If the URG flag is set to zero, then the urgent pointer field is disabled. In that case, why is the value of the urgent pointer field not displayed in Wireshark?
asked 13 Aug '13, 14:19
edited 13 Aug '13, 14:37
The urgent pointer field is only meaningful if the URG flag is set; otherwise the two bytes are essentially meaningless.
If Wireshark were to display those 2 bytes as if there were an actual urgent pointer even though the URG flag was not set, then potentially packets that should not match a particular display filter would be incorrectly displayed. For example, suppose you are interested in all packets containing an urgent pointer set to some specific value, say 0x1234, then you might use the following display filter to isolate them:
If there happened to be TCP packets with the URG flag cleared yet the bytes where the urgent pointer would be represented happened to contain those same values, then the packet would incorrectly match the filter.
Interestingly, Wireshark currently does display the tcp.urgent_pointer field, even if the URG flag isn't set, if the value of the tcp.urgent_pointer is non-zero. An expert info warning is even reported in such cases indicating, "Broken TCP. The urgent pointer field is nonzero while the URG flag is not set". Apparently this was done with the understanding that this field should be zero when the URG flag isn't set, but as Guy Harris noted in the earlier discussion, there actually doesn't appear to be any requirement for the urgent pointer field to be zero when the URG flag is not set.
We might consider removing that expert info warning, or at least changing it from a warning to a note with different wording, in particular removing the "Broken TCP" portion of the message.
answered 13 Aug '13, 15:09
edited 13 Aug '13, 15:12
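The display-filter false-positive the answer describes, as an added example (not code from the answer, from Wireshark or from its dissector): a minimal TCP header decoder that treats tcp.urgent_pointer as "present" under two policies, the current behaviour (shown when non-zero even with URG clear, plus the expert-info warning) and the stricter "only when URG is set" policy, then applies a `tcp.urgent_pointer == 0x1234` filter to constructed segments. The function names, the `show_nonzero_when_urg_clear` switch and the sample segments are assumptions made for this example.

```python
import struct
from typing import Optional

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793).
URG, ACK = 0x20, 0x10
BROKEN_TCP = "The urgent pointer field is nonzero while the URG flag is not set"


def build_tcp_header(flags: int, urg_ptr: int, src: int = 40000, dst: int = 80) -> bytes:
    """Constructed 20-byte TCP header (no options); checksum left at zero."""
    return struct.pack("!HHIIHHHH", src, dst, 1, 1, (5 << 12) | flags, 65535, 0, urg_ptr)


def dissect(data: bytes, show_nonzero_when_urg_clear: bool = True) -> dict:
    """Decode the fixed TCP header and decide whether tcp.urgent_pointer is 'present'.

    True mimics the current behaviour the answer describes (field shown when URG
    is clear but the value is non-zero, plus an expert-info warning); False shows
    the field only when URG is set.
    """
    if len(data) < 20:
        raise ValueError("TCP header too short")
    src, dst, _seq, _ack, off_flags, _win, _csum, urg_ptr = struct.unpack("!HHIIHHHH", data[:20])
    urg_set = bool(off_flags & URG)
    expert: Optional[str] = BROKEN_TCP if (not urg_set and urg_ptr != 0) else None
    present = urg_set or (show_nonzero_when_urg_clear and urg_ptr != 0)
    return {
        "src_port": src,
        "dst_port": dst,
        "urg": urg_set,
        "urgent_pointer": urg_ptr if present else None,  # None means "field not displayed"
        "expert_info": expert,
    }


def matches_urgent_pointer_filter(hdr: dict, value: int) -> bool:
    """Emulate `tcp.urgent_pointer == value`: a field that is not displayed cannot match."""
    return hdr["urgent_pointer"] == value


# Constructed sample segments: a real urgent segment, a segment with URG clear
# but stale bytes in the urgent-pointer position, and a plain ACK.
URGENT = build_tcp_header(ACK | URG, 0x1234)
STALE = build_tcp_header(ACK, 0x1234)
PLAIN = build_tcp_header(ACK, 0)

if __name__ == "__main__":
    for name, seg in (("URGENT", URGENT), ("STALE", STALE), ("PLAIN", PLAIN)):
        for mode in (True, False):
            h = dissect(seg, show_nonzero_when_urg_clear=mode)
            print(name, mode, h["urgent_pointer"], h["expert_info"],
                  matches_urgent_pointer_filter(h, 0x1234))
```

Under the current-behaviour policy the STALE segment matches the filter even though it carries no urgent data; under the strict policy it does not, while the expert-info condition is still reported.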