 | 1 | initial version |
This definitely looks like a bug to me. For some reason, the TCP sequence number is being added to the tree if the TCP header is being dissected from within an ICMP packet, as is the case here. However, the TCP dissector then adds it again anyway, so you end up with two of them as you see here.
From packet-tcp.c:
6019 /* If we're dissecting the headers of a TCP packet in an ICMP packet
6020 * then go ahead and put the sequence numbers in the tree now (because
6021 * they won't be put in later because the ICMP packet only contains up
6022 * to the sequence number).
6023 * We should only need to do this for IPv4 since IPv6 will hopefully
6024 * carry enough TCP payload for this dissector to put the sequence
6025 * numbers in via the regular code path.
6026 */
6027 {
6028 wmem_list_frame_t *frame;
6029 frame = wmem_list_frame_prev(wmem_list_tail(pinfo->layers));
6030 if (proto_ip == (gint) GPOINTER_TO_UINT(wmem_list_frame_data(frame))) {
6031 frame = wmem_list_frame_prev(frame);
6032 if (proto_icmp == (gint) GPOINTER_TO_UINT(wmem_list_frame_data(frame))) {
6033 proto_tree_add_item(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, ENC_BIG_ENDIAN);
6034 }
6035 }
6036 }
6037 }
… then later on:
6235 if(tcp_relative_seq) {
6236 proto_tree_add_uint_format_value(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq, "%u (relative sequence number)", tcph->th_seq);
6237 } else {
6238 proto_tree_add_uint(tcp_tree, hf_tcp_seq, tvb, offset + 4, 4, tcph->th_seq);
6239 }
I would recommend filing a Wireshark bug report for this. There's only a single TCP sequence number field present so there should only be one instance of the field added to the tree, regardless of whether the TCP header is carried in an ICMP packet or not. Well, at least that's my assessment. Maybe there's a good reason for this, but I can't think of one.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.