Understanding TCP Conversation Completeness in Wireshark

background

The latest release of Wireshark 3.6.0 introduces a significant enhancement: the ability to analyze TCP conversation completeness. This new feature allows users to filter TCP streams based on various session elements, such as opening and closing handshakes and data payloads, using the tcp.completeness filter. By leveraging this functionality, network analysts can better evaluate TCP session integrity and troubleshoot issues more effectively.

Introduction to TCP Conversation Completeness

What is TCP Conversation Completeness? TCP Conversation Completeness, in theory, a complete TCP session should include both the most commonly understood opening handshake and closing handshake, and does not depend on whether there is or is no data transmission.

However, considering that most actual TCP session scenarios contain more data to be like a complete session, the following tcp.completeness field can be used to construct the session filter value:

  • 1: SYN
  • 2 : SYN-ACK
  • 4 : ACK
  • 8 : DATA
  • 16: END
  • 32 : RST

The above field values ​​can be flexibly combined to form different TCP session integrity display filter expressions.

Analyzing TCP Sessions Using Completeness Criteria

TCP three-way handshake

For example, if you want to filter out a session in a packet file that contains only the standard TCP three-way handshake, you can use this expression 'tcp.completeness==7' because 1 (SYN) + 2 (SYN/ACK) + 4 (ACK) = 7.

Display in the packet detail view

Understanding TCP Conversation Completeness in Wireshark

It is important to note that this TCP Steam 90 only has TCP three-way handshake packets, which can be filtered again for tcp.stream verification.

Therefore, if a TCP stream contains any data packets other than the TCP three-way handshake, the expression 'tcp.completeness==7' will not take effect, that is, the TCP stream cannot be filtered out.

Let’s take an example of a complete TCP flow in advance. This TCP flow includes TCP three-way handshake, data, and TCP four-way handshake complete data packets.

However, applying expressions 'tcp.completeness==7' cannot filter out any data packets.

A previous article I wrote, “Quick Display Filtering of TCP Three-Way Handshake”, has a different focus than the new version of TCP integrity session filtering. The previous article is more about solving the filtering problem of the third ACK in the TCP three-way handshake.

TCP four-way handshake

Similarly, if you want to filter out a session in the data file that contains only the standard TCP four-wave handshake, you can use this expression 'tcp.completeness==20' because 4 (ACK) + 16 (FIN) = 20.

Display in the packet detail view

It is also important to note why an expression is used here 'tcp.completeness==20'instead of an expression 'tcp.completeness==16'. This is also the difference between the theory and practice in the standard TCP four-wave handshake. Students who are interested can think divergently.

TCP RST close handshake

In the TCP session, the connection can be closed by FIN or RST. A simple example of connecting to an unopened port on the other end is as follows

Again the expression used here is 'tcp.completeness==37' , 1 (SYN) + 4 (ACK) + 32 (RST) = 37.

TCP Full Session

Finally, back to the real TCP session case, a complete session with data transmission will be filtered by a more combined expression. Considering that the closing of the connection can be associated with a FIN or RST packet, or even both, the most complete filter expression is:

Considering the convenience of demonstration, the following are simple examples of three expressions respectively. ​

The most standard TCP complete session is , 'tcp.completeness==31'because 1 (SYN) + 2 (SYN/ACK) + 4 (ACK) + 8 (DATA) + 16 (FIN) = 31.

The complete TCP session that closes the connection with RST is 'tcp.completeness==47'47 because 1 (SYN) + 2 (SYN/ACK) + 4 (ACK) + 8 (DATA) + 32 (RST) = 47.

A complete TCP session with simultaneous FIN + RST, 'tcp.completeness==63'because 1 (SYN) + 2 (SYN/ACK) + 4 (ACK) + 8 (DATA) + 16 (FIN)+ 32 (RST)= 63.

Summary of TCP Completeness Filtering

In summary, TCP session integrity policy checking greatly facilitates the analysis and processing of TCP flows and is a good technique for troubleshooting.