Understanding TCP Sequence Number with Examples

Updated: 17 hours ago

TCP Sequence Number is a 4-byte field in the TCP header that indicates the first byte of the outgoing segment. The Sequence Number field is always set, even when there is no data in the segment.





Purpose of TCP Sequence Number

TCP is a byte-oriented sequencing protocol. Thus, a Sequence Number field is necessary to ensure that missing or misordered packets can be detected and fixed.


If data is lost or arrives at the destination out of order, the TCP module is capable of retransmitting or resequencing the data to restore the original order based on the sequence number.




Tip of TCP Sequence Number

TCP supports full-duplex operation, so both client and server will decide on their initial sequence numbers for the connection, even though data may only flow in one direction for that specific connection. We will demonstrate this further with an example.


Check TCP Sequence Number with Tcpdump

By default, tcpdump shows packets with relative sequence numbers. We can use the -S option to get the real sequence numbers.

Command:

tcpdump -i any -S port 22

Output:



16:05:41.536831 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [S], seq 3739218596, win 65535, options [mss 1350,nop,wscale 6,nop,nop,TS val 968973822 ecr 0,sackOK,eol], length 0

16:05:41.711584 IP 10.252.8.111.ssh > 10.79.97.15.61401: Flags [S.], seq 1322804771, ack 3739218597, win 28960, options [mss 1260,sackOK,TS val 803272772 ecr 968973822,nop,wscale 7], length 0

16:05:41.711656 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [.], ack 1322804772, win 2067, options [nop,nop,TS val 968973997 ecr 803272772], length 0

16:05:41.715127 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [P.], seq 3739218597:3739218618, ack 1322804772, win 2067, options [nop,nop,TS val 968974000 ecr 803272772], length 21

16:05:41.890437 IP 10.252.8.111.ssh > 10.79.97.15.61401: Flags [.], ack 3739218618, win 227, options [nop,nop,TS val 803272951 ecr 968974000], length 0

16:05:41.894555 IP 10.252.8.111.ssh > 10.79.97.15.61401: Flags [P.], seq 1322804772:1322804793, ack 3739218618, win 227, options [nop,nop,TS val 803272956 ecr 968974000], length 21

16:05:41.894610 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [.], ack 1322804793, win 2066, options [nop,nop,TS val 968974178 ecr 803272956], length 0

16:05:41.905007 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [.], seq 3739218618:3739219866, ack 1322804793, win 2066, options [nop,nop,TS val 968974188 ecr 803272956], length 1248

16:05:41.905015 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [P.], seq 3739219866:3739220010, ack 1322804793, win 2066, options [nop,nop,TS val 968974188 ecr 803272956], length 144

16:05:42.071542 IP 10.252.8.111.ssh > 10.79.97.15.61401: Flags [P.], seq 1322804793:1322805553, ack 3739218618, win 227, options [nop,nop,TS val 803273130 ecr 968974178], length 760

16:05:42.071612 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [.], ack 1322805553, win 2054, options [nop,nop,TS val 968974354 ecr 803273130], length 0



Example of TCP Sequence Number

From the above packets, we can see the sequence numbers for the source:

3739218596 3739218597 3739218618 3739219866

and the sequence numbers for the destination:

1322804771 1322804772 1322804793

There are 3739219866-3739218596=1270 bytes of data transferred from source to destination and 1322804793-1322804771=22 bytes of data transferred from destination to source.


The following packet has 21 bytes of data (3739218597->3739218618). The sequence number is the number of the first byte, which is 3739218597.

16:05:41.715127 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [P.], seq 3739218597:3739218618, ack 1322804772, win 2067, options [nop,nop,TS val 968974000 ecr 803272772], length 21



TCP Sequence Number for Ack segment

As we said at the beginning, every segment has a sequence number. But in the above examples, we can see that some packets are printed without a sequence number. That is because they are ACK segments.


Note that an ACK segment does not consume any sequence numbers if it does not carry data.
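The rules described above (a SYN consumes one sequence number, data consumes one per byte, a bare ACK consumes none) can be checked mechanically over tcpdump -S output to spot missing or repeated segments. This is an added example, not code from the original article; the function name check_sequence is hypothetical, and the sample lines are constructed from the capture above with the TCP options trimmed, one segment repeated and one left out.

```python
import re

# Constructed sample: lines trimmed from the capture above (TCP options removed),
# with one data segment repeated and one left out to trigger both findings.
SAMPLE = """\
16:05:41.536831 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [S], seq 3739218596, win 65535, length 0
16:05:41.711584 IP 10.252.8.111.ssh > 10.79.97.15.61401: Flags [S.], seq 1322804771, ack 3739218597, win 28960, length 0
16:05:41.711656 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [.], ack 1322804772, win 2067, length 0
16:05:41.715127 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [P.], seq 3739218597:3739218618, ack 1322804772, win 2067, length 21
16:05:41.894555 IP 10.252.8.111.ssh > 10.79.97.15.61401: Flags [P.], seq 1322804772:1322804793, ack 3739218618, win 227, length 21
16:05:41.900000 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [P.], seq 3739218597:3739218618, ack 1322804793, win 2067, length 21
16:05:41.905015 IP 10.79.97.15.61401 > 10.252.8.111.ssh: Flags [P.], seq 3739219866:3739220010, ack 1322804793, win 2066, length 144
"""

# One tcpdump line: src > dst, flags, optional absolute seq (needs -S), payload length.
LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\](?:, seq (\d+)(?::\d+)?)?.*length (\d+)")
HALF = 1 << 31  # sequence numbers are 32-bit and compared modulo 2**32

def check_sequence(text):
    """Return (next_seq, findings) for each direction seen in tcpdump -S output."""
    next_seq, findings = {}, []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m or m.group(4) is None:
            continue  # bare ACK: no seq printed, no sequence number consumed
        src, dst, flags, start, length = m.groups()
        flow, start = (src, dst), int(start)
        # SYN and FIN each consume one sequence number; data consumes one per byte.
        end = (start + int(length) + ("S" in flags) + ("F" in flags)) % 2**32
        expected = next_seq.get(flow, start)
        ahead = (start - expected) % 2**32
        if 0 < ahead < HALF:
            findings.append((src, "gap", ahead))            # bytes never seen
        elif ahead >= HALF:
            findings.append((src, "retransmit_or_reorder", 2**32 - ahead))
        if (end - expected) % 2**32 < HALF:
            next_seq[flow] = end                             # advance, never move back
    return next_seq, findings

if __name__ == "__main__":
    for finding in check_sequence(SAMPLE)[1]:
        print(finding)
```

The reported gap of 1248 bytes corresponds to the segment 3739218618:3739219866 from the capture, which the constructed sample leaves out.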


