How to Do TCP Sequence Number Analysis – PacketBomb

How to Do TCP Sequence Number Analysis

By Kary | tutorial

May 10

But more importantly, WHY you should do TCP sequence number analysis. Well, you know all those black and red packets in Wireshark? Sure, you’ve seen them, right? Scary, huh? What if someone says there’s a problem and you see a bunch of those packets in Wireshark: is that the problem?

This video will show an example of a scary-looking section in a capture and walk through exactly what’s going on and whether it’s a problem or not. If you’re going to learn packet analysis, it is key that you understand what sequence numbers are for and be able to follow the action in the capture as it relates to the stream of data being tracked by those sequence numbers. The Wireshark Expert Info is just a guide; you need to be able to determine whether it’s trustworthy and correct.

Video notes:

  • TCP typically ACKs every other segment
  • Add sequence number, next sequence number, and acknowledgment number to your Wireshark columns
  • Next sequence number is sequence number plus TCP data payload length
  • ACK number tells you what data has been received and what the next received sequence number should be
  • TCP will ACK every packet when in recovery
  • What is a “spurious retransmission”?
  • I meant to slowly slide out of my chair in the beginning but fell somehow. It hurt my back, but nothing some scotch couldn’t fix.
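As an added illustration of the notes above (this is example code written for this page, not code from the video, from PacketBomb, or from Wireshark), here is a small Python script that does the same bookkeeping Wireshark’s Expert Info does: it derives the next sequence number as seq plus payload length, uses the ACK numbers coming back to decide whether a repeated segment is a plain retransmission or a spurious one, records holes and the out-of-order segments that later fill them, spots duplicate ACKs, and measures how long each ACK took so that a ~200 ms delayed ACK (the pause discussed in the comments) stands out from the usual ACK-every-other-segment rhythm. The trace, the host names A and B, and the 100 ms threshold are constructed assumptions, and the classification is a deliberate simplification of Wireshark’s real rules (no SACK, no RTT-based timing).

```python
# Toy TCP sequence-number analysis in the spirit of Wireshark's Expert Info.
# Added example, not code from PacketBomb or Wireshark. The trace at the bottom is
# constructed: relative seq numbers start at 1 as Wireshark shows them after the
# handshake, and only host A sends data (B only ACKs).
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DELAYED_ACK_THRESHOLD = 0.100  # seconds; assumed cut-off for calling an ACK "delayed"

@dataclass
class Segment:
    t: float      # capture timestamp in seconds
    src: str
    dst: str
    seq: int      # relative sequence number (tcp.seq)
    ack: int      # relative acknowledgment number (tcp.ack)
    length: int   # TCP payload bytes (tcp.len)

    @property
    def nxtseq(self) -> int:
        # Wireshark's tcp.nxtseq: sequence number plus payload length
        return self.seq + self.length

@dataclass
class HostState:
    highest_nxtseq: Optional[int] = None                            # highest seq+len we sent
    holes: List[Tuple[int, int]] = field(default_factory=list)      # [start, end) never seen
    unacked: List[Tuple[int, float]] = field(default_factory=list)  # (nxtseq, time) we sent
    acked_by_peer: int = 0                                          # highest ACK peer sent us
    last_ack_sent: Optional[int] = None                             # ACK in our previous packet

def classify_data(seg: Segment, st: HostState) -> Optional[str]:
    """Flag a data segment from this sender, or None when it is in sequence."""
    if st.highest_nxtseq is None or seg.seq == st.highest_nxtseq:
        st.highest_nxtseq = seg.nxtseq
        return None
    if seg.seq > st.highest_nxtseq:  # jump forward: bytes in between were never captured
        st.holes.append((st.highest_nxtseq, seg.seq))
        st.highest_nxtseq = seg.nxtseq
        return "previous segment not captured"
    for i, (start, end) in enumerate(st.holes):  # below what we saw: does it plug a hole?
        if start <= seg.seq and seg.nxtseq <= end:
            st.holes[i:i + 1] = [h for h in ((start, seg.seq), (seg.nxtseq, end)) if h[0] < h[1]]
            return "out-of-order"
    # Bytes seen before: spurious if the receiver's ACK already covers them,
    # otherwise a normal retransmission of data whose ACK never came.
    label = "spurious retransmission" if seg.nxtseq <= st.acked_by_peer else "retransmission"
    st.highest_nxtseq = max(st.highest_nxtseq, seg.nxtseq)
    return label

def analyze(trace: List[Segment]) -> List[List[str]]:
    """Return the expert-style flags for each packet, in time order."""
    hosts, result = {}, []
    for seg in sorted(trace, key=lambda s: s.t):
        me = hosts.setdefault(seg.src, HostState())
        peer = hosts.setdefault(seg.dst, HostState())
        flags: List[str] = []
        # The ACK number tells the peer which bytes arrived and what seq to send next.
        if seg.length == 0 and me.last_ack_sent == seg.ack:
            flags.append("dup ACK")
        me.last_ack_sent = seg.ack
        peer.acked_by_peer = max(peer.acked_by_peer, seg.ack)
        # Retire the peer's data this ACK covers and measure how long it waited.
        covered = [t for n, t in peer.unacked if n <= seg.ack]
        peer.unacked = [(n, t) for n, t in peer.unacked if n > seg.ack]
        if covered and seg.length == 0:
            delay = seg.t - max(covered)
            flags.append(f"ACKs {len(covered)} segment(s) after {delay * 1000:.0f} ms")
            if delay >= DELAYED_ACK_THRESHOLD:
                flags.append("delayed ACK")
        if seg.length > 0:
            label = classify_data(seg, me)
            if label:
                flags.append(label)
            me.unacked.append((seg.nxtseq, seg.t))
        result.append(flags)
    return result

# Constructed sample trace: 1000-byte segments from A to B, ACKs from B to A.
TRACE = [
    Segment(0.000, "A", "B", 1, 1, 1000),
    Segment(0.001, "A", "B", 1001, 1, 1000),
    Segment(0.050, "B", "A", 1, 2001, 0),     # one ACK for two segments
    Segment(0.060, "A", "B", 2001, 1, 1000),
    Segment(0.061, "A", "B", 4001, 1, 1000),  # 3001-4000 missing from the capture
    Segment(0.063, "A", "B", 3001, 1, 1000),  # fills the hole: out-of-order
    Segment(0.110, "B", "A", 1, 5001, 0),
    Segment(0.300, "A", "B", 4001, 1, 1000),  # already ACKed: spurious retransmission
    Segment(0.301, "B", "A", 1, 5001, 0),     # receiver answers with a dup ACK
    Segment(0.310, "A", "B", 5001, 1, 1000),
    Segment(0.520, "B", "A", 1, 6001, 0),     # lone segment ACKed ~210 ms later
    Segment(0.530, "A", "B", 6001, 1, 1000),
    Segment(0.800, "A", "B", 6001, 1, 1000),  # not yet ACKed: retransmission
    Segment(0.850, "B", "A", 1, 7001, 0),
]

if __name__ == "__main__":
    for seg, flags in zip(TRACE, analyze(TRACE)):
        print(f"{seg.t:.3f}s {seg.src}->{seg.dst} seq={seg.seq} nxtseq={seg.nxtseq} "
              f"ack={seg.ack} len={seg.length}", flags or "")
```

The thing to notice when you run it is that the same seq number (6001) shows up twice with two different verdicts depending only on what the ACK stream says: the first repeat of 4001 is spurious because B had already acknowledged through 5001, while the repeat of 6001 is a genuine retransmission because no ACK past 6001 had arrived. That is the judgement the video asks you to make by eye from the seq, nxtseq and ack columns, and it is why an Expert Info label alone is not enough.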

Download the pcap

About the Author

I like being the hero. Being able to drop a bucket of root cause analysis on a burning network problem has made me a hero (to some people) and it feels real good, y’all. Get good at packet analysis and be the hero too. I also like french fries.

(19) comments

Aaron May 11, 2015

I’m going to go out on a limb here and say that the ~200 ms pause you mention towards the end of the video was a TCP delayed ACK.

    Kary May 11, 2015

    Ding ding! *confetti and balloons*

Carl May 11, 2015

Great post Kary, thanks!

Rohan May 12, 2015

Excellent post!

It would be great if you could have a post about how to use TTL, MAC addresses etc. to pick up a transparent device interfering with the flow.

Helmuth May 19, 2015

Very helpful explanation again – thanks for that.
What’s wrong with IPX? ;-)
If I read the RCF correctly, the 200ms could also be up to 500ms :-)
I’m always confused about Wireshark’s interpretation of ‘TCP Out of Order’ – since there is a SACK before requesting the missing packets. So I would prefer Wireshark to name out-of-order packets following a SACK frame ‘Requested retransmission’ – although out of order is correct.
Another useful column I use is the ‘Delta Time’.

regards
Helmuth

    Helmuth May 19, 2015

    RFC – of course

adam September 15, 2015

Is there a way to download the capture file you were using in the video?

    Kary September 15, 2015

    I’ve added it to the post above

Scott October 20, 2015

Just discovered your site and loving the in-depth tutorials.

One question: How do you get the “Nxt Seq” column to calculate? I’m not seeing it as a default option and I’m not sure how to do something like “tcp.seq + tcp.payload.length”

Thanks!

    Kary October 20, 2015

    Hi Scott,

    Wireshark already does this calculation for you. But note that the next sequence number only exists in packets that have TCP data, so it won’t be there for naked ACKs.

    Expand the TCP section of the packet details and look for [Next sequence number: XXXXXX]. Right click on that and hit “Apply as Column”

      Scott October 20, 2015

      Many thanks, Kary. I just saw this comment after catching a split second during the video of you hovering over the “Nxt Seq” column and saw the value is “tcp.nxtseq”, duh. ;-)

      Thanks for the GUI way of doing this, also!

Cj July 2, 2016

Would like to view your tutorials but sadly I am experiencing network performance issues on my fixed wireless slow band internet service.

I’m just sick of the excuses when it comes to fixed wireless broadband. “Oh it’s the wind, a tree branch is probably blowing in front of it”. When no wind is around, yet when the trees are blowing I have no problems on my 512kbs slowband. So why all of a sudden now? I just know for a fact that when doing support work at a school, the EDU or Victoria’s school education internet service in Victoria, Oz, the support admins would never admit that it was a problem on their end.
Our home slowband is government subsidised by our previous government, which was in power and is now being replaced by the NBN. Which is a farce in itself and has certainly made me decide whom I vote for in this election that is taking place. I somewhat wonder if the ISP is just letting the old legacy previous Labour party government broadband run into the ground to force people to switch over to the NBN?…

Mike February 6, 2017

Thx. Kary!
Very valuable (and enjoyable! :)) video (I had to troubleshoot IPX and APPLETALK way back in the nineties …)!
May I ask you for the coloring rule (delay > 200ms or so)?
Thx. again!
Keep on …

David March 31, 2017

Great tutorial, thanks. Thought it would be helpful to show the packet-foo URL: https://blog.packet-foo.com/

One other point, I was confused by how to add the Seq number columns. I think the key thing is to select a TCP packet in the trace. Even then the ‘Next seq number’ is not always shown in the details pane. Could do with some more explanation there.

John April 2, 2017

Hi, getting a 404 on the dropbox vpn_rewrite.pcap link.

    Kary April 4, 2017

    Dropbox changed the public folder settings. Fixed.

      John April 19, 2017

      Thanks Kary!

SRK April 19, 2017

I AM NOT SURE OF THE REASON WHY THERE WAS A PAUSE OF AROUND 200ms IN THE VIDEO THAT YOU WERE TALKING ABOUT AT 14:46 SECONDS. KINDLY LET ME KNOW.

THANKS

    Kary April 19, 2017

    KINDLY READ THE FIRST COMMENT ON THIS POST FOR THE ANSWER :)
