Just to confirm:

1) in the default output, the number in parentheses is the the packet size? If so, does this include headers (tcp, ip, http, etc..)?

2) the sequence numbers are actually translated from original to reflect this?

from the manual:

"On subsequent packets of the conversation, the difference betweenthe current packet’s sequence number and this initial sequence number is printed. This means that sequence numbers after the first can be interpreted as relative byte positions in the conversation’s data stream (with the first data byte each direction being ‘1’).

Yes, the number is the *packet* size, ie. IP and up. if you an an -e to the command you get the layer 2 data too, which then includes the *frame* size, ie.. ethernet and up.

and tcpdump won't cahnge a sequence number. it won't change any data at all, otherwise it'd be a useless tool...