packet analysis

  • packet analysis

    I’m sure you get a lot of questions but hopefully you can take the time to enlighten me as I’m new to protocol analysis. Thanks in advance, here’s my question:

    I'm a little lost on SEQ and ACK numbers but after running Microsoft Network Monitor 3 to capture a trace to here’s what I “figured” out

    1. In the first TCP packet (the SYN) from the source to the destination the source packet has a “random” SEQ number (I don’t understand how it’s calculated on the first connection) and an ACK of 0.
    2. The return packet from the destination (the SYN and ACK) has a “random” SEQ number and an ACK that is the original SEQ number from the source incremented by 1.
    3. The next packet from the source (the ACK) has a SEQ that matches the ACK from the previous destination to source packet and an ACK that matches the previous SEQ incremented by 1. Since no data has transferred yet this makes sense to me as to why the increment of 1.
    4. Next comes my HTTP GET / request.
    5. The next packet from the destination to the source has a SEQ that matches the previous ACK and an ACK that matches the previous SEQ incremented by the amount of data transferred.
    6. So on and so forth for all subsequent packets.

    So my question is: Is this how the SEQ and ACK numbers work? In a “flip-flop” mode, incremented by the amount of data sent?

  • #2
    Re: packet analysis

    Hi Joe,
    Once you come up with these sorts of questions you are in for lots of a bit of plenty of and quite a bit of

    On the bright side afterwards you will have a good idea of what is actually happening.

    I take it you've looked at Wiki's information on TCP/IP and found it glossed over what you need?
    If so you might want to have a look at RFC 793.
    Now sending someone to look at RFCs is a bit of a mean thing to do so to reduce my guilt (and stop you from going ) I'm going to advise you to only dip in and take what you need.

    The answer to your question can be found at page 26 of that document, the section titled Initial Sequence Number Selection.

    RFCs Are great! (Did I just say that? )
    It is a great way to look up Internet/computing standards.

    Well have fun.
    I don't know anything about (you or your) computers.
    Research/test for yourself when listening to free advice.
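
The SEQ/ACK bookkeeping asked about in the first post, as an added Python example that is not part of the original thread. It goes slightly beyond the six steps by covering 32-bit wraparound and two data segments sent back to back; the packet tuples, the `check_flow` and `seq_space` names and the sample values are constructed, and it assumes an in-order capture with no loss, retransmission or delayed ACKs.

```python
MOD = 2**32  # sequence numbers are 32-bit and wrap around


def seq_space(flags, length):
    """Sequence space one segment consumes: payload bytes, plus 1 each for SYN and FIN."""
    return (length + int("S" in flags) + int("F" in flags)) % MOD


def check_flow(packets):
    """Return [(index, reason)] for segments whose SEQ/ACK do not fit the stream.

    Each packet is (sender, flags, seq, ack, payload_len), sender "C" or "S".
    Assumption: every segment acknowledges all peer data captured so far.
    """
    next_seq = {}    # sender -> next sequence number that side should send
    anomalies = []
    for i, (sender, flags, seq, ack, length) in enumerate(packets):
        peer = "S" if sender == "C" else "C"
        # A SYN carries the sender's freshly chosen ISN, so any value is accepted.
        want_seq = seq if "S" in flags else next_seq.get(sender)
        # The ACK field only means something when the ACK flag is set.
        want_ack = next_seq.get(peer) if "A" in flags else ack
        if seq != want_seq:
            anomalies.append((i, f"seq {seq}, expected {want_seq}"))
            continue     # do not let a bad segment move the expected state
        if ack != want_ack:
            anomalies.append((i, f"ack {ack}, expected {want_ack}"))
            continue
        next_seq[sender] = (seq + seq_space(flags, length)) % MOD
    return anomalies


# Constructed capture: client ISN is 2**32 - 1, so ISN + 1 wraps to 0.
SAMPLE = [
    ("C", "S",  4294967295, 0,    0),     # 1. SYN
    ("S", "SA", 1000,       0,    0),     # 2. SYN+ACK, ack = client ISN + 1 (wrapped)
    ("C", "A",  0,          1001, 0),     # 3. ACK, ack = server ISN + 1
    ("C", "PA", 0,          1001, 120),   # 4. HTTP GET, 120 bytes
    ("S", "A",  1001,       120,  1460),  # 5. response, acks the 120 bytes
    ("S", "PA", 2461,       120,  500),   #    second segment: seq moves, ack does not
    ("C", "A",  120,        2961, 0),     # 6. client acks 1460 + 500 bytes
]

if __name__ == "__main__":
    print(check_flow(SAMPLE))  # clean capture
    odd = SAMPLE[:5] + [("S", "PA", 5000, 120, 100)] + SAMPLE[5:]
    print(check_flow(odd))     # the constructed out-of-sequence segment is flagged
```
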


    • #3
      Re: packet analysis

      Thanks for the advice and info. I'm off to read the RFC.