Why don't TCP_Relative_Sequence_Numbers start at 0?
I used Wireshark to capture a TCP packet. I found that my "relative sequence number" always equals "Sequence Number (raw)". Why doesn't it start at 0?
Transmission Control Protocol, Src Port: 63620, Dst Port: 443, Seq: 1052312681
    Sequence Number: 1052312681    (relative sequence number)
    Sequence Number (raw): 1052312681
    Acknowledgment Number: 0
    Acknowledgment number (raw): 0
    1011 .... = Header Length: 44 bytes (11)
    Flags: 0x002 (SYN)
I added the wireshark -v output.
Wireshark 4.0.4 (v4.0.4-0-gea14d468d9ca).
Copyright 1998-2023 Gerald Combs [email protected] and contributors. Licensed under the terms of the GNU General Public License (version 2 or later). This is free software; see the file named COPYING in the distribution. There is NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Clang 13.0.0 (clang-1300.0.29.30), with GLib 2.68.4, with PCRE2, with zlib 1.2.11, with Qt 6.2.4, with libpcap, without POSIX capabilities, with Lua 5.2.4, with GnuTLS 3.6.15 and PKCS #11 support, with Gcrypt 1.8.7, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.9, with libsmi 0.4.8, with QtMultimedia, with automatic updates using Sparkle, with SpeexDSP (using system library), with Minizip, with binary plugins.
Running on macOS 13.2.1, build 22D68 (Darwin 22.3.0), with Apple M1, with 16384 MB of physical memory, with GLib 2.68.4, with PCRE2 10.39 2021-10-29, with zlib 1.2.11, with Qt 6.2.4, with libpcap 1.10.1, with c-ares 1.15.0, with GnuTLS 3.6.15, with Gcrypt 1.8.7, with nghttp2 1.46.0, with brotli 1.0.9, with LZ4 1.9.2, with Zstandard 1.4.2, with libsmi 0.4.8, with LC_TYPE=C, binary plugins supported.
Can you add the output of wireshark -v or Help->About Wireshark:Wireshark to the question.

This can be recreated with The Ultimate PCAP v20221220 and a display filter of tcp.seq == tcp.seq_raw. In that case, the TCP header being decoded is part of an ICMP response packet.

(The CloudFlare gods are out to get me today. Sorry for the multiple comment attempts.)
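
The case described in the comment above, a TCP header decoded from inside an ICMP response, as an added example that is not part of the original thread: an ICMPv4 error message quotes the IP header and at least the first 8 bytes of the datagram that triggered it, so the quoted TCP header carries the ports and the raw sequence number and nothing else of the stream. The packet below is constructed; the ports and sequence number reuse the values from the question purely as sample data, and the addresses are documentation-range placeholders.

```python
import struct

# ICMPv4 types that quote the offending datagram (unreachable, source quench,
# redirect, time exceeded, parameter problem).
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def _inner_ipv4(buf, expected_proto):
    """Return the payload of an IPv4 packet if it carries expected_proto, else None."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl or buf[9] != expected_proto:
        return None
    return buf[ihl:]

def quoted_tcp_from_icmp_error(ip_packet):
    """Return (src_port, dst_port, raw_seq) of the TCP header quoted inside an
    ICMPv4 error, or None if the packet is not an ICMP error quoting TCP."""
    icmp = _inner_ipv4(ip_packet, 1)            # protocol 1 = ICMP
    if icmp is None or len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    tcp = _inner_ipv4(icmp[8:], 6)              # quoted datagram, protocol 6 = TCP
    if tcp is None or len(tcp) < 8:
        return None
    # Only 8 bytes are guaranteed to be quoted: ports plus the sequence number.
    return struct.unpack("!HHI", tcp[:8])

def _ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet (constructed sample, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

# Constructed sample: a SYN from CLIENT to SERVER is rejected by ROUTER with
# "host unreachable" (type 3, code 1), which quotes the start of the SYN.
CLIENT, SERVER, ROUTER = (192, 0, 2, 10), (198, 51, 100, 7), (203, 0, 113, 1)
QUOTED_TCP = struct.pack("!HHI", 63620, 443, 1052312681)
ORIGINAL = _ipv4(6, CLIENT, SERVER, QUOTED_TCP)
ICMP_ERROR = struct.pack("!BBHI", 3, 1, 0, 0) + ORIGINAL
ICMP_ECHO = struct.pack("!BBHI", 8, 0, 0, 0) + b"ping"
SAMPLE = _ipv4(1, ROUTER, CLIENT, ICMP_ERROR)

if __name__ == "__main__":
    print(quoted_tcp_from_icmp_error(SAMPLE))
```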