I'm trying to understand how the sequence numbers of the TCP header are generated.
In some places I read that it is the "index of the first byte in the packet" (link here), on some other sites it is a random 32bit generated number that is then incremented.
I don't really know which is which, so here are some questions:
- How is the initial sequence number generated? (Please provide an RFC number if there is one)
- How is it incremented?
- How is the secret key generated?
I read some of the RFCs like RFC 6528, RFC 793, and RFC 1948 but I can't seem to understand which one is actually implemented.
I read about the "std" status but still...
Thank you in advance!
Each endpoint of a TCP connection establishes a starting sequence number for packets it sends, and sends this number in the SYN packet that it sends as part of establishing a connection.
There is no requirement for either end to follow a particular procedure in choosing the starting sequence number. The operating system is free to use any mechanism it likes, but generally it's best if it chooses a random number, as this is more secure.
From that starting point, each packet sent by either end contains two sequence numbers - one to specify where in the stream the packet is, and an ACK sequence number which signifies the number of bytes received. Both numbers are offset by the starting sequence number.
Read all about it in Wikipedia of course - look for "sequence number" in that page to get all the gory details.
In 4.4BSD (and most Berkeley-derived implementations) when the system is initialized the initial send sequence number is initialized to 1. This practice violates the Host Requirements RFC. (A comment in the code acknowledges that this is wrong.) This variable is then incremented by 64,000 every half-second, and will cycle back to 0 about every 9.5 hours. (This corresponds to a counter that is incremented every 8 microseconds, not every 4 microseconds.) Additionally, each time a connection is established, this variable is incremented by 64,000.
It's a random number between 0 and 4,294,967,295. But in wireshark tool you can see syn as 0 (because it uses relative display) however you can make it to show original seq number by doing Edit -> Preferences. and un-checking relative sequence numbers and window scaling under TCP protocol preferences. The next Sequence number would get increment based on the ACK number (a) that is received (becomes a + 1). ACK get increased based on the payload len (l) that it received (becomes l + 1). Note no data/payload is sent during SYN/FIN flag being active (does making the ACK increment by only one during SYN and FIN).
来源:https://stackoverflow.com/questions/10452855/tcp-sequence-number