Wireshark-dev: Re: [Wireshark-dev] 1.7.1 bug? tcp.flags == 0x8c2

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Fri, 10 Feb 2012 03:52:08 +0000 (UTC)
Lanell Allen <blanellallen@...> writes:

> [SYN, ECN, CWR]
> 
> The "tcp.flags == 0x8c2" filter
> crashes on v. 1.7. Stays "pink" with the error message "invalid
> filter" / "too big", etc.
> Works fine on 1.6.1 and 1.6.4
> Lanell Allen, WCNA

Well first off, that filter is incorrect if you're trying to match packets with
only the SYN, ECN and CWR bits set.  The only way it would work is if the
high-order bit of the 3-bit reserved field also happens to be set, which I
doubt.  In your case, I think the proper filter should be: "tcp.flags == 0x0c2".

That aside, since the nonce and reserved bits were added to the TCP flags in
r34084, the tcp.flags field now encompasses 12 bits instead of only 8 bits as it
did previously.  Because of this, the field type should have been changed from an
FT_UINT8 to an FT_UINT16 in order to be able to specify all the values in its
new range.

I checked in a fix to that problem in r40949 and scheduled it (along with
r37856) to be back-ported to 1.6.6 and 1.4.12.

- Chris
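
The 12-bit layout discussed in this message, as an added example (not code from the message or from the Wireshark source): it extracts the flags from a constructed TCP header, names the bits in 0x8c2 and 0x0c2, and checks which values a field of a given width can express. The function names, the `fits_width` model of the range check and the sample header bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits, high to low, in the 12-bit value: 3 reserved, NS, then the classic 8. */
static const char *const FLAG_NAMES[12] = {
    "Res", "Res", "Res", "NS", "CWR", "ECN", "URG", "ACK", "PSH", "RST", "SYN", "FIN"
};

/* Constructed 20-byte TCP header: data offset 5, flags SYN+ECN+CWR. */
static const uint8_t SAMPLE_HDR[20] = {
    0xc0, 0x01, 0x00, 0x50,             /* src port 49153, dst port 80 */
    0x00, 0x00, 0x00, 0x01,             /* sequence number */
    0x00, 0x00, 0x00, 0x00,             /* acknowledgment number */
    0x50, 0xc2,                         /* offset/reserved/NS, then CWR..FIN */
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00  /* window, checksum, urgent pointer */
};

/* 12-bit flags: low nibble of byte 12 plus all of byte 13; -1 if truncated. */
int tcp_flags12(const uint8_t *hdr, size_t len) {
    if (len < 14) return -1;
    return ((hdr[12] & 0x0f) << 8) | hdr[13];
}

/* Can `value` be expressed in a field that is `bits` wide? (hypothetical model) */
int fits_width(unsigned value, unsigned bits) {
    return value < (1u << bits);
}

/* Write the names of the set flags into buf, comma separated; returns buf. */
char *flag_names(unsigned flags, char *buf, size_t n) {
    buf[0] = '\0';
    for (int i = 0; i < 12; i++) {
        if (!(flags & (0x800u >> i))) continue;
        if (buf[0]) strncat(buf, ", ", n - strlen(buf) - 1);
        strncat(buf, FLAG_NAMES[i], n - strlen(buf) - 1);
    }
    return buf;
}

int main(void) {
    char a[64], b[64];
    int f = tcp_flags12(SAMPLE_HDR, sizeof SAMPLE_HDR);
    printf("packet flags 0x%03x [%s]\n", f, flag_names((unsigned)f, a, sizeof a));
    printf("0x8c2 means [%s], matches: %d\n", flag_names(0x8c2, b, sizeof b), f == 0x8c2);
    printf("0x8c2 fits 8 bits: %d, 12 bits: %d\n", fits_width(0x8c2, 8), fits_width(0x8c2, 12));
    return 0;
}
```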