By Laura Chappell

Using Wireshark's TCP Conversation Completeness

Wireshark added the TCP conversation completeness measurement to identify which elements of a TCP conversation (handshake, data, teardown) are present in a capture. In this post, I want to show you what this feature is based on and how to set up Wireshark to use it.


Upon what elements is TCP completeness based? Let's look at the image below.


TCP packet types

Wireshark assigns a value to each of the following packet types:

32 : RST

16 : FIN

8 : DATA

4 : ACK

2 : SYN-ACK

1 : SYN


If Wireshark captures only the SYN and SYN-ACK of a TCP conversation, it will assign a TCP completeness value of 3 to every packet of that conversation (1 for the SYN plus 2 for the SYN-ACK) and put the value ----SS in the Completeness Flags field. All packets of the same conversation carry the same TCP completeness value.


Try This

Download the following trace file and open it in Wireshark.

TRACE FILE: tcp-dass.pcapng

Expand any TCP header in the Packet Details pane. Click and drag the following fields up to the Packet List pane to add them as columns:

Stream index

Conversation completeness

Completeness Flags


Wireshark Packet List Pane with Extra Columns Added

You can see the number 15 in the Conversation completeness column. The value is the sum of the packet types seen in the conversation, which the Completeness Flags field spells out:

8 : DATA

4 : ACK

2 : SYN-ACK

1 : SYN

------------

15 : Conversation completeness (Completeness Flags --DASS)


The file name, tcp-dass.pcapng, was assigned based on the Completeness Flags value: DASS stands for DATA, ACK, SYN-ACK, SYN.
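To make the arithmetic above concrete, here is an added example (not from this post and not Wireshark's own code) that computes the conversation completeness value and the Completeness Flags string for each stream in a constructed packet list. The rules deciding which bit a single segment contributes are my assumption and are simpler than Wireshark's dissector logic; the display filter field name tcp.completeness is assumed to match the column you added.

```python
from collections import defaultdict

# Bit values as the post lists them.
SYN, SYN_ACK, ACK, DATA, FIN, RST = 1, 2, 4, 8, 16, 32
# Letter positions in the Completeness Flags string, left to right:
# RST, FIN, DATA, ACK, SYN-ACK, SYN, so SYN + SYN-ACK alone renders as ----SS.
FLAG_ORDER = ((RST, "R"), (FIN, "F"), (DATA, "D"), (ACK, "A"), (SYN_ACK, "S"), (SYN, "S"))

def packet_bits(flags, payload_len):
    """Bit one segment contributes. The classification order (SYN, then RST/FIN,
    then payload, then pure ACK) is my assumption, not Wireshark's dissector logic."""
    flags = set(flags)
    if "SYN" in flags:
        return SYN_ACK if "ACK" in flags else SYN
    if "RST" in flags:
        return RST
    if "FIN" in flags:
        return FIN
    if payload_len > 0:
        return DATA
    return ACK if "ACK" in flags else 0  # pure ACK, e.g. third handshake packet

def conversation_completeness(packets):
    """stream index -> completeness value; every packet in a stream shares it."""
    per_stream = defaultdict(int)
    for stream, flags, payload_len in packets:
        per_stream[stream] |= packet_bits(flags, payload_len)
    return dict(per_stream)

def completeness_flags(value):
    """Render the value the way the Completeness Flags column shows it."""
    return "".join(letter if value & bit else "-" for bit, letter in FLAG_ORDER)

def display_filter(value):
    """Display filter selecting conversations with exactly this value (assumed field name)."""
    return f"tcp.completeness == {value}"

# Constructed sample (not a real capture): stream 0 mirrors tcp-dass.pcapng,
# stream 1 is a handshake that never completed, stream 2 closed with FINs.
SAMPLE = [
    (0, {"SYN"}, 0), (0, {"SYN", "ACK"}, 0), (0, {"ACK"}, 0), (0, {"PSH", "ACK"}, 120),
    (1, {"SYN"}, 0), (1, {"SYN", "ACK"}, 0),
    (2, {"SYN"}, 0), (2, {"SYN", "ACK"}, 0), (2, {"ACK"}, 0), (2, {"ACK"}, 300),
    (2, {"FIN", "ACK"}, 0), (2, {"FIN", "ACK"}, 0), (2, {"ACK"}, 0),
]

if __name__ == "__main__":
    for stream, value in sorted(conversation_completeness(SAMPLE).items()):
        print(f"stream {stream}: {value:2d} {completeness_flags(value)}  {display_filter(value)}")
```

Stream 1 comes out as 3 / ----SS, the half-open case from earlier in the post, which is exactly the kind of conversation the completeness column lets you isolate in a large capture.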


Not so fast

Unfortunately, a change in Wireshark v4 can cause issues when working with these fields. If you find you can't sort your new columns, you might be hitting the same issue.


Go check out my blog on the new Cached Rows setting. Ugh.


Enjoy! (Except for the Cached Rows setting.)

