Using scapy to send a TCP handshake, but in Wireshark the seq number is wrong?
For example, there are two hosts A and B with IP addresses 192.168.10.132 and 192.168.10.138. Host A sends a TCP packet with seq=1, B replies with a packet with ack=1 and seq=2, and so on.
The code is as follows:
from scapy.all import IP, TCP, send  # import needed for the two lines below to run
send(IP(dst='192.168.10.138', src='192.168.10.132')/TCP(sport=54321, dport=32145, seq=1, flags='S'))  # Host A: SYN, seq=1
send(IP(dst='192.168.10.132', src='192.168.10.138')/TCP(sport=32145, dport=54321, seq=2, ack=1, flags='SA'))  # Host B: SYN-ACK, seq=2, ack=1
But in Wireshark, the first captured packet shows seq=0?
Why does this happen? Or is there something wrong with my code?
This is actually a feature, as described on Wireshark's wiki page:
By default Wireshark and TShark will keep track of all TCP sessions and convert all Sequence Numbers (SEQ numbers) and Acknowledge Numbers (ACK numbers) into relative numbers. This means that instead of displaying the real/absolute SEQ and ACK numbers in the display, Wireshark will display a SEQ and ACK number relative to the first seen segment for that conversation.
This means that all SEQ and ACK numbers always start at 0 for the first packet seen in each conversation.
This makes the numbers much smaller and easier to read and compare than the real numbers which normally are initialized to randomly selected numbers in the range 0 - (2^32)-1 during the SYN phase.
If you are interested in the actual value of a packet's SEQ number field, you can select the field in the Packet Details pane and read its raw value in the Packet Bytes pane.
Alternatively, the wiki describes how to disable the feature entirely:
Using relative sequence numbers is a usability enhancement, making the numbers easier to read and compare. In order to compare a dissection with data from a less advanced analyzer that can not handle relative sequence numbers it might be required to temporarily disable this feature in Wireshark.
For Wireshark versions prior to 1.5: When the Relative Sequence Numbers preference is enabled Wireshark will also enable "Window Scaling".
For Wireshark 1.5 & newer: "Window Scaling" is a separate TCP preference enabled by default.
If "Window Scaling" is enabled, Wireshark will try to monitor the TCP Window Scaling option negotiated during the SYN phase and if such TCP Window Scaling has been detected, Wireshark will also scale the window field and translate it to the effective window size. This may affect what the dissected and reported window is and may make Wireshark decode packets differently, but more accurately, than other tools.
To disable relative sequence numbers and instead display them as the real absolute numbers, go to the TCP preferences and untick the box for relative sequence numbers.
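As an added illustration (not part of the question or the answer above), the following pure-Python model reproduces the relative numbering the wiki describes: the first SEQ seen in each direction of a conversation becomes that direction's base, and every SEQ/ACK is displayed as an offset from the relevant base, modulo 2^32. It is a simplified model of the behaviour, not Wireshark's dissector code; the function name relative_numbers and the plain-dict segment format are assumptions chosen so the example runs without scapy or a capture file.

```python
from typing import Dict, List, Optional, Tuple

MOD32 = 1 << 32  # the TCP sequence space wraps at 2^32


def relative_numbers(segments: List[Dict[str, object]]) -> List[Tuple[int, Optional[int]]]:
    """Return (rel_seq, rel_ack) for each segment; rel_ack is None when ACK is not set.

    Simplified model (assumption, not Wireshark's exact logic): the first SEQ seen in
    each direction is that direction's base; an ACK is shown relative to the base of
    the opposite direction. Subtraction is done modulo 2^32 so wrapped values stay sane.
    """
    base: Dict[Tuple[str, str], int] = {}
    result: List[Tuple[int, Optional[int]]] = []
    for s in segments:
        fwd = (s["src"], s["dst"])
        rev = (s["dst"], s["src"])
        base.setdefault(fwd, s["seq"])  # first segment in this direction defines the base
        rel_seq = (s["seq"] - base[fwd]) % MOD32
        rel_ack: Optional[int] = None
        if "A" in s["flags"]:
            # Reverse direction not seen yet: take this ACK value as its base, so it shows as 0.
            base.setdefault(rev, s["ack"])
            rel_ack = (s["ack"] - base[rev]) % MOD32
        result.append((rel_seq, rel_ack))
    return result


# Constructed sample 1: the two packets from the question (A=192.168.10.132, B=192.168.10.138).
QUESTION_SEGMENTS = [
    {"src": "192.168.10.132", "dst": "192.168.10.138", "seq": 1, "ack": 0, "flags": "S"},
    {"src": "192.168.10.138", "dst": "192.168.10.132", "seq": 2, "ack": 1, "flags": "SA"},
]

# Constructed sample 2: a full handshake plus 10 bytes of data, with A's ISN close to 2^32
# so that B's final ACK wraps around and must still display as a small relative number.
A, B = "10.0.0.1", "10.0.0.2"
WRAP_SEGMENTS = [
    {"src": A, "dst": B, "seq": 4294967290, "ack": 0, "flags": "S"},
    {"src": B, "dst": A, "seq": 1000000, "ack": 4294967291, "flags": "SA"},
    {"src": A, "dst": B, "seq": 4294967291, "ack": 1000001, "flags": "A"},
    {"src": A, "dst": B, "seq": 4294967291, "ack": 1000001, "flags": "PA"},  # carries 10 payload bytes
    {"src": B, "dst": A, "seq": 1000001, "ack": 5, "flags": "A"},            # 4294967291 + 10 wraps to 5
]

if __name__ == "__main__":
    print("question:", relative_numbers(QUESTION_SEGMENTS))  # [(0, None), (0, 0)]
    print("wrap:", relative_numbers(WRAP_SEGMENTS))          # last entry shows rel_ack 11
```

The same preference can be switched off on the command line with tshark's -o tcp.relative_sequence_numbers:FALSE, which makes the absolute values from the scapy script appear directly in the output.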