Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

This definitely looks like a bug to me. For some reason, the TCP sequence number is being added to the tree if the TCP header is being dissected from within an ICMP packet, as is the case here. However, the TCP dissector then adds it again anyway, so you end up with two of them as you see here.

From packet-tcp.c:

6019         /*  If we're dissecting the headers of a TCP packet in an ICMP packet
6020          *  then go ahead and put the sequence numbers in the tree now (because
6021          *  they won't be put in later because the ICMP packet only contains up
6022          *  to the sequence number).
6023          *  We should only need to do this for IPv4 since IPv6 will hopefully
6024          *  carry enough TCP payload for this dissector to put the sequence
6025          *  numbers in via the regular code path.
6026          */
6027         {
6028             wmem_list_frame_t *frame;
6029             frame = wmem_list_frame_prev(wmem_list_tail(pinfo->layers));
6030             if (proto_ip == (gint) GPOINTER_TO_UINT(wmem_list_frame_data(frame))) {
6031                 frame = wmem_list_frame_prev(frame);
6032                 if (proto_icmp == (gint) GPOINTER_TO_UINT(wmem_list_frame_data(frame))) {
6033                     proto_tree_add_item(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
6034                 }
6035             }
6036         }
6037     }

… then later on:

6235     if(tcp_relative_seq) {
6236         proto_tree_add_uint_format_value(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq, "%u    (relative sequence number)", tcph->th_seq);
6237     } else {
6238         proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq);
6239     }

I would recommend filing a Wireshark bug report for this. There's only a single TCP sequence number field present so there should only be one instance of the field added to the tree, regardless of whether the TCP header is carried in an ICMP packet or not. Well, at least that's my assessment. Maybe there's a good reason for this, but I can't think of one.