Wireshark-TCP relative sequence numbers & TCP Window Scaling

TCP relative sequence numbers & TCP Window Scaling

 

By default Wireshark and tshark will keep track of all TCP sessions and convert all sequence numbers (SEQ numbers) and acknowledge numbers (ACK numbers) into relative numbers. this means that instead of displaying the real/absolute seq and ACK numbers in the display, Wireshark will display a seq and ACK number relative to the first seen segment for that conversation.

This means that all seq and ACK numbers always start at 0 for the first packet seen in each conversation.

This makes the numbers much smaller and easier to read and compare than the real numbers which normally are initialized to randomly selected numbers in the range 0-(2 ^ 32) -1 during the SYN phase.

This usability feature relies on features from tcp_analyze_sequence_numbers so in order to use this feature you must also enable tcp_analyze_sequence_numbers.

Using relative sequence numbers is a usability enhancement, making the numbers easier to read and compare. in order to compare a dissection with data from a less advanced analyzer that can not handle relative sequence numbers it might be required to temporarily disable this feature in Wireshark.

For Wireshark versions prior to 1.5: when the relative sequence numbers preference is enabled Wireshark will also enable "Window Scaling ".

For Wireshark 1.5 & newer: "Window Scaling" is a separate TCP preference enabled by default.

If "Window Scaling" is enabled, Wireshark will try to monitor the TCP Window Scaling option negotiated during the SYN phase and if such TCP Window Scaling has been detected, wireshark will also scale the window field and translate it to the valid window size. this may affect what the dissected and reported window is and may make Wireshark to decode packets differently, but more accurately, than other tools.

To disable relative sequence numbers and instead display them as the real absolute numbers, go to the TCP preferences and untick the box for relative sequence numbers.

 

Preference string

 

Relative sequence numbers and Window Scaling.