to drop a bucket of root cause analysis on a burning network problem has made me a hero (to some people) and it feels real good, y’all. Get good at packet analysis and be the hero too. I also like french fries.

Leave a Comment:

(13) comments

Aaron May 11, 2015

I’m going to go out on a limb here and say that the ~200 ms pause you mention towards the end of the video was a TCP delayed ACK.

    Kary May 11, 2015

    Ding ding! *confetti and balloons*

Carl May 11, 2015

Great post Kary, thanks!

Rohan May 12, 2015

Excellent post!

It would great if you could have a post about how to use TTL, Mac addresses etc. to pick up a transparent device interfering with the flow

Helmuth May 19, 2015

Very helpful explanation again – thanks for that.
What’s wrong with IPX ? ;-)
If i read the RCF correct the 200ms could also be up to 500ms :-)
I’m always confused about Wiresharks interpretation of ‘TCP Out of Order’ – since there is a SACK before requesting the missing packets. So i would prefere wireshark to name out of order packets following a SACK frame ‘Requested retransmission’ – although out of order is correct.
Another useful colum i use is the ‘Delta Time’


    Helmuth May 19, 2015

    RFC – of course

adam September 15, 2015

is there a way to download the capture file you was using in the video ?

    Kary September 15, 2015

    I’ve added it to the post above

Scott October 20, 2015

Just discovered your site and loving the in-depth tutorials.

One question: How do you get the “Nxt Seq” column to calculate? I’m not seeing it as a default option and I’m not sure how to do something like “tcp.seq + tcp.payload.length”


    Kary October 20, 2015

    Hi Scott,

    Wireshark already does this calculation for you. But note that the next sequence number only exists in packets that have TCP data, so it won’t be there for naked ACKs.

    Expand the TCP section of the packet details and look for [Next sequence number: XXXXXX]. Right click on that and hit “Apply as Column”

      Scott October 20, 2015

      Many thanks, Kary. I just saw this comment after catching a split second during the video of you hovering over the “Nxt Seq” column and saw the value is “tcp.nxtseq”, duh. ;-)

      Thanks for the GUI way of doing this, also!

Cj July 2, 2016

Would like to view your tutorials but sadly i am experiencing network peformance issues on my fixed wirless slow band internet service.

Im just sick of the excuses when it comes to fixed wireless broadband. “Oh it’s the wind a tree branch is probably blowing in front of it”. When no wind is around yet when the trees are blowing i have no problems on my 512kbs slowband. So why all of a sudden now. i just know for a fact that when doing support work at a school the EDU or victorias school education internet service in victoria oz.The support admins would never admit that it was a problem on their end.
Our home slowband is government subsidised by our previous government whom was in power and is now being replaced by the NBN. Which is a farce in itself and has certaintly made me decide whom I vote for in this election that is taking place.I some what wonder if the isp is just letting the old legacy previous labour party goverment broadband to run into the ground to force people to switch over to the NBN?…

Mike February 6, 2017

Thx. Kary!
Very valuable (and enjoyable! :)) video (I had to troubleshoot IPX and APPLETALK way back in the ninties …)!
May I ask you for the coloring rule (delay > 200ms or so)?
Thx. again!
Keep on …

Add Your Reply

Leave a Comment: