Ethereal-users: Re: [Ethereal-users] sequence/acknowledgement number question

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jack Jackson <jack@xxxxxxxxxxxxxxx>
Date: Thu, 11 Aug 2005 14:25:32 -0700
The ack number is the first sequence number that has not been received. Remember that every byte in a TCP message has a sequence number associated with it. The sequence number in the packet header is the sequence number of the first data byte in the message (or the pseudo SYN byte).

Take Example 2 first. As I read the dump, there are 240 TCP bytes. The sequence number of the first byte is 3322333792, the sequence number of the last byte is that plus 239 or 3322334031, so the first sequence number that has not been received is 3322334032, which is what is sent as the ack.

In Example 1, there is no data being sent. This is a keep-alive message. The sender sends a zero length message with a sequence number one less than the expected sequence number. The receiver sees this as an out-of-order packet and responds with an ack, which tells the sender that the TCP stack at the other end still thinks the connection is alive.

At 07:03 AM 8/11/2005, JamesHorwath@xxxxxxxx wrote:
I have a question regarding how tcp sequence numbers are calculated and/or
acknowledged.  I reviewed the RFC, Stevens, and other resources and what
I read does not jibe with what I see displayed or what happens in the real
world.  What I read is the acknowledgement number is one greater than the
sequence number.   This seems to only hold true if there are zero bytes of
data sent.  In example one I see the acknowledgement number 3322332584 for
the sequence number 3322332583:3322332583(0)

Example 1:
15:45:13.141102 IP (tos 0x0, ttl  60, id 22513, offset 0, flags [none],
length:60) 10.10.10.241.37679 > 10.10.10.145.22: S
3322332583:3322332583(0) win 65535 <mss 1460,nop,wscale
4,nop,nop,timestamp[|tcp]>
15:45:13.141468 IP (tos 0x0, ttl  60, id 63343, offset 0, flags [none],
length:60) 10.10.10.145.22 > 10.10.10.241.37679: S
3524895916:3524895916(0) ack 3322332584 win 17376 <mss 1460,nop,wscale
0,nop,nop,timestamp[|tcp]>

Now example two seems to blow the acknowledgement numbers as I read about
them.  The sequence numbers are 3322333792:3322334032, I would expect the
acknowledgement number to be 3322334033 not 3322334032.  Why is the ack
3322334032 and not 3322334033?  I have been pulling what's left of my hair
out. I have asked a Track 3 alumnus and the two network dudes and they were
equally perplexed as I was when I showed them this data.

Example 2:
15:45:14.356295 IP (tos 0x0, ttl  60, id 22570, offset 0, flags [none],
length:292) 10.10.10.241.37679 > 10.10.10.145.22: P
3322333792:3322334032(240) ack 354898565 win 32761 <nop,nop,timestamp
1125902767 1122933152>
15:45:14.359383 IP (tos 0x0, ttl  60, id 63509, offset 0, flags [none],
length:244) 10.10.10.145.22 > 10.10.10.241.37679: P
3524898565:3524898757(192) ack 3322334032 win 17376 <nop,nop,timestamp
1122933152 1125902767>

I would really appreciate if somebody could explain this to me.  This has
been eating away at me and I am assuming it is something very simple.

Regards,
Jim
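
Added example (not part of the original thread and not Ethereal code): the ack arithmetic from the reply, applied in Python to the first segment of each dump above. The function names are illustrative; the two sample lines are the page's tcpdump lines trimmed to the TCP part with the wrapped lines joined, and the wrap-around values are constructed.

```python
import re

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Old-style tcpdump TCP summary: "<flags> first:last(len)", e.g. "P 100:340(240)"
SEG_RE = re.compile(r"\s([SFPRWE.]+)\s+(\d+):(\d+)\((\d+)\)")


def next_expected(seq, payload_len, syn=False, fin=False):
    """Ack number the peer sends once this segment has been received.

    Every payload byte takes one sequence number. SYN and FIN each take
    one as well, although they carry no data (the "pseudo" byte).
    """
    return (seq + payload_len + int(syn) + int(fin)) % MOD


def expected_ack_from_tcpdump(line):
    """Parse one tcpdump summary line and return the ack it should draw."""
    m = SEG_RE.search(line)
    if m is None:
        raise ValueError("no 'flags first:last(len)' field found")
    flags = m.group(1)
    first, last, length = (int(m.group(i)) for i in (2, 3, 4))
    # tcpdump prints last = first + len; the SYN/FIN byte is not included
    if (first + length) % MOD != last:
        raise ValueError("inconsistent sequence range")
    return next_expected(first, length, syn="S" in flags, fin="F" in flags)


# First segment of each example on this page (trimmed, wrapped lines joined)
EXAMPLE_1 = ("10.10.10.241.37679 > 10.10.10.145.22: "
             "S 3322332583:3322332583(0) win 65535")
EXAMPLE_2 = ("10.10.10.241.37679 > 10.10.10.145.22: "
             "P 3322333792:3322334032(240) ack 354898565 win 32761")

if __name__ == "__main__":
    for name, line in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, "-> expected ack", expected_ack_from_tcpdump(line))
    # Constructed case: 240 bytes starting just below 2**32 wrap around
    print("wrap -> expected ack", next_expected(4294967200, 240))
```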