SANS ISC: Wireshark - To analyze "TCP sequence numbers" or not to analyze. SANS ISC InfoSec Forums

I've been troubleshooting something I've been seeing for a few months. A Wireshark capture I've been analyzing has some TCP out of order, Dup ACKs, and previous segment not captured. The application works fine, but I'm not sure why I get these errors. When I place the client and server on the same segment and right next to each other, I still get the same errors. I was told to uncheck the "Analyze TCP sequence numbers" option, and then all the errors disappeared from the pcap file. They informed me that Wireshark has its own way of looking at the sequence numbers instead of using the raw sequence numbers from the pcap. If I look at every Wireshark capture file and have this option unchecked, will Wireshark disregard any errors it might potentially see? Does Wireshark have any issues analyzing a pcap with its own sequence numbers? Any input is greatly appreciated.

Anonymous