----- Original Message -----
From: "patrick"
Sent: Wednesday, April 14, 2004 5:04 PM
Subject: [Ethereal-dev] ethereal: TCP sequence number conversion
> Here's a problem I've come across and hopefully someone on this list can
help
> me out.
>
> Given an incoming TCP with the header having 0x7C1A32A0 for the sequence
> number. Somehow ethereal is converting that to 167, although of course
> 0x7C1A32A0 is much larger than 167. I don't see anything in the RFC on TCP
> (793) on such a conversion... is ethereal using some algorithm described
in
> another document?
Ethereal is indeed doing a conversion using an algorithm to convert all
sequence numbers into relative sequence numbers.
Relative to the first packet seen for each tcp session in the capture.
You can disable this behaviour in Edit:/Preferences/Protocols/TCP
relative sequence numbers.
The reason for doing this conversion is for human readability.
The sequence numbers themself lack any semantic meaning other than their
relative difference to other sequence and ack numbers in
the same session.
Thus making them smaller, relative to the first segment, preserves their
only semantic meaning (their relative value compared to other segments)
but makes them much easier to read by eyeballing the capture.
Example the difference between 6000 and 7500 is trivial to see.
The difference between 634900723 and 634901223 is also 1500 bytes but it
is much harder to see their relative difference
since the values are so large.
I would say that tools that do not by default make the sequence and ack
numbers relative are human unfriendly and broken.
but i am a bit biased. :-)