6

I'm trying to capture packets and reorganize packets for obtaining original HTTP request.

I'm capturing packets by IPQUEUE(by iptables rule), and I figured out that packets are not captured in order.

I already know that in TCP protocol, packets have to be re-sequenced, so I'm trying to re-sequence packets by sequence number.

According to Wikipedia, the sequence number of TCP is 32 bits number. Then, what happens if sequence number reaches to MAX 32bits number?

Because sequence number of SYN packet is random number, I think this limitation can be reached very fast.

If anybody has a commend on it, or has some links helpful, please leave me a answer.

Wonjae Lee
  • 111
  • 1
  • 1
  • 8

4 Answers4

6

From RFC-1185 

  Avoiding reuse of sequence numbers within the same connection is
  simple in principle: enforce a segment lifetime shorter than the
  time it takes to cycle the sequence space, whose size is
  effectively 2**31.

  If the maximum effective bandwidth at which TCP
  is able to transmit over a particular path is B bytes per second,
  then the following constraint must be satisfied for error-free 
  operation:
      2**31 / B  > MSL (secs)

So In simpler words TCP will take care of it. In addition of this condition TCP also has concept of Timestamps to handle sequence number wrap around condition. From the same above RFC

  Timestamps carried from sender to receiver in TCP Echo options can
  also be used to prevent data corruption caused by sequence number
  wrap-around, as this section describes.

Specifically TCP uses PAWS mechanism to handle TCP wrap around case. You can find more information about PAWS in RFC-1323

a.m.
  • 2,083
  • 1
  • 16
  • 22
0

RFC793 Section 3.3:

It is essential to remember that the actual sequence number space is finite, though very large. This space ranges from 0 to 2*32 - 1. Since the space is finite, all arithmetic dealing with sequence numbers must be performed modulo 2*32. This unsigned arithmetic preserves the relationship of sequence numbers as they cycle from 2**32 - 1 to 0 again. There are some subtleties to computer modulo arithmetic, so great care should be taken in programming the comparison of such values.

Any arithmetics done on the sequence number are modulo 2^32

JosephH
  • 8,465
  • 4
  • 34
  • 62
0

In simple terms, the 32-bit unsigned number will wrap around:

...
0xFFFFFFFE
0xFFFFFFFF
0x00000000
0x00000001
...
Jonathon Reinhart
  • 132,704
  • 33
  • 254
  • 328
  • If the sequence number warp around, how can I differentiate right sequence packet and re-transmitted packet? – Wonjae Lee Jan 28 '13 at 05:45
  • For example, if head sequence number began from 0x00000000 and wrapped around, and finished 0x00000001, how can I know that the packet having 0x00000001 as a sequence number is not retransmission packet? – Wonjae Lee Jan 28 '13 at 05:47
  • 1
    It's not going to wrap around by 0xFFFFFFFF (4G) in one packet. – Jonathon Reinhart Jan 28 '13 at 05:49
  • If I upload 10Gb file on webhard, what happens to Packet Sequence number? If SYN packet sequence number was 0x00000000, and packet transmission goes on, eventually packet sequence number will be 0xFFFFFFFF, and wrapped around, and additional packet will have sequence number 0x00000000. This is my question. How can I determine second 0x00000000 packet is re-transmitted or not? – Wonjae Lee Jan 28 '13 at 06:23
  • Look at this in Wireshark, and you might understand. It's not going to happen like that. – Jonathon Reinhart Jan 28 '13 at 14:58
  • An explanation for that downvote might be helpful, no? – Jonathon Reinhart Mar 14 '14 at 05:14
  • @WonjaeLee The TCP window cannot advance until the receiver acknowledges receiving the data at the beginning of the window. The maximum TCP window size is a bit less than 1GiB. So there is no ambiguity in the end. – DepressedDaniel Dec 31 '16 at 04:00
  • To be clear - these comments are incorrect. Window size has no bearing on sequence number ambiguity; it's all about bandwidth, latency, and the MSL. On a big fat pipe it's entirely possible for a retransmission to be mistaken for a new packet with the same sequence number after the 32-bit number is wrapped around. PAWS uses the TCP timestamp to handle this situation, but without that you can absolutely expect to see it happen. – Nick Nov 13 '18 at 01:39
0

have a look at tcp timestamps section of https://en.wikipedia.org/wiki/Transmission_Control_Protocol

Hao Wang
  • 1
  • A link to a solution is welcome, but please ensure your answer is useful without it: [add context around the link](https://meta.stackexchange.com/a/8259) so your fellow users will have some idea what it is and why it is there, then quote the most relevant part of the page you are linking to in case the target page is unavailable. – cursorrux Jul 21 '22 at 13:32