While observing network traffic in Wireshark, I see that Wireshark reassembles packets like:
[Reassembled TCP Segments (4233 bytes): #1279(2133), #1278(2100)]
Packet #1278: blahblah, Seq: 1538, Ack:3074, Len: 2133
Packet #1279: blahblah, Seq: 2998, Ack:3074, Len: 2100
(lengths are fictional values)
I'm looking to reassemble TCP packets that I receive through SharpPcap.
Does Wireshark use Ack to know what segments belong to each other?
What does the Seq value refer to?
If not, how does it reassemble them?
SEQ values are counted in bytes, so if you receive a 100 byte segment with SEQ == 5, you know the next segment in the sequence will have a SEQ == 105. The ACK indicates the next SEQ value that the sender expects to see from its peer. So the only reason you’re seeing the same ACK value in multiple packets is because only one side is transmitting. By keeping the ACK the same with each transmission, the host is basically saying it hasn’t received anything new.
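The byte-counting rule from the answer, written out as an added example (not part of the original thread, and not Wireshark's or SharpPcap's code): a reassembler that orders segments of one direction of one connection purely by SEQ, holding out-of-order segments and dropping retransmitted bytes. The class and method names are hypothetical, it is written in Python rather than C#, and `first_seq` is assumed to be the SEQ of the first data byte.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class StreamReassembler:
    """Rebuilds one direction of one TCP connection from (seq, payload) pairs."""

    def __init__(self, first_seq):
        self.next_seq = first_seq % MOD  # SEQ of the next byte still missing
        self.pending = {}                # segments not yet contiguous: seq -> payload
        self.data = bytearray()          # in-order bytes reassembled so far

    def _offset(self, seq):
        # Signed distance from next_seq to seq, valid across 32-bit wraparound.
        d = (seq - self.next_seq) % MOD
        return d - MOD if d >= MOD // 2 else d

    def add(self, seq, payload):
        """Feed one segment; return the bytes that became contiguous."""
        seq %= MOD
        # A retransmission reuses the same SEQ: keep the longer copy.
        # Empty payloads (pure ACKs) are never stored.
        if len(payload) > len(self.pending.get(seq, b"")):
            self.pending[seq] = payload
        start = len(self.data)
        while self.pending:
            seq0 = min(self.pending, key=self._offset)
            off = self._offset(seq0)
            if off > 0:
                break  # gap: the segment starting at next_seq has not arrived
            # off < 0 means the first -off bytes were already delivered.
            fresh = self.pending.pop(seq0)[-off:]
            self.data += fresh
            self.next_seq = (self.next_seq + len(fresh)) % MOD
        return bytes(self.data[start:])


def demo():
    # Constructed input using the answer's numbers: 100 bytes at SEQ 5,
    # so the following segment starts at SEQ 105. It arrives first here.
    r = StreamReassembler(first_seq=5)
    out = [r.add(105, b"B" * 50),   # held: bytes 5..104 are missing
           r.add(5, b"A" * 100),    # fills the gap, releases both segments
           r.add(105, b"B" * 50)]   # retransmission: nothing new
    return out, r.next_seq


if __name__ == "__main__":
    print(demo())
```

The ACK field plays no part in the ordering; only SEQ and the payload length do.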