Go into the Preference menu and opening up the Protocols where you’ll find the known protocols that Wireshark decodes, see Figure 1:1. Move to the TCP and there’s the option to turn on “Analysis TCP sequence numbers”. In Figure 1:2 you see the results in packet with the sequence number changes from 1486019313 to 1.
When a TCP session is established, indicated with the SYN, SYN ACK, ACK packets, the first TCP packet contains both the common port and the ephemeral port, “meaning short lived” and sequence number. There are also Flags, Window Size, checksum and options, and we’ll review those in the future. TCP uses the sequence and acknowledgment numbers to track the receipt of data bytes. It’s a random number for the purpose to reduce the predictability of the next TCP connection’s sequence number.
So in Figure 1:1 in packet 3 the initial sequence number is 1486019312 the corresponding ACK the response in packet 4 is Seq=1486019313. Wireshark has created an easier way reducing the initial sequence number to ZERO. It makes is easier to track as you look through the packets in the trace file. In example Figure 1:2 viewing the same ACK and sequence number we see how much easier it is, with the Seq=0 and the Ack=1.
Figure 1:1 Wireshark Edit>Preference>Protocols>TCP (Analysis TCP sequence numbers)
Figure 1:2 Wireshark Edit>Preference>Protocols>TCP (Analysis TCP sequence numbers SELECTED)