authorsake <sake@f5534014-38df-0310-8fa8-9805f1628bb7>2011-06-19 20:39:08 +0000
committersake <sake@f5534014-38df-0310-8fa8-9805f1628bb7>2011-06-19 20:39:08 +0000
commitc2556662ef1b136770cf6b52d2ce3517fd6cb11b (patch)
treea4b0c3bebf55437473fb19e7a3d5f533b9dba52c /epan/dissectors/packet-tcp.c
parent5ab586c5260a8ff77f0ae84f57b1d9b1afcbed76 (diff)
Show and add a filter to non-zero ACK numbers and URG pointers whenever their respective flags are not set. As discussed at Sharkfest with Laura Chappell (OK Laura, go ahead and create some more butt-ugly filters now!).
git-svn-id: http://anonsvn.wireshark.org/wireshark/trunk@37721 f5534014-38df-0310-8fa8-9805f1628bb7
Diffstat (limited to 'epan/dissectors/packet-tcp.c')
-rw-r--r--epan/dissectors/packet-tcp.c29
1 files changed, 24 insertions, 5 deletions
diff --git a/epan/dissectors/packet-tcp.c b/epan/dissectors/packet-tcp.c
index 58bbb5acd4..d9f2c11cf4 100644
--- a/epan/dissectors/packet-tcp.c
+++ b/epan/dissectors/packet-tcp.c
@@ -3608,6 +3608,7 @@ dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
{
guint8 th_off_x2; /* combines th_off and th_x2 */
guint16 th_sum;
+ guint32 ack;
guint16 th_urp;
proto_tree *tcp_tree = NULL, *field_tree = NULL;
proto_item *ti = NULL, *tf, *hidden_item;
@@ -3868,18 +3869,25 @@ dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
PROTO_ITEM_SET_GENERATED(tf);
}
}
+
if (tcph->th_flags & TH_ACK) {
- if(tcp_relative_seq){
+ if (tcp_relative_seq){
proto_tree_add_uint_format(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, tcph->th_ack, "Acknowledgement number: %u (relative ack number)", tcph->th_ack);
} else {
proto_tree_add_uint(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, tcph->th_ack);
}
} else {
/* Verify that the ACK field is zero */
- if(tvb_get_ntohl(tvb, offset+8) != 0){
- proto_tree_add_text(tcp_tree, tvb, offset+8, 4,"Acknowledgement number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set");
+ ack = tvb_get_ntohl(tvb, offset+8);
+ if (ack != 0){
+ item = proto_tree_add_uint_format(tcp_tree, hf_tcp_ack, tvb, offset + 8, 4, ack,
+ "Acknowledgement Number: 0x%08x [should be 0x00000000 because ACK flag is not set]",
+ ack);
+ expert_add_info_format(pinfo, item, PI_PROTOCOL, PI_WARN,
+ "Acknowledgement number: Broken TCP. The acknowledge field is nonzero while the ACK flag is not set");
}
}
+
proto_tree_add_uint_format(tcp_tree, hf_tcp_hdr_len, tvb, offset + 12, 1, tcph->th_hlen,
"Header length: %u bytes", tcph->th_hlen);
tf = proto_tree_add_uint_format(tcp_tree, hf_tcp_flags, tvb, offset + 12, 2,
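Review bot: The new else branch registers the raw on-the-wire value from `tvb_get_ntohl(tvb, offset+8)` under `hf_tcp_ack`, while the ACK-set branch above registers `tcph->th_ack`, which is labelled "(relative ack number)" when `tcp_relative_seq` is on. A filter on that one field can therefore compare what are presumably rebased values for flagged segments against raw values for unflagged ones, and the label here prints hex where the other branch prints `%u`. This deserves a comment, because a non-zero acknowledgement field with ACK clear is the kind of header anomaly an analyst hunts for (a broken stack, or data carried in a field that should be unused). I would extend the existing comment to `/* ACK flag clear: field should be zero. Show the raw wire value (never rebased) under hf_tcp_ack and raise a warning so the anomaly is filterable. */`. The declaration of `item` is not in any visible hunk, and `dissect_tcp` begins and ends outside this one.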
@@ -4105,8 +4113,8 @@ dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
}
}
+ th_urp = tvb_get_ntohs(tvb, offset + 18);
if (tcph->th_flags & TH_URG) {
- th_urp = tvb_get_ntohs(tvb, offset + 18);
/* Export the urgent pointer, for the benefit of protocols such as
rlogin. */
tcpinfo.urgent = TRUE;
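Review bot: The unconditional read of `th_urp` added here feeds the new else branch in the following hunk, but there the `expert_add_info_format(pinfo, item, PI_PROTOCOL, PI_WARN, ...)` call sits inside `if (tcp_tree != NULL)`. The warning for a non-zero urgent pointer with URG clear is therefore only recorded on passes that build a tree, whereas the ACK check earlier in this commit has no such guard in its visible lines. The `proto_tree_add_*` helpers accept a NULL tree and return a NULL item, so the inner guard can be dropped. The branch would then read `if (th_urp) { item = proto_tree_add_uint_format(...); expert_add_info_format(...); }`, and both anomaly checks would report the same way. The `if (tcph->th_flags & TH_URG)` statement starts in this hunk and continues into the next one.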
@@ -4114,8 +4122,19 @@ dissect_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
col_append_fstr(pinfo->cinfo, COL_INFO, " Urg=%u", th_urp);
if (tcp_tree != NULL)
proto_tree_add_uint(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th_urp);
- } else
+ } else {
tcpinfo.urgent = FALSE;
+ if (th_urp) {
+ if (tcp_tree != NULL) {
+ item = proto_tree_add_uint_format(tcp_tree, hf_tcp_urgent_pointer, tvb, offset + 18, 2, th_urp,
+ "Urgent Pointer: 0x%04x [should be 0x0000 because URG flag is not set]",
+ th_urp);
+ expert_add_info_format(pinfo, item, PI_PROTOCOL, PI_WARN,
+ "Urgent Pointer: Broken TCP. The urgent pointer field is nonzero while the URG flag is not set");
+ }
+ }
+ }
+
if (tcph->th_have_seglen) {
col_append_fstr(pinfo->cinfo, COL_INFO, " Len=%u", tcph->th_seglen);