tcp wireshark

Meaning of sequence number (raw) in wireshark


I'm confused about the meaning of the "sequence number (raw)" in wireshark when I capture the first SYN package. What is the difference between the "sequence number (relative)" and "sequence number (raw)"?



Solution

  • The raw sequence number is the actual value assigned on the packet.

    WireShark groups TCP sessions and assigns them relative sequence (and acknowledgment) numbers which start from 0 (and increment by 1, as it seems, for each subsequent packet) so the user can identify the sequence of events.

    According to the corresponding wiki page:

    By default Wireshark and TShark will keep track of all TCP sessions and convert all Sequence Numbers (SEQ numbers) and Acknowledge Numbers (ACK Numbers) into relative numbers. This means that instead of displaying the real/absolute SEQ and ACK numbers in the display, Wireshark will display a SEQ and ACK number relative to the first seen segment for that conversation.

    That wiki page also includes instructions on how to enable/disable this feature.

    To get to that wiki page you can follow some paths including the following:

    1. WireShark home wiki page -> Use WireShark / TShark -> Preferences -> Protocols -> TCP -> TCP_Relative_Sequence_Numbers.
    2. WireShark home wiki page -> References -> PortReference: TCP -> Transmission Control Protocol -> Preference Settings -> TCP_Relative_Sequence_Numbers and TCP Window Scaling.

    See also:

    1. How can I get the actual TCP sequence number in Wireshark?
    2. TCP: How are the seq / ack numbers generated? (which led me to TCP's RFC 793, page 27).
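
The raw-to-relative conversion quoted from the wiki above, as an added example that is not part of the original answer and not Wireshark's own code. The function name, the tuple layout and the sample segments are assumptions made for illustration; the initial sequence number is placed near the 32-bit limit to show the wrap-around case.

```python
# Added example: derive relative SEQ/ACK numbers from raw ones for one
# TCP conversation, relative to the first segment seen from each endpoint.
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def relative_numbers(segments):
    """segments: list of (src, dst, raw_seq, raw_ack, flags) tuples, in
    capture order, all belonging to ONE conversation.
    Returns [(src, rel_seq, rel_ack)]; rel_ack is None when the ACK flag is
    not set or the peer's first segment has not been seen yet (a choice
    made by this example)."""
    base = {}  # endpoint -> raw SEQ of the first segment seen from it
    result = []
    for src, dst, raw_seq, raw_ack, flags in segments:
        base.setdefault(src, raw_seq)
        rel_seq = (raw_seq - base[src]) % MOD  # modulo handles wrap-around
        rel_ack = None
        if "A" in flags and dst in base:
            # An ACK number refers to the peer's sequence space.
            rel_ack = (raw_ack - base[dst]) % MOD
        result.append((src, rel_seq, rel_ack))
    return result


# Constructed sample data (not from a real capture). The client ISN is
# 4294967290, six below the wrap point; the server ISN is 1000.
# SYN consumes one sequence number; the client then sends 10 payload bytes.
SAMPLE = [
    ("client", "server", 4294967290, 0,          "S"),
    ("server", "client", 1000,       4294967291, "SA"),
    ("client", "server", 4294967291, 1001,       "A"),
    ("client", "server", 4294967291, 1001,       "PA"),  # 10 bytes of data
    ("server", "client", 1001,       5,          "A"),   # raw ACK has wrapped
]

if __name__ == "__main__":
    for (src, _, raw_seq, raw_ack, flags), (_, rel_seq, rel_ack) in zip(
        SAMPLE, relative_numbers(SAMPLE)
    ):
        print(f"{src:6} [{flags:2}] raw seq={raw_seq:<10} ack={raw_ack:<10} "
              f"-> rel seq={rel_seq} ack={rel_ack}")
```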