ACK/URG anomaly

["Gisle Vanem" <gvanem () yahoo no>]

While using the a 'nmap -sT -O' command to my Linux router (10.0.0.1), I see
nmap fails to set ACK/URG flags in some cases where those ACK/URG
fields are non-zero. Commands I used was:
 tcpdump -w nmap.pcap port 53 or port 22   << ! in another shell or background
 nmap -sT -O -p53,22 router
 tshark -Vr nmap.pcap | grep "The urgent pointer field is nonzero"

Details: when the ACK or URG tcp-header field is non-zero, the ACK or URG
flags should also be set. I haven't looked at other flags. From the Wireshark Expert
info when analyzing the nmap.pcap-file:
   [The acknowledgment number field is nonzero while the ACK flag is not set]
   [The urgent pointer field is nonzero while the URG flag is not set]

Is this working-as-designed? Otherwise it should be made clear in the code+docs 
somewhere (Xmas scan exempted?). AFAICS it isn't. So I assume
libnetutil/TCPheader.cc is to blame here. But I fail to see how.

I've ran the above commands on Win-XP SP3 (MSVC compiled nmap). Can 
anybody confirm this on Windows or elsewhere? 

Attached is nmap.pcap from above windump session.

--gv

Attachment: nmap.pcap
Description:

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/