Meaning of "sequence number (raw)" in Wireshark

When I capture the first SYN packet, I am confused by the meaning of "Sequence number (raw)" in Wireshark. What is the difference between "Sequence number (relative)" and "Sequence number (raw)"?

[Screenshot of the Wireshark packet details pane]

The raw sequence number is the actual value carried in the packet.

Wireshark groups TCP sessions and assigns them relative sequence (and acknowledgement) numbers starting from 0 (and which appear to increase by 1 for each subsequent packet) so that the user can identify the order of events.

According to the corresponding wiki page:

By default Wireshark and TShark will keep track of all TCP sessions and convert all Sequence Numbers (SEQ numbers) and Acknowledge Numbers (ACK Numbers) into relative numbers. This means that instead of displaying the real/absolute SEQ and ACK numbers in the display, Wireshark will display a SEQ and ACK number relative to the first seen segment for that conversation.

That wiki page also contains instructions on how to enable/disable this feature.

To reach that wiki page, you can follow either of these paths:

  1. Wireshark home wiki page -> Use Wireshark / TShark -> Preferences -> Protocols -> TCP -> TCP_Relative_Sequence_Numbers.
  2. Wireshark home wiki page -> References -> PortReference: TCP -> Transmission Control Protocol -> Preference Settings -> TCP_Relative_Sequence_Numbers and TCP Window Scaling.

See also:

  1. How can I get the actual TCP sequence number in Wireshark?
  2. TCP: How are the seq / ack numbers generated? (which led me to TCP's RFC 793, page 27).
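The conversion the answer describes, as an added example that is not part of the original post and not Wireshark's own code: each direction of a conversation gets its own base (the raw sequence number of the first segment seen in that direction, which is the ISN when the capture starts with the SYN), a segment's SEQ is shown relative to its sender's base, and its ACK is shown relative to the peer's base. The arithmetic is done modulo 2^32 because raw sequence numbers wrap around. The five-segment handshake and data exchange at the bottom is constructed for the example; the endpoint addresses and ISNs are made up, and the client ISN is chosen close to 2^32 so that the wraparound case is exercised.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass(frozen=True)
class Segment:
    """One TCP segment as it appears on the wire (constructed sample data)."""
    src: str       # sender "ip:port"
    dst: str       # receiver "ip:port"
    seq_raw: int   # absolute sequence number from the TCP header
    ack_raw: int   # absolute acknowledgement number from the TCP header
    flags: str     # subset of "S" (SYN), "A" (ACK), "P" (PSH), "F" (FIN)


def relative_numbers(segments: List[Segment]) -> List[Tuple[int, Optional[int]]]:
    """Convert raw SEQ/ACK numbers to relative ones, per direction.

    Mirrors Wireshark's default behaviour: the first segment seen in a
    direction defines that direction's base.  SEQ is relative to the
    sender's base, ACK to the peer's base.  ack_rel is None when the
    segment carries no ACK flag or the peer's base is not yet known.
    """
    base = {}   # sender address -> raw sequence number of its first segment
    out = []
    for s in segments:
        base.setdefault(s.src, s.seq_raw)
        seq_rel = (s.seq_raw - base[s.src]) % MOD
        if "A" in s.flags and s.dst in base:
            ack_rel = (s.ack_raw - base[s.dst]) % MOD
        else:
            ack_rel = None
        out.append((seq_rel, ack_rel))
    return out


def sample_conversation() -> List[Segment]:
    """Constructed capture: handshake, 100 bytes of client data, server ACK.

    The client ISN sits 96 below 2^32, so its sequence space wraps while
    the 100-byte payload is in flight.
    """
    c, s = "10.0.0.1:40000", "10.0.0.2:443"   # made-up endpoints
    client_isn = 4294967200                    # made-up, near the wrap point
    server_isn = 123456789                     # made-up
    return [
        Segment(c, s, client_isn, 0, "S"),                      # SYN
        Segment(s, c, server_isn, client_isn + 1, "SA"),        # SYN-ACK
        Segment(c, s, client_isn + 1, server_isn + 1, "A"),     # ACK
        Segment(c, s, client_isn + 1, server_isn + 1, "PA"),    # 100 bytes of data
        # server acknowledges client_isn + 1 + 100, which wraps to 5
        Segment(s, c, server_isn + 1, (client_isn + 101) % MOD, "A"),
    ]


if __name__ == "__main__":
    for seg, (seq_rel, ack_rel) in zip(sample_conversation(), relative_numbers(sample_conversation())):
        print(f"{seg.flags:<3} seq_raw={seg.seq_raw:<11} ack_raw={seg.ack_raw:<11} "
              f"seq_rel={seq_rel} ack_rel={ack_rel}")
```

Note that the last segment's raw ACK is 5, which looks like an unrelated value until it is taken relative to the client's base, where it becomes the expected 101 (ISN+1 plus 100 bytes). That is the readability gain the relative display is for; when you need the on-wire values (for example to correlate with another capture, a firewall log, or an IDS alert), switch the display back with the TCP preference "Relative sequence numbers" (tcp.relative_sequence_numbers in the preferences file, settable in tshark with `-o tcp.relative_sequence_numbers:FALSE`) or read the "(raw)" fields, which are always the absolute numbers.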