ethereal sequence and acknowledgement numbers question

  1. #1
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407

    ethereal sequence and acknowledgement numbers question

    I'm messing with a snort log file and looking at it in ethereal. When I look at the seq and ack
    numbers in the tcp header, it is reporting 1022 for seq when the number is 0xe8523472 hex
    (3897701490 decimal) and 198 for ack when the number is 0x99b591a6 hex (2578813350 decimal).

    Is there a reason for this or some formula I can use to convert the decimal number to the number
    ethereal is showing me? Thanks.

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    These seq or ack numbers are always relative to the initial number
    given by the SYN (SYN/ACK) packet[1], which is large to avoid
    unwanted duplications.

    Example:
    Code:
     
                              sequence       acknowledgment
    1. -> SYN packet        : fd 89 2a af    00 00 00 00
    1. <- SYN/ACK packet    : 48 51 e7 74    fd 89 2a b0
    2. -> packet            : fd 89 2a b0    48 51 e7 75
    etc.

    Cheers

    [1] http://www.faqs.org/rfcs/rfc793.html, p.23ff
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  3. #3
    Elite Hacker
    Join Date
    Mar 2003
    Posts
    1,407
    I'm not saying it isn't large. I was wondering why ethereal was saying it was 1022 when it was really 3897701490. Either I'm missing something or they screwed something up.

    edit
    sec_ware explained it to me in PM since I failed to grasp his post. Ethereal is simply giving an offset from the initial sequence number. Thanks sec_ware.
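
The relative numbering described in the thread, as an added example that is not part of any post: it parses raw TCP headers, remembers the initial sequence number (ISN) of each direction, and reports offsets modulo 2^32. The port numbers, the window value and the mid-stream fallback are assumptions; the sequence and acknowledgement values are the ones quoted in posts #1 and #2.

```python
import struct

MOD = 1 << 32            # sequence numbers are 32-bit and wrap around
SYN, ACK = 0x02, 0x10    # RFC 793 flag bits

def tcp_header(sport, dport, seq, ack, flags):
    """Build a constructed 20-byte TCP header (window 8192, no options)."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 8192, 0, 0)

def parse_tcp(header):
    """Return (sport, dport, seq, ack, flags) from a raw TCP header."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", header[:14])
    return sport, dport, seq, ack, off_flags & 0x3F

class RelativeSeq:
    """Remember the initial sequence number (ISN) of each direction."""
    def __init__(self):
        self.isn = {}    # (sport, dport) -> ISN for that direction

    def feed(self, header):
        sport, dport, seq, ack, flags = parse_tcp(header)
        me, peer = (sport, dport), (dport, sport)
        if flags & SYN or me not in self.isn:
            # SYN and SYN/ACK carry the ISN. Assumption: if the capture starts
            # mid-stream, the first sequence number seen becomes the base.
            self.isn[me] = seq
        rel_seq = (seq - self.isn[me]) % MOD
        rel_ack = None   # no ACK flag set, or peer ISN never seen
        if flags & ACK and peer in self.isn:
            rel_ack = (ack - self.isn[peer]) % MOD
        return rel_seq, rel_ack

def implied_isn(raw, relative):
    """Invert the mapping: which ISN makes `raw` display as `relative`?"""
    return (raw - relative) % MOD

def handshake_from_thread():
    """Replay the three packets from post #2 (ports 1025 and 80 are made up)."""
    t = RelativeSeq()
    return [t.feed(p) for p in (
        tcp_header(1025, 80, 0xfd892aaf, 0, SYN),
        tcp_header(80, 1025, 0x4851e774, 0xfd892ab0, SYN | ACK),
        tcp_header(1025, 80, 0xfd892ab0, 0x4851e775, ACK))]

if __name__ == "__main__":
    print(handshake_from_thread())
    print(hex(implied_isn(0xe8523472, 1022)), hex(implied_isn(0x99b591a6, 198)))
```

`implied_isn` answers the original question in reverse: subtracting the displayed offset from the raw header value gives the ISN the display is counted from.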
