A Quick Note About TCP Sequence Numbers
I’ve received a lot of feedback from my readers expressing their gratitude that my articles/videos are short and to the point. To those people who took the time to send their feedback, thank you.
One topic that I’ve been asked to cover lately is TCP sequence number analysis. There are many videos out there that are very good. I know, since I watched quite a few of them ;)
After watching 4 or 5 of these videos, I noticed that they weren’t geared towards analysts getting into this level of analysis for the first time and missed a few items that I would have added. So here you go.
In this video I briefly cover some of the TCP sequence number tips and tricks that I use in the field. The important part is to remember that by default Wireshark displays the relative sequence number, and it even says so in the detail (middle) pane. You can easily toggle this on and off by right-clicking on the TCP sequence number (or anywhere in the TCP header), selecting Protocol Preferences, and checking or unchecking Relative Sequence Numbers.
I also briefly mention that you can use the netstat -s command from the command prompt to track lost packets by looking at the TCP Segments Retransmitted counter.
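To make the relative-versus-absolute distinction concrete, here is an added example (not from the video or the original post) that parses minimal TCP headers, converts absolute sequence numbers to Wireshark-style relative ones, and flags retransmissions the way a simple analyst's script would. The segments, ISNs and port numbers are constructed sample data; `build_segment`, `analyse_direction` and the other names are this example's own, not anything from Wireshark. The ISN is deliberately placed just below 2^32 so the 32-bit wraparound is visible: the absolute numbers jump from 0xFFFFFFF1 to 3, while the relative numbers simply count up.

```python
import struct

SEQ_MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap around
FLAG_FIN, FLAG_SYN, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x08, 0x10


def build_segment(seq, ack, flags, payload=b"", sport=40000, dport=80):
    """Construct a TCP segment with a 20-byte header and no options.
    The checksum field is left as 0: this is constructed sample data, not a capture."""
    off_flags = (5 << 12) | flags          # data offset = 5 words = 20 bytes
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0)
    return header + payload


def parse_tcp_header(segment):
    """Parse the fixed part of a TCP header and report how many payload bytes follow it."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4    # header length in bytes (options included)
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "payload_len": len(segment) - data_offset}


def relative(absolute, isn):
    """Wireshark-style relative number: distance from the ISN, modulo 2^32."""
    return (absolute - isn) % SEQ_MOD


def analyse_direction(segments, peer_isn=None):
    """Walk the segments of one direction (e.g. client -> server) in capture order.
    The SYN supplies the ISN; later sequence numbers are reported relative to it.
    A data-carrying segment whose sequence number is below the next byte we expect
    is marked as a retransmission; one above it means we missed a segment.
    Relative numbers are compared as plain integers, so a single direction that
    itself sends more than 4 GiB (relative wrap) is not handled here."""
    isn = None
    next_expected = 0          # relative sequence number of the next new byte
    results = []
    for raw in segments:
        h = parse_tcp_header(raw)
        syn = bool(h["flags"] & FLAG_SYN)
        fin = bool(h["flags"] & FLAG_FIN)
        if isn is None:
            if not syn:
                raise ValueError("first segment must be the SYN; cannot derive the ISN")
            isn = h["seq"]
        rel_seq = relative(h["seq"], isn)
        seq_len = h["payload_len"] + syn + fin   # SYN and FIN each consume one sequence number
        rel_next = rel_seq + seq_len
        note = ""
        if seq_len > 0 and rel_seq < next_expected:
            note = "retransmission"
        elif rel_seq > next_expected:
            note = "gap (previous segment not seen)"
        next_expected = max(next_expected, rel_next)
        rel_ack = None
        if peer_isn is not None and h["flags"] & FLAG_ACK:
            rel_ack = relative(h["ack"], peer_isn)   # needs the other side's ISN
        results.append({"abs_seq": h["seq"], "rel_seq": rel_seq, "rel_next": rel_next,
                        "rel_ack": rel_ack, "note": note})
    return results


def count_retransmissions(results):
    """The per-capture counterpart of the host-wide 'TCP Segments Retransmitted' counter."""
    return sum(1 for r in results if r["note"] == "retransmission")


# Constructed sample conversation: the client ISN sits 16 below 2^32 so the
# absolute sequence number wraps inside the second segment.
CLIENT_ISN = 0xFFFFFFF0
SERVER_ISN = 0x10000000
SAMPLE = [
    build_segment(CLIENT_ISN, 0, FLAG_SYN),
    build_segment(CLIENT_ISN + 1, SERVER_ISN + 1, FLAG_ACK | FLAG_PSH, b"GET / HTTP/1.1\r\n\r\n"),
    build_segment((CLIENT_ISN + 19) % SEQ_MOD, SERVER_ISN + 1, FLAG_ACK, b"0123456789"),
    build_segment((CLIENT_ISN + 19) % SEQ_MOD, SERVER_ISN + 1, FLAG_ACK, b"0123456789"),  # resent
    build_segment((CLIENT_ISN + 29) % SEQ_MOD, SERVER_ISN + 1, FLAG_ACK, b"abcde"),
]

if __name__ == "__main__":
    rows = analyse_direction(SAMPLE, peer_isn=SERVER_ISN)
    for r in rows:
        print(f"abs={r['abs_seq']:#010x} rel={r['rel_seq']:>3} next={r['rel_next']:>3} "
              f"ack={r['rel_ack']} {r['note']}")
    print("retransmissions:", count_retransmissions(rows))
```

Running it shows why the relative view is easier on the eyes during analysis: absolute values go 0xFFFFFFF0, 0xFFFFFFF1, 0x00000003, ... while the relative column reads 0, 1, 19, 19, 29, and the repeated 19 is immediately recognisable as the resent segment. Wireshark's own retransmission detection is more elaborate than this single comparison, so treat the script as a learning aid for the sequence arithmetic rather than a replacement for the expert info.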
The point of the video is to provide a simple introduction so the whole process of TCP analysis becomes a bit more straightforward.