
TCP connexion and ack number


There is something I don't understand in the TCP protocol. If I do the following, just a simple TCP connection, captured with tcpdump:

22:29:20.185032 IP 172.10.10.11.43086 > 172.10.10.21.http: Flags [S], seq 2173271328, win 29200, options [mss 1460,sackOK,TS val 3615590 ecr 0,nop,wscale 7], length 0

22:29:20.185090 IP 172.10.10.21.http > 172.10.10.11.43086: Flags [S.], seq 3246536796, ack 2173271329, win 28960, options [mss 1460,sackOK,TS val 3598763 ecr 3615590,nop,wscale 6], length 0

22:29:20.186088 IP 172.10.10.11.43086 > 172.10.10.21.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 3615590 ecr 3598763], length 0

Why is the last ack at 1? Shouldn't it be at (3246536796+1)?


Solution

  • It actually is 3246536797. TCPDump supports the -S option to use absolute rather than relative numbers. You can verify this by using the -x or -X option to see the raw packet data.

    The default is to use relative numbers in the display so that it is easier to see how many bytes have transferred between the two nodes. In this configuration, after TCPDump has identified the two hosts and the sequence numbers, it begins showing only offsets rather than the absolute number in the header.
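The relative display described in the answer, as an added example that is not part of the original answer and is not tcpdump's code: it rebuilds the three handshake headers from the question, reads the absolute numbers off the raw bytes, and applies a simplified offset model. The helper names, keying connections by port pair only, and the third segment's sequence number (taken as ISN+1, since the capture does not print it) are assumptions.

```python
import struct

SYN, ACK = 0x02, 0x10
HDR = "!HHIIHHHH"  # sport, dport, seq, ack, offset+flags, window, checksum, urgent

def build_header(sport, dport, seq, ack, flags, window):
    """Pack a 20-byte TCP header (no options, checksum 0): constructed sample input."""
    return struct.pack(HDR, sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)

def parse_header(raw):
    """Return the absolute values exactly as they sit on the wire."""
    sport, dport, seq, ack, off_flags, _win, _csum, _urg = struct.unpack(HDR, raw[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF}

class RelativeView:
    """Simplified model of the default display: absolute on SYN, offsets after."""
    def __init__(self):
        self.isn = {}  # (sport, dport) -> initial sequence number of that sender

    def show(self, h):
        me, peer = (h["sport"], h["dport"]), (h["dport"], h["sport"])
        has_ack = bool(h["flags"] & ACK)
        if h["flags"] & SYN:
            self.isn[me] = h["seq"]
            return h["seq"], (h["ack"] if has_ack else None)
        # Fall back to base 0 (absolute numbers) if the SYN was not captured.
        seq = (h["seq"] - self.isn.get(me, 0)) & 0xFFFFFFFF
        ack = (h["ack"] - self.isn.get(peer, 0)) & 0xFFFFFFFF if has_ack else None
        return seq, ack

def replay_handshake():
    """Rebuild the question's three segments; return (wire ack, displayed ack)."""
    packets = [
        build_header(43086, 80, 2173271328, 0, SYN, 29200),
        build_header(80, 43086, 3246536796, 2173271329, SYN | ACK, 28960),
        # seq is not printed in the capture for this segment; ISN+1 is assumed.
        build_header(43086, 80, 2173271329, 3246536797, ACK, 229),
    ]
    view, out = RelativeView(), []
    for raw in packets:
        h = parse_header(raw)
        out.append((h["ack"], view.show(h)[1]))
    return out

if __name__ == "__main__":
    for absolute, shown in replay_handshake():
        print(f"on the wire ack={absolute}  displayed ack={shown}")
```

The last segment carries 3246536797 in its header and is shown as 1, because the server's initial sequence number 3246536796 is subtracted before display.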