A method for real time monitoring of at least one TCP flow involves monitoring TCP packets flowing past a particular point in a TCP network. A flow trace including at least source and destination addresses for each TCP packet is determined and a packet record for each monitored TCP packet within a determined flow trace is created. Each of the packet records includes at least a transmitted order number and an actual received sequence number, from which an expected received sequence number for each packet record is determined and stored in the packet record. The difference between the expected received sequence number for each packet record and the expected received sequence number for the previous packet record is used to thereby determine by how much a particular packet was moved out of sequence.