How can I get the actual TCP sequence number in Wireshark?

Solution 1

As per the official Wireshark wiki page:

By default Wireshark and TShark will keep track of all TCP sessions and convert all Sequence Numbers (SEQ numbers) and Acknowledge Numbers (ACK Numbers) into relative numbers. This means that instead of displaying the real/absolute SEQ and ACK numbers in the display, Wireshark will display a SEQ and ACK number relative to the first seen segment for that conversation.

But as explained on that same page, this can be adjusted as follows:

To disable relative sequence numbers and instead display them as the real absolute numbers, go to the TCP preferences and untick the box for relative sequence numbers.

Solution 2

If you require specific directions on where exactly to find the option in Wireshark, like I did, you can can find them at:

Edit > Preferences > Protocols > TCP

Uncheck the option: "Relative sequence numbers"

NB: I'm using Wireshark 2 and haven't checked if it's the same on other versions of Wireshark. (Chances are that it should be in the same place).

Related videos on Youtube

14 : 28

TCP Sequence and Acknowledgment Numbers

Derpy Networking

113

06 : 25

How TCP Works - Sequence Numbers

Chris Greer

89

16 : 35

How to Do TCP Sequence Number Analysis

PacketBomb

43

02 : 05

How can I get the actual TCP sequence number in Wireshark? (2 Solutions!!)

Roel Van de Paar

15

16 : 40

How TCP Sequence Numbers Work - TCP Deep Dive // Hands-On Case Study

Chris Greer

13

Author by

user2018084

Updated on September 18, 2022