jNetPcap acknowledgement value

Question

im trying to retrieve the ack from the tcp like the one wireshark returns. In wireshark it returns an ack of 1 or 647. But when i'm trying to get the ack from the packet it returns a long number that is nothing similar to the ack wireshark returns.

I get these acks:

1918004163 3350411129 3083820792 1730247758 3668869711 4218577993

This is my code:

 if (packet.hasHeader(tcp) && packet.hasHeader(ip)) {
                        long tcpack = packet.getHeader(tcp).ack();

                        String name = packet.getHeader(tcp).getName();
                        int urgent = packet.getHeader(tcp).urgent();
                        int windowScaled = packet.getHeader(tcp).windowScaled();
                        int window = packet.getHeader(tcp).window();
                        int wirelen = packet.getCaptureHeader().wirelen();
                        // System.out.println("WireLen: "+wirelen);
                        int caplen = packet.getCaptureHeader().caplen();
                        // System.out.println("caplen: "+caplen);
                        String ipTypeString = ip.typeEnum().toString();
                        // System.out.println("IP Type: "+ipTypeString);
                        String ipDescription = ip.getDescription();
                        // System.out.println("IP Description: "+ipDescription);
                        byte[] dIP = packet.getHeader(ip).destination();
                        byte[] sIP = packet.getHeader(ip).source();
                        String sourceIP = FormatUtils.ip(sIP);
                        // System.out.println("Source IP: "+sourceIP);
                        String destinationIP = FormatUtils.ip(dIP);
                        // System.out.println("Destination IP: "+destinationIP);
                        int tcpPORTSource = tcp.source();
                        // System.out.println("TCP PORT Source:
                        // "+tcpPORTSource);
                        int tcpPORTDestination = tcp.destination();
                        // System.out.println("TCP PORT Destination:
                        // "+tcpPORTDestination);
                        if (sourceIP.equals("someip") && tcpPORTSource == 0000 && ipTypeString.equals("TCP")
                                && wirelen == 1514) {
//                          System.out.println("TCP ack: "+tcpack+" name: "+name+ " urgent: "+urgent + " window scaled: "+windowScaled+ " window: "+window);
                        }

How do i retrieve the same ack value as wireshark?

score 0 · Answer 1 · answered Nov 18 '16 at 05:45

0

You can't. The numbers you are seeing in wireshark is those in No. column, right? They are assigned by wireshark and not info that is available in packets.

answered Nov 18 '16 at 05:45

kaitoy

1,545
9
16

score 0 · Answer 2 · answered Nov 18 '16 at 18:06

Wireshark by default, shows relative sequence numbers for TCP packets. (I.e., sequence numbers relative to the actual sequence number used at the start of the TCP connection). This makes it easier to view/use the sequence numbers.

There's a preference under the TCP protocol in Wireshark to show TCP absolute sequence numbers (those actually used in the TCP packets).

Once you configure Wirehark to show absolute TCP sequence numbers, I expect they'll match the values you are getting with your code.

Exercise for the reader: why doesn't each TCP connection start with actual sequence number 1 ? :) :)

jNetPcap acknowledgement value

2 Answers2