Tracking sequence numbers and flags in Wireshark

Phil Morgan • August 15, 2017


One of the things I learned a while back was a really good tip when using Wireshark. I find people sometimes get tied up tracking the sequence numbers and the wireless frame flags in Wireshark.

Having to open each frame to look for flags and follow sequence numbers can be quite complex and time-consuming.

Here’s a Wireshark Tip

Here is a little tip I learned, which seems so obvious once someone tells you…

When viewing the frames in Wireshark, the “Info” column can be very informative. It shows the type of frame and the sequence number (SN). It also shows the SSID name, the Beacon Interval (BI) and the Flags from the wireless frame header.

There is one exception to this standard “info” field display. If you have data that is not encrypted, Wireshark may start to show you the TCP/UDP or HTTP information in the “info” field, and then you do have to dig inside the frame to see the flag details. Basically, on an unencrypted wireless network, or if you have intentionally entered the PSK so that you can decrypt packets, the column may display actual packet data, not “useful wifi info”.

If we take a look at Diagram 1 below, you will see the Flags are listed underneath the “Flags” section within the “Frame Control Field”. You can also find a summary right next to the “IEEE 802.11 Beacon Frame” section (in fact, whatever the type of frame you are viewing, the flags are summarized next to this section). Something that often goes unnoticed is that they are also summarized in the top right section of the Wireshark Frames display, within the “info” field.

DIAGRAM 1

When the flags are shown next to the “IEEE 802.11 Frame” field (where represents the type of frame shown) or when shown within the “info” column, the frame flags are listed using the following format: xxxxxxxxC, where the x’s represent characters that are displayed. The format is a mix of eight letters followed by an uppercase “C”. If a given flag is not set, it is represented as a period. As you can see in Diagram 1, none of the flags are set, and so the flag field is represented as eight periods followed by an uppercase “C”.

The eight flags are shown as the following letters in this order: opmPRMFTC

o is the Order bit
p is the Protected bit
m is the More Data bit
P is Power Management
R is Retry
M is More Fragments
F is FromDS
T is ToDS

That’s the eight flags!

Well, what’s the “C” then, I hear you ask.

A lot of people misunderstand this, and mis-name this uppercase “C”.

The “C” is there as long as the frame did not fail its CRC check. Please note that this is not the same as the frame passing its CRC check. If for whatever reason the CRC is not present (maybe because you only captured a small segment of the frame, e.g. 128B, or you didn’t capture the FCS), Wireshark still represents this with an uppercase “C”. This happens whether the frame is corrupt or not and can be quite confusing. So, watch out for that one!
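As an added example (not part of the original post), this Python sketch decodes the nine-character flag string described above and pulls the SN and flags out of Info-column text. The sample lines are constructed, and the `SN=`/`Flags=` labels and the period shown for a failed check are assumptions about how the Info column is laid out.

```python
import re

# Letters in the page's order "opmPRMFT", paired with the bit each one has in
# the flags byte of the 802.11 Frame Control field (most significant first).
FLAG_BITS = [
    ("o", "Order", 0x80), ("p", "Protected", 0x40),
    ("m", "More Data", 0x20), ("P", "Power Management", 0x10),
    ("R", "Retry", 0x08), ("M", "More Fragments", 0x04),
    ("F", "FromDS", 0x02), ("T", "ToDS", 0x01),
]

def decode_flags(text):
    """Decode a nine-character flag string such as '.p..R..TC'."""
    if len(text) != 9 or text[8] not in "C.":
        raise ValueError(f"not a nine-character flag string: {text!r}")
    set_flags = []
    for ch, (letter, name, _mask) in zip(text, FLAG_BITS):
        if ch == letter:
            set_flags.append(name)
        elif ch != ".":
            raise ValueError(f"unexpected {ch!r} in the {name} position")
    # "C" only means the frame did not fail its check. A capture without
    # the FCS also shows "C", so it is not proof that the frame is intact.
    return {"set": set_flags, "fcs_not_failed": text[8] == "C"}

def encode_flags(flags_byte, fcs_failed=False):
    """Render a flags byte as the Info column would show it.
    Assumption: a failed check puts a period in the last position."""
    body = "".join(l if flags_byte & mask else "." for l, _n, mask in FLAG_BITS)
    return body + ("." if fcs_failed else "C")

# Assumed Info-column layout: "... SN=<n>, ... Flags=<nine characters> ..."
INFO_RE = re.compile(r"SN=(\d+).*?Flags=([A-Za-z.]{9})")

def summarize(info_line):
    """Return the SN and decoded flags from one Info-column line, or None
    when the line carries upper-layer info (unencrypted or decrypted data)."""
    m = INFO_RE.search(info_line)
    if m is None:
        return None
    return {"sn": int(m.group(1)), **decode_flags(m.group(2))}

# Constructed Info-column lines, not taken from a real capture.
SAMPLE = [
    "Beacon frame, SN=2551, FN=0, Flags=........C, BI=100, SSID=lab",
    "QoS Data, SN=87, FN=0, Flags=.p..R..TC",
    "GET /index.html HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(summarize(line))
```

A `None` result corresponds to the exception described earlier, where the Info column shows TCP/UDP or HTTP details and the flags have to be read from inside the frame.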

2025 Update...

We talk about this more in our AMA series webinars:

https://www.youtube.com/watch?v=TM70jXEsFsk


That’s it for this month. See you next time.
