Wireshark added the TCP conversation completeness measurement to identify which elements of a TCP conversation (handshake, data, teardown) are present in a capture. In this post, I want to show you what this feature is based on and how to set up Wireshark columns so you can use it.
Upon what elements is TCP completeness based? Let's look at the image below.
Wireshark assigns a value to each of the following packet types:
32 : RST
16 : FIN
8 : DATA
4 : ACK
2 : SYN-ACK
1 : SYN
If Wireshark captures only the SYN and SYN-ACK of a TCP conversation, it will assign a TCP completeness value of 3 to each packet (1 for the SYN and 2 for the SYN-ACK) and put the value ----SS in the Completeness Flags field. All packets of the same conversation contain the same TCP completeness value.
Download the following trace file and open it in Wireshark.
TRACE FILE: tcp-dass.pcapng
Expand any TCP header in the Packet Details pane. Click and drag the following fields up to the Packet List pane to add them as columns:
Stream index
Conversation completeness
Completeness Flags
You can see the number 15 in the Conversation completeness column. The Completeness Flags are calculated as follows:
8 (DATA) + 4 (ACK) + 2 (SYN-ACK) + 1 (SYN) = 15
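To make the scoring concrete, here is an added Python example (my own code, not Wireshark's) that applies the post's point values to a constructed list of packets and rebuilds the Completeness Flags string in the post's dash-and-letter layout. The rule for which packets earn the ACK and DATA bits is my reading of the post, and the `tcp.completeness` field name in the printout is assumed.

```python
# Added example (not Wireshark's own code): score TCP streams the way the
# post describes. Each record is (stream_index, flag_set, payload_length),
# as you might read them from a capture.

RST, FIN, DATA, ACK, SYN_ACK, SYN = 32, 16, 8, 4, 2, 1
# Left-to-right column order of the six-character flag string used in the post.
FLAG_COLUMNS = ((RST, "R"), (FIN, "F"), (DATA, "D"), (ACK, "A"), (SYN_ACK, "S"), (SYN, "S"))

def packet_bits(flags, payload_len):
    """Completeness bits one packet contributes (scoring rule assumed from the post)."""
    bits = 0
    if "SYN" in flags:
        bits |= SYN_ACK if "ACK" in flags else SYN
    elif "ACK" in flags:
        bits |= ACK          # handshake ACK, or the ACK carried by any later segment
    if payload_len > 0:
        bits |= DATA
    if "FIN" in flags:
        bits |= FIN
    if "RST" in flags:
        bits |= RST
    return bits

def flag_string(value):
    """Render a completeness value as a 6-character string, e.g. 3 -> '----SS'."""
    return "".join(ch if value & bit else "-" for bit, ch in FLAG_COLUMNS)

def completeness_by_stream(records):
    """OR together every packet's bits per stream index, as the column shows."""
    result = {}
    for stream, flags, payload_len in records:
        result[stream] = result.get(stream, 0) | packet_bits(flags, payload_len)
    return result

# Constructed sample: four streams in different states of completeness.
SAMPLE = [
    (0, {"SYN"}, 0), (0, {"SYN", "ACK"}, 0), (0, {"ACK"}, 0), (0, {"ACK", "PSH"}, 120),
    (1, {"SYN"}, 0), (1, {"SYN", "ACK"}, 0),                 # handshake never finished
    (2, {"SYN"}, 0), (2, {"SYN", "ACK"}, 0), (2, {"ACK"}, 0),
    (2, {"ACK", "PSH"}, 42), (2, {"FIN", "ACK"}, 0), (2, {"RST"}, 0),
    (3, {"ACK", "PSH"}, 500), (3, {"ACK"}, 0),               # capture started mid-stream
]

if __name__ == "__main__":
    for stream, value in sorted(completeness_by_stream(SAMPLE).items()):
        # Field name tcp.completeness is assumed for the display-filter hint.
        print(f"stream {stream}: tcp.completeness == {value:2d}  {flag_string(value)}")
```

Stream 1 reproduces the post's ----SS case, and stream 3 shows what a capture that started after the handshake looks like, so you can spot sessions whose beginning you never saw.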
Unfortunately, a change in Wireshark v4 can cause issues when working with these fields. If you find you can't sort your new columns, you might be hitting the same issue.
Go check out my blog on the new Cached Rows setting. Ugh.
Enjoy! (Except for the Cached Rows setting.)