FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
adhawan
Staff
Article Id 230217
Description This article describes how to analyze TCP sequence numbers in Wireshark, and what the values shown under 'SEQ/ACK analysis' mean.
Scope FortiGate.
Solution

By default, Wireshark’s TCP dissector tracks the state of each TCP session and provides additional information when problems or potential problems are detected.

The analysis is done once for each TCP packet when a capture file is first opened.

Packets are processed in the order in which they appear in the packet list, so the analysis reflects capture order, not necessarily the order in which the endpoints sent the segments.

It is possible to enable or disable this feature via the 'Analyze TCP sequence numbers' TCP dissector preference (Edit > Preferences > Protocols > TCP; the preference name is tcp.analyze_sequence_numbers).

'TCP Analysis' packet detail items:

(Screenshot: adhawan_0-1668748434446.png)


TCP Analysis flags are added to the TCP protocol tree under 'SEQ/ACK analysis'. Each flag is described below.

Terms such as 'next expected sequence number' and 'next expected acknowledgment number' refer to the following:

Next expected sequence number:

The last-seen sequence number plus segment length. Set when there are no analysis flags and for zero window probes.

This is initially zero and calculated based on the previous packet in the same TCP flow, so it is kept per direction of the connection.

Note that this may not be the same as the tcp.nxtseq protocol field: tcp.nxtseq is a per-packet value (this segment's sequence number plus its length), whereas the next expected sequence number is flow state that retransmitted or out-of-order segments do not move. The two therefore typically differ on packets that receive analysis flags, for example a retransmission whose tcp.nxtseq is below the flow's next expected sequence number.

Next expected acknowledgment number:

The last-seen sequence number for segments. Set when there are no analysis flags and for zero window probes.

Last-seen acknowledgment number:

Always set and updated for each packet. Note that this is not the same as the next expected acknowledgment number.
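The rules above can be made concrete by replaying a few segments and recomputing the next expected sequence number per direction. The following Python script is an added example written for this article; it is a simplified model of the behaviour described, not Wireshark's own dissector code. Its hosts, ports and sequence numbers are constructed, and it emits only two of Wireshark's flag names (it does not reproduce the dissector's retransmission / fast-retransmission / out-of-order distinctions, zero-window-probe handling, or the acknowledgment-side values).

```python
"""Simplified per-direction tracker for the "next expected sequence number".

Added example for this article, not Wireshark's dissector code. It replays
segments in capture order, keeps one expected value per direction starting at
zero, and labels segments with two of Wireshark's analysis flag names.
All hosts, ports and sequence numbers below are constructed sample data.
"""
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF  # TCP sequence space is 32 bits and wraps around


@dataclass(frozen=True)
class Segment:
    src: str            # "ip:port" of the sender (label format chosen for this example)
    dst: str
    seq: int            # absolute sequence number
    ack: int
    length: int         # payload bytes
    syn: bool = False
    fin: bool = False


def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b in the 32-bit sequence space, so wrapped values compare correctly."""
    d = (a - b) & SEQ_MASK
    return d - (1 << 32) if d & 0x80000000 else d


def nxtseq(seg: Segment) -> int:
    """Per-packet tcp.nxtseq: seq plus payload length; SYN and FIN each consume one number."""
    return (seg.seq + seg.length + int(seg.syn) + int(seg.fin)) & SEQ_MASK


def analyze(segments):
    """Return (records, state): one record per segment and the final per-direction expected values."""
    expected = {}  # (src, dst) -> next expected sequence number; absent means "initially zero"
    records = []
    for index, seg in enumerate(segments, start=1):
        key = (seg.src, seg.dst)
        exp = expected.get(key, 0)
        consumes = seg.length + int(seg.syn) + int(seg.fin)
        flags = []
        if exp:  # only judge a segment once a previous packet has set the expectation
            gap = seq_diff(seg.seq, exp)
            if gap > 0:
                # Segment starts beyond what was expected: a hole, i.e. the
                # previous segment was not captured.
                flags.append("tcp.analysis.lost_segment")
            elif gap < 0 and consumes:
                # Segment covers sequence numbers already accounted for. Wireshark
                # further splits this into retransmission, fast/spurious
                # retransmission and out-of-order; this model does not.
                flags.append("tcp.analysis.retransmission")
        nxt = nxtseq(seg)
        # Keep the highest next-sequence seen so far. A retransmission's nxtseq
        # is lower, so it never moves the expectation backwards; a segment that
        # follows a hole moves it past the hole, which is why the late copy of
        # the missing segment is then flagged.
        if not exp or seq_diff(nxt, exp) > 0:
            expected[key] = nxt
        records.append({"index": index, "expected_before": exp, "nxtseq": nxt, "flags": flags})
    return records, expected


CLIENT, SERVER = "10.0.0.1:40000", "10.0.0.2:443"  # constructed endpoints
# Constructed flow: the client's ISN sits just below 2^32 so its data wraps the
# sequence space, then one segment is lost and a copy of it arrives later.
SAMPLE = [
    Segment(CLIENT, SERVER, seq=4294967200, ack=0, length=0, syn=True),      # 1 SYN
    Segment(SERVER, CLIENT, seq=1000, ack=4294967201, length=0, syn=True),   # 2 SYN/ACK
    Segment(CLIENT, SERVER, seq=4294967201, ack=1001, length=0),             # 3 ACK
    Segment(CLIENT, SERVER, seq=4294967201, ack=1001, length=100),           # 4 data, nxtseq wraps to 5
    Segment(CLIENT, SERVER, seq=5, ack=1001, length=100),                    # 5 data
    Segment(CLIENT, SERVER, seq=205, ack=1001, length=100),                  # 6 data, bytes 105-204 missing
    Segment(CLIENT, SERVER, seq=105, ack=1001, length=100),                  # 7 late copy of the hole
    Segment(SERVER, CLIENT, seq=1001, ack=305, length=0),                    # 8 ACK
]


if __name__ == "__main__":
    recs, state = analyze(SAMPLE)
    for r in recs:
        print(f"#{r['index']:<2} expected={r['expected_before']:<11} nxtseq={r['nxtseq']:<11} {' '.join(r['flags'])}")
    print("final next expected per direction:", state)
```

Running the script prints one line per segment; segment 6 is labelled tcp.analysis.lost_segment and the late copy in segment 7 tcp.analysis.retransmission, while segment 4 shows a tcp.nxtseq of 5 because the sequence space wrapped. On a real capture the corresponding fields can be pulled out with tshark, for example `tshark -r capture.pcap -T fields -e frame.number -e tcp.seq -e tcp.nxtseq -e tcp.ack -e tcp.analysis.flags`, and the analysis can be switched off for comparison with `-o tcp.analyze_sequence_numbers:FALSE`. Keep in mind that tshark and Wireshark show relative sequence numbers by default (tcp.relative_sequence_numbers), so values will start at 0 rather than at the raw ISN used in this sample.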

Contributors