Tcpdump and windump (which are really the same program, but running on different platforms) keep a table in memory of TCP connections, and subtract out some starting sequence number from their display for each TCP packet that they see. If a SYN packet is seen for the TCP connection, then of course the sequence number being subtracted out is the ISN (initial sequence number) used in the SYN packet. If not (if the TCP connection was already active when windump / tcpdump started), then I suspect it subtracts out the first sequence number that it sees for that TCP connection. Therefore, if you start windump and tcpdump on two different machines at two different times, I would guess it would show some disparity between the sequence numbers depending on exactly which packet each dump program saw first.
To see if both machines are really seeing the same packets, use the "-S" option on the windump / tcpdump command line. This will give you absolute sequence numbers rather than relative. See: http://windump.polito.it/docs/manual.htm

--David

-----Original Message-----
From: Celine Danelon [mailto:cdanelon@;laas.fr]
Sent: Friday, November 15, 2002 2:17 AM
To: [EMAIL PROTECTED]
Subject: [WinPcap-users] problem with sequence number using windump and tcpdump

When I launch an instance of windump and tcpdump at the same time I capture the same packets but the sequence numbers are different. Why? Is it linked with the little endian and big endian differences? If so, how does it work? I give you an example:

src > dst : . ack 10223 (using windump)
src > dst : . ack 28254 (using tcpdump)

If anybody could help me to understand, thanks.

Céline

=================================================================
This is the WinPcap users list. It is archived at
http://www.mail-archive.com/winpcap-users@;winpcap.polito.it/
To unsubscribe use mailto: [EMAIL PROTECTED]?body=unsubscribe
=================================================================
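The following Python is an added example, not code from the thread above and not tcpdump's or WinPcap's own source. It models the relative-numbering behaviour David describes (a per-connection table whose base is the ISN when a SYN was captured, otherwise the first sequence number seen) and feeds the same constructed TCP exchange to two "captures" that start at different packets, reproducing the disparity Celine saw. The detail that the founding packet is printed with absolute numbers and that the peer's base is taken as ack-1 follows tcpdump's print-tcp.c as the editor recalls it, and is an assumption of this model; the host addresses, ports and sequence values are constructed test data.

```python
"""Model of tcpdump/windump relative TCP sequence numbering.

Added example, not code from tcpdump or WinPcap.  The printer keeps a
table keyed on the connection; the first packet of a connection it sees
(or any SYN) establishes the bases and is printed with absolute numbers,
and later packets are printed relative to those bases.  -S (absolute=True)
disables the subtraction entirely.
"""
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF  # TCP sequence space is 32 bits, so arithmetic wraps


@dataclass(frozen=True)
class Segment:
    src: str          # "host:port"
    dst: str
    seq: int
    ack: int
    syn: bool = False


def _key(seg):
    """Direction-independent connection key plus a 'reversed' flag."""
    if seg.src < seg.dst:
        return (seg.src, seg.dst), False
    return (seg.dst, seg.src), True


def render(segments, absolute=False):
    """Return [(seq, ack)] per segment as the tool would print them.

    absolute=True models the -S option: raw values, no table at all.
    """
    table = {}  # key -> [base seq of forward side, base seq of reverse side]
    out = []
    for seg in segments:
        if absolute:
            out.append((seg.seq, seg.ack))
            continue
        key, rev = _key(seg)
        if key not in table or seg.syn:
            # New (to this capture) connection, or a SYN: (re)establish the
            # bases.  This side's base is this seq (the ISN if it is a SYN);
            # the peer's base is ack-1 (assumption: tcpdump's convention, so
            # the peer's next seq prints as 1).  Founding packet prints raw.
            if rev:
                table[key] = [(seg.ack - 1) & MASK32, seg.seq]
            else:
                table[key] = [seg.seq, (seg.ack - 1) & MASK32]
            out.append((seg.seq, seg.ack))
            continue
        fwd_base, rev_base = table[key]
        mine, peer = (rev_base, fwd_base) if rev else (fwd_base, rev_base)
        out.append(((seg.seq - mine) & MASK32, (seg.ack - peer) & MASK32))
    return out


# Constructed exchange: handshake, 100 bytes client->server, 200 bytes back.
C, S = "10.0.0.1:40000", "10.0.0.2:80"
STREAM = [
    Segment(C, S, seq=1000000, ack=0, syn=True),          # SYN, client ISN
    Segment(S, C, seq=5000000, ack=1000001, syn=True),    # SYN-ACK, server ISN
    Segment(C, S, seq=1000001, ack=5000001),              # ACK
    Segment(C, S, seq=1000001, ack=5000001),              # 100 bytes of data
    Segment(S, C, seq=5000001, ack=1000101),              # ACK of the data
    Segment(S, C, seq=5000001, ack=1000101),              # 200 bytes back
    Segment(C, S, seq=1000101, ack=5000201),              # ACK of those
]


def compare_captures(stream, late_start):
    """Render the same stream as seen by a capture started at packet 0 and
    one started at packet index `late_start`, both with and without -S."""
    return {
        "early_relative": render(stream),
        "late_relative": render(stream[late_start:]),
        "early_absolute": render(stream, absolute=True)[late_start:],
        "late_absolute": render(stream[late_start:], absolute=True),
    }


if __name__ == "__main__":
    for name, rows in compare_captures(STREAM, 4).items():
        print(name, rows)
```

Run it and the last packet of the stream prints as `ack 201` in the capture that saw the handshake but `ack 200` in the capture that started at the server's first ACK, because that later capture adopted a different founding packet as its base; the two absolute (`-S`) renderings are identical, which is the check David recommends.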
