Let's go in depth: 2025

Sunday, October 5, 2025

Understanding Wireshark’s TCP Conversation Completeness: What It Really Tells You

Understanding “TCP Conversation Completeness” in Wireshark

A Deep Dive into What It Really Means (and What It Doesn’t)

When analyzing TCP packet captures in Wireshark, you may have noticed a column or field called “TCP Conversation Completeness.” It often shows up as a numerical value — 7, 15, 31, 63, and so on — and many engineers assume it reflects the health of a TCP connection or compliance with RFC 793.

However, that’s not what it is.

TCP Conversation Completeness is a Wireshark-specific analytical feature, not a TCP protocol metric or a network standard. It tells you only what Wireshark observed in the packet trace — not necessarily what happened on the wire end-to-end.

In this article, we’ll break down how Wireshark computes it, what the values mean, how incomplete captures can distort it, and how to correctly interpret it in real-world troubleshooting.

TCP Conversation Completeness” is like Wireshark’s health summary for a TCP connection —
useful for triage, not for truth

This critical TCP-layer metric that can significantly enhance how we validate the health of incoming client connections. The parameter is called “Conversation Completeness”, and while it may sound like a technical jargon, it is a highly effective diagnostic for analyzing connection integrity. This metric helps us categorize TCP conversations into meaningful states, such as:

🔴 Incomplete: Handshake not completed (e.g., SYN sent but no ACK)
🟠 Partial Data: Handshake succeeded, but data exchange was interrupted
🔥 Reset Immediately: Connections rejected abruptly (RST seen)
⏱️ Late SYN-ACK: SYN and SYN-ACK seen, but final ACK from client is missing(Common under high latency, packet loss, or asymmetric routing issues)
⚪ No Data: Clean handshake and closure, but no application data transferred
🟢 With Data: Full connection with data exchanged and properly closed
⚠️ Duplicate Conversations: Multiple flows for the same connection(May indicate monitoring artifacts or NAT reuse)

To assess connection health, we’ve classified traffic into the following TCP health buckets: Healthy TCP % = Sum of all Complete, WITH_DATA codes (31, 47, 63) divided by Total.

🟢 Green (Excellent): ≥ 97.5%, 🟡 Yellow (Good): 90–97.49%, 🟠 Amber (Moderate): 70–89.99%, 🔵 Blue (Below Average): 50–69.99%, 🔴 Red (Poor): < 50%

Observation for Client 6:

TTL = 126: Suggests Windows OS
Window Size = 8192
Window Scale = 8 (resulting in an effective receive window of 2,097,152 bytes)
MSS = 1338
tcp.completeness == 23:

All 1528 connections (initiated every hour) follow the 3-way handshake — SYN → SYN-ACK → ACK — but then terminate immediately with a FIN,ACK without exchanging any application data or TLS handshake.

What Is TCP Conversation Completeness?

TCP Conversation Completeness means that every TCP connection observed in packet capture has a proper beginning, middle, and end according to the TCP finite state machine.

A complete TCP conversation typically consists of:

Three-way handshake — SYN → SYN-ACK → ACK
Data exchange — One or both directions transmit data packets with PSH or ACK
Graceful termination — A full four-way FIN/ACK handshake, ensuring both sides close cleanly

Any deviation — like missing handshakes, abrupt resets, or unacknowledged FINs — indicates incomplete conversation(s).

Type	Description	Example Frames (Wireshark)	Remarks
Complete Conversation	Full SYN, data exchange, and 4-way FIN/ACK closure observed	SYN → SYN-ACK → ACK → [Data] → FIN → ACK → FIN → ACK	Ideal, healthy connection
Incomplete (Reset)	Connection aborted using `RST` instead of `FIN`	SYN → SYN-ACK → ACK → [Data] → RST	Application error or abrupt termination
Incomplete (Unidirectional FIN)	One side closes, the other doesn’t	SYN → SYN-ACK → ACK → [Data] → FIN → ACK (missing other FIN)	Peer-side timeout or closure mismatch
Handshake Incomplete	SYN sent but never acknowledged	SYN (no SYN-ACK)	Port closed, firewall drop, or routing issue
Midstream Reset	Data exchange occurs, then abrupt RST	SYN → SYN-ACK → ACK → [Data] → RST	Common during protocol mismatch, timeout, or app crash

Wireshark tracks the lifecycle of each TCP connection based on the flags it sees during capture:

TCP Event	Description
`SYN`	Connection initiation by client
`SYN, ACK`	Server acknowledgment
`ACK`	Final step of 3-way handshake
`DATA`	Application payload transfer
`FIN`	Graceful close request
`RST`	Abrupt termination

Wireshark uses these observed events to compute a bitmask value, stored in the field tcp.completeness.

Each bit in this field corresponds to a stage of the TCP conversation. The combination of bits forms a numeric “completeness score” that Wireshark can display as a value or text label.

📊 Why TCP Completeness Matters

Even when application logs show “Transaction Approved”, incomplete TCP flows can reveal deep network or system issues:

Impact Area	Example Scenario	Hidden Symptom
Load Balancer or Firewall	Connection reset due to idle timeout	App sees random disconnections
Server Configuration	Keep-alive disabled or FIN ignored	Half-open sockets pile up
Client Behavior	App abruptly closes sockets	Server stuck in `LAST_ACK`
TLS Handshake	Client aborts mid-handshake	SSL failure without clear error
Retransmission Storms	MSS or window scaling mismatch	Spikes in latency or CPU load

🧠 Anatomy of a Complete vs. Incomplete TCP Conversation

Type	Description	Common Pattern in Wireshark	Health
✅ Complete Conversation	Full handshake, bidirectional data, clean 4-way FIN	SYN → SYN-ACK → ACK → Data → FIN/ACK → FIN/ACK	Healthy
❌ Reset Termination	Connection aborted using RST	SYN → SYN-ACK → ACK → Data → RST	Application crash, firewall reset
⚠️ One-Sided FIN	One side closes, peer never replies	SYN → SYN-ACK → ACK → Data → FIN → ACK (no peer FIN)	Half-open session
⚠️ Handshake Incomplete	No SYN-ACK received	SYN only	Port closed, firewall drop
❌ Midstream Reset	Reset during data exchange	SYN → SYN-ACK → ACK → Data → RST	Timeout, misbehavior, or mismatch

Bitmask Breakdown

Below is a simplified interpretation of how Wireshark defines the TCP Conversation Completeness bitmask:

Decimal	Binary	Meaning	Typical Interpretation
`1`	`000001`	SYN seen	Connection attempt initiated
`3`	`000011`	SYN + SYN-ACK	Two sides initiated handshake
`7`	`000111`	SYN + SYN-ACK + ACK	Full 3-way handshake observed
`15`	`001111`	Handshake + data transfer	Established connection with data
`31`	`011111`	Handshake + data + FIN	Normal close seen (4-way termination)
`63`	`111111`	Handshake + data + FIN + RST	Connection established, data sent, and reset seen

You can view this value in Wireshark using:

Frame → Expand “Transmission Control Protocol” → Field: tcp.completeness

Or create a column by right-clicking and selecting “Apply as Column”.

Important Clarification: This Is a Wireshark Construct

“TCP Conversation Completeness” is not defined in any TCP RFC or OSI layer standard.

It’s a Wireshark-level convenience metric designed to help analysts quickly summarize what parts of the TCP lifecycle were seen in the capture — nothing more.

That means it’s entirely capture-dependent, not network-absolute.

Why It Changes with Incomplete or Asymmetric Captures

If your packet trace is incomplete — due to asymmetric capture, packet drops, or the trace starting/stopping midway — Wireshark’s completeness analysis will change.

Let’s look at some examples:

Example 1: Partial Handshake

If you start the capture after the client has already sent the SYN, Wireshark will only see:

SYN, ACK → ACK

The completeness score will not include the original SYN, so it may show as 3 (incomplete handshake), even though the real network connection is already established.

Example 2: Missing FIN

If you stop the capture before the connection gracefully closes, Wireshark won’t see the FIN packets. The completeness will remain at 15 (handshake + data), even if the TCP connection properly closed afterward.

Example 3: One-Way Capture (Asymmetric Routing)

If your capture is on only one side of the network path (e.g., on the client), you might only see:

SYN → SYN, ACK (missing)

Wireshark can’t infer that the other side replied — so it’ll report a very low completeness, even though the server did respond in reality.

How to Interpret It Correctly

Think of TCP Conversation Completeness as a summary of what Wireshark observed, not a verdict on whether the TCP session succeeded.

Here’s a practical interpretation table:

Completeness	Meaning (in Wireshark)	What It Might Indicate
`1` or `3`	SYN or SYN+ACK only	Connection attempt, no response
`7`	Full handshake, no data	Idle TCP connection
`15`	Handshake + data	Normal session, may be truncated
`31`	Handshake + data + FIN	Graceful closure (4-way handshake complete)
`63`	Includes RST	Connection terminated abruptly

So if you see a 15, it might mean:

Normal session without closure, or
Capture stopped before FIN was sent, or
Server or client didn’t follow graceful termination.

To tell which one applies, inspect the trace context — timestamps, packet directions, and sequence numbers.

Practical Tips for Accurate Completeness Analysis

Tip	Why It Matters
Capture both directions (bi-directional)	Avoid missing SYN/ACK or FIN/ACK packets
Start capture before the SYN	Ensures handshake is included
End capture after FIN/RST	Captures full closure
Avoid SPAN oversubscription	Prevents packet drops
Verify with sequence numbers	Detect missing data beyond completeness bitmask
Use tcp.analysis.flags	To correlate retransmissions, dup ACKs, etc.

Combining Completeness with Application Context

While completeness gives a structural view of the TCP session, pairing it with application-layer visibility (e.g., HTTP, TLS, or custom payloads) helps you understand:

Was data actually exchanged after handshake?
Did the application issue proper FIN?
Did the server or client abort the session?

For example:

tcp.completeness = 31 with HTTP 200 OK → successful web transaction.
tcp.completeness = 63 with TLS Alert: Close Notify → clean TLS closure.
tcp.completeness = 15 with RST at end → likely timeout or forced disconnect.

Limitations and Common Misinterpretations

Misconception	Reality
“Completeness 63 means fully successful connection.”	Not necessarily — it only means all flag types were seen. The session may have ended in RST.
“Low completeness = network failure.”	Could simply be partial capture or unidirectional sniffing.
“It’s part of TCP standard.”	No — it’s internal to Wireshark’s analysis engine.
“You can use completeness to measure success rate.”	Only valid if captures are full and symmetric.

Example Wireshark Display

You can display the completeness column by:

Right-clicking on any TCP packet → Protocol Preferences → Apply as Column.
Adding a custom column with field name: tcp.completeness
Optionally add color filters:

tcp.completeness < 7 → Red (incomplete handshakes)
tcp.completeness >= 15 → Green (active connections)
tcp.completeness >= 31 → Blue (gracefully closed)

Key Takeaways

TCP Conversation Completeness is Wireshark-defined, not TCP-standardized.
It indicates what Wireshark has seen, not what truly happened end-to-end.
It’s most useful when captures are full, symmetric, and continuous.
For meaningful analysis, correlate with timestamps, sequence numbers, and application logs.

📐 Formula: TCP Conversation Completeness

Wireshark’s tcp.completeness field quantifies the health of each TCP conversation using a bitmask formula.

This numerical code describes which TCP events (SYN, ACK, DATA, FIN, RST) were seen in the capture — allowing analysts to instantly classify whether a connection was complete, partial, or aborted.

🧮 The TCP Completeness Bitmask

Each observed TCP event contributes a bit value:

Bit	Name	Field Name	Meaning	String Representation
1	SYN	`tcp.completeness.syn`	SYN packet seen (client initiated connection)	S
2	SYN-ACK	`tcp.completeness.syn-ack`	SYN-ACK seen (server responded)	SA
4	ACK	`tcp.completeness.ack`	ACK seen (client completed handshake)	A
8	DATA	`tcp.completeness.data`	Application data exchanged	D
16	FIN	`tcp.completeness.fin`	Graceful closure attempt	F
32	RST	`tcp.completeness.rst`	Abrupt termination/reset	R

The bitmask sum of these values represents the “conversation signature.” For instance,

63 (1+2+4+8+16+32) → SYN + SYN-ACK + ACK + DATA + FIN + RST → Ideal complete connection

Main Category	Subcode (Bitmask N)	Subtype Description	Meaning
🔴 Incomplete	2	SYN or mid-flow only	Partial connection, handshake not completed
	5 (1 + 4)	SYN + ACK seen, missing ACK or RST	Often blocked or interrupted after handshake
	13 (1 + 4 + 8)	Early close after SYN + ACK + ACK	Connection closed immediately after handshake, likely no app activity
	35 (1 + 2 + 32)	Handshake + data, no closure	Data exchanged but connection was cut mid-way
	37 (5 + 32)	Multiple data packets, no closure	Multiple payloads exchanged, then dropped
	38 (1 + 2 + 4 + 32)	SYN + SYN-ACK + ACK + minimal data, drop	Very short data exchange, abruptly interrupted
	59 (3 + 8 + 16 + 32)	Long flow, unusual closure	Extended exchange but closed in a non-standard or abrupt manner
	62 (2 + 4 + 8 + 16 + 32)	Data + no FIN or RST	Payload sent, but no TCP closure observed
🟠 Incomplete, SYN_SENT	1	SYN seen only	Client sent SYN, no server reply
🟠 Incomplete, CLIENT_ESTABLISHED	3 (1+2)	SYN + SYN-ACK only	Server replied to SYN, client ACK not seen
🟠 Incomplete, ESTABLISHED	7 (1 + 2 + 4)	Full handshake, no data	Connection established, but no traffic exchanged
🟠 Incomplete, DATA	15 (1 + 2 + 4 + 8)	Handshake + some data, no closure	Abrupt interruption after data start
	35 (1 + 2 + 32)	Extended version of above	Same as 15 but more data packets
	37 (1 + 4 + 32)	Repeated mid-stream drops	Slightly longer flows with no closure
🔥 Reset Immediately	17 (1 + 16)	SYN followed by RST	Server forcefully rejected connection
⏱️ Late SYN-ACK	33 (1 + 32)	SYN + SYN-ACK only, delayed ACK	Likely network latency or asymmetric capture
⚪ Complete, NO_DATA	7 (1 + 2 + 4)	Full handshake, no data	Connection opened, no payload sent
	23 (7 + 16)	Full handshake + FIN	Graceful close without application data
	55 (7 + 16 + 32)	Handshake + no payload + RST/FIN	Connection established but closed without sending any data
🟢 Complete, WITH_DATA	31(1 + 2 + 4 + 8 + 16)	Data + one-sided FIN	Clean on one side, the other didn't close
	47(1 + 2 + 4 + 8 + 16 + 16)	Data + RST (Reset)	Connection closed abruptly after data
	63(1 + 2 + 4 + 8 + 16 + 32)	Ideal connection	Handshake, data exchange, and proper closure (FIN/FIN-ACK)
⚠️ Duplicate Conversations	Varies	Tool-specific overlaps	Multiple rows for the same connection due to parsing

Interpreting the Bitmask Formula

General Rule:

TCP_COMPLETENESS = SYN(1) + SYN-ACK(2) + ACK(4) + DATA(8) + FIN(16) + RST(32)

Wireshark displays this as:

tcp.completeness == <numeric_value>
tcp.completeness.str == <symbolic_string>

Example Filters:

Goal	Filter
Show only complete TCP sessions	`tcp.completeness == 63`
Show incomplete or reset sessions	`tcp.completeness < 63`
Show connections without data	`tcp.completeness == 7 or tcp.completeness == 23`
Show abrupt resets	`tcp.completeness & 32`

📊 Practical Use in Wireshark

Go to Statistics → Conversations → TCP
Add the “TCP completeness” column (if not visible)

Each flow will show:
Numeric bitmask (tcp.completeness)
Symbolic representation (tcp.completeness.str)

Example:

Sort by completeness to instantly find failed or truncated sessions.

🧠 Why This Matters for Engineers

The tcp.completeness metric is effectively a conversation fingerprint.
It allows you to:

Rapidly distinguish between graceful, reset, and half-open sessions
Correlate packet traces with app-layer behavior
Quantify TCP health (e.g., “98.9% of TCP sessions reached completeness = 63”)
Detect capture gaps, asymmetric routing, or device-level aborts

Value	Pattern	Meaning
1 (S)	SYN only	Client attempted, no response
7 (S A A)	Full handshake, idle	Connection opened, no data
15 (S A A D)	Handshake + data, incomplete close	Abrupt stop
31 (S A A D F)	Clean on one side	Server/client missing final FIN
63 (S A A D F R)	Full, ideal flow	Handshake + data + proper closure

🧷 Summary

TCP Conversation Completeness Formula = the DNA of a TCP flow.
Each bit tells part of the story — who spoke first, who replied, who sent data, who closed properly, and who dropped abruptly.

When combined with packet-level validation practices, it transforms Wireshark from a diagnostic tool into a quantitative network quality meter.

Best Practices: Packet-Level Validation for Connectivity Changes

To ensure stable and predictable network behavior across all environments, packet-level validation should be integrated into the development, testing, and release lifecycle.

Modern distributed systems rely heavily on healthy TCP/IP connectivity between devices, servers, and services. While application-level transactions may appear “successful,” the underlying network behavior often tells a different story. Subtle issues such as retransmissions, half-closed sockets, or TLS handshake failures can degrade reliability and user experience — even when responses seem fine.

To ensure reliable, predictable, and secure communication, every new device, hardware series, or integration change should undergo packet-level validation as a mandatory best practice during development, testing, and release phases.

Establish a uniform and proactive approach to detect and prevent connectivity issues caused by device, network, or code-level changes.

Why Packet-Level Validation Matters

Transaction approval does not always mean the communication was healthy beneath.
Hidden issues such as retransmissions, duplicate ACKs, or forced TCP resets may signal instability or misconfiguration at the OS, network, or application layer.

Routine packet validation helps detect:

Latency spikes and flow control bottlenecks
Abnormal connection termination (RST or half-close)
TLS/SSL handshake or certificate issues
Network-level loss or reordering

This approach must be applied for both inbound and outbound traffic — ensuring every client-server interaction is genuinely healthy.

1. Mandatory Guidelines for All Releases and Post-Code Changes

All teams are requested to circulate this guidance within their groups and integrate packet-level verification into their development, QA, and release workflows.
This applies to all components — Instore, Host, Infra, and Network.

2. Integrate Short Wireshark Traces in Development/Testing

For any new device, hardware series, or connectivity logic change, capture 2–3 minute Wireshark traces during functional tests.
Validate key behaviors:

TCP lifecycle and conversation completeness
Layer 4 and Layer 7 integrity (retransmissions, duplicate ACKs, Zero Window events)
TLS handshake and HTTP response correctness

3. Include Trace Analysis in Deliverables

Each release should include a 1–2 slide summary or small table highlighting:

Processing times within acceptable thresholds
Any negative/problematic events found in traces
Notes on graceful vs. forceful connection closure

Include this as part of the product delivery checklist.

4. Routine Post-Change Checks

Make trace validation a mandatory step after:

Connectivity-related code changes
Device or network upgrades (router, firewall, load balancer, MPLS/VPN setup)

Recently, a similar exercise has been conducted for all MPLS/VPN clients in coordination with the network team. However, this validation should ideally occur during initial onboarding itself.

5. Continuous Validation for New and Existing Clients

Network or infrastructure changes can directly affect connection lifecycle events. Hence:

Regularly perform trace health checks for both new and existing clients.
Ensure collaboration across product engineering, QA, Infra, and network teams for early detection and prevention of anomalies.

Verify Problematic Network Events

Capture short packet traces (2–3 minutes) during development or functional testing.
Identify and validate all negative/problematic events, including:

TCP: Retransmissions, Fast/Spurious Retransmissions, Duplicate ACKs, Out-of-Order segments, Zero Window / Zero Window Probe / Probe ACK, FIN+RST overlaps, SYN Flood patterns, Previous Segment Not Captured.
TLS/SSL: Fatal or Warning alerts, Handshake failures, Expired/Bad Certificates, Unknown CA.
HTTP: 4xx/5xx error codes (Bad Request, Unauthorized, Forbidden, Not Found, Internal Server Error, Service Unavailable).
ICMP/IP: Destination Unreachable, Time Exceeded, Fragmentation or Duplicate packets.

1️⃣ TCP Layer Issues

Flag / Event	Description	Potential Cause	Severity
RST (Reset)	Unexpected connection termination	Server not listening, firewall drop, abrupt app termination	🔴 Error
TCP Retransmission	Packet resent due to missing ACK	Packet loss, network congestion, faulty hardware	🔴 Error
TCP Fast Retransmission	Retransmit triggered by 3+ duplicate ACKs	Consistent packet loss, network jitter	🟠 Warning
TCP Spurious Retransmission	Packet retransmitted even though original delivered	Network jitter, latency spikes, overly aggressive retransmission timer	🟠 Warning
TCP Duplicate ACK	Receiver repeats ACK for same sequence	Missing packet(s), precursor to retransmission	🟠 Warning
TCP Out-of-Order	Segment arrived outside expected sequence	Reordering due to congestion, multipath routing	🟠 Warning
TCP Zero Window / Probe	Receiver cannot accept more data; probe checks buffer	Receiver overwhelmed (CPU, disk, or slow application)	🟠 Warning
TCP Zero Window Probe ACK	Receiver ACKs probe but window still zero	Receiver buffer still blocked	🟠 Warning
TCP Window Full	Sender cannot send more data due to receiver buffer	Flow control bottleneck, slow receiver processing	🟠 Warning
TCP Previous Segment Not Captured	Gap in sequence numbers detected in capture	Capture device overload, asymmetric routing, missing packets	🟠 Warning
FIN + RST overlap	Abnormal connection closure	Forced termination by application or error	🔴 Error
SYN Flood pattern	Many SYN packets with no ACKs	Denial-of-Service attack or port scanning	🔴 Error

2️⃣ TLS / SSL Layer Issues

Event / Alert	Description	Potential Cause	Severity
Fatal Alert	Connection terminated due to serious TLS error	Bad MAC, handshake failure, unsupported parameters	🔴 Error
Warning Alert	Non-fatal TLS error, connection may continue	Weak/deprecated cipher, invalid certificate	🟠 Warning
Handshake Failure	Client and server could not agree on security parameters	Cipher mismatch, TLS version mismatch, invalid certificate	🔴 Error
Expired Certificate	Certificate validity ended	Mismanagement of certificate, insecure server	🔴 Error
Bad Certificate / Unknown CA	Certificate could not be verified	Missing trust chain, self-signed certificate	🔴 Error

3️⃣ HTTP Layer Issues

Status / Event	Description	Potential Cause	Severity
HTTP 400 Bad Request	Invalid request syntax or parameters	Malformed client request	🟠 Warning
HTTP 401 Unauthorized	Authentication required	Missing/invalid credentials	🟠 Warning
HTTP 403 Forbidden	Server refuses request	Insufficient permissions, IP blocking	🟠 Warning
HTTP 404 Not Found	Resource not found	Incorrect URL, resource moved/deleted	🟠 Warning
HTTP 500 Internal Server Error	Server-side error	Server misconfiguration, application crash	🔴 Error
HTTP 503 Service Unavailable	Server overloaded or under maintenance	Server overload, maintenance mode	🔴 Error

4️⃣ ICMP / IP Layer Issues

Event / Flag	Description	Potential Cause	Severity
ICMP Destination Unreachable	Host/network/port unreachable	Firewall block, closed port, routing issue	🟠 Warning
ICMP Time Exceeded	TTL expired in transit	Routing loop, excessively long path	🟠 Warning
IP Fragmentation Issues	Packets fragmented and reassembled incorrectly	MTU mismatch, large UDP packets	🟠 Warning
IP Duplicates	Duplicate IP packets received	Network loop, retransmission at lower layer, misconfiguration	🟠 Warning

Validate TCP Lifecycle Compliance

Ensure connections follow proper TCP handshake and teardown sequences.
Verify full-way connection closure (graceful FIN/ACK) rather than half-closed or forceful RST terminations.
Monitor retransmissions, duplicate ACKs, and out-of-order packets — these indicate network or application issues, even if the transaction completes successfully.

Connections should follow the complete 3-way handshake and graceful 4-way termination.

✅ Healthy Connection

SYN → SYN-ACK → ACK (established)
FIN → ACK → FIN → ACK (graceful close)

❌ Unhealthy Connection

Sudden RST without FIN
Half-close (client/server not acknowledging termination)
Frequent retransmissions or missing ACKs

Even if a request processing completes, repeated retransmissions or duplicate ACKs point to instability that should be investigated.

Performance and Response Validation

Verify response times are within acceptable boundaries for both inbound and outbound traffic. Monitor buffer conditions, window sizes, and flow control anomalies to ensure stable and predictable operation.

Confirm transaction response times are within acceptable limits.
Check window sizes and flow control behavior.
Validate consistent round-trip times without spikes or delayed ACKs.
Investigate buffer stalls or persistent zero windows.

A successful transaction should also be efficient, not just correct.

Integrate Validation into Development and Delivery

To operationalize these checks, I suggest the following best-practice approach:

Integrate Short Wireshark Traces in Development/Testing

For any new device, hardware series, or connectivity logic changes, capture 2–3 minute traces during functional tests.
Validate TCP lifecycle, Layer 4 and Layer 7 behavior, retransmissions, duplicate ACKs, Zero Window events, and TLS/HTTP errors.

Include Trace Analysis in Deliverables

Create a simple summary (1–2 slides or a small table) for each release highlighting:

Transaction times within acceptable boundaries
Any negative/problematic events detected in traces
Notes on graceful vs. forceful connection closure

Include this summary as part of the product delivery checklist.

Standardize Routine Post-Change Checks

Make this a mandatory step for all connectivity-related releases, ensuring both product engineering and QA teams review traces before production rollout.
This ensures early detection of network or application-level issues without relying solely on support or production monitoring.

Summary Checklist

Step	Objective	Owner
Capture short packet traces	Validate TCP/TLS/HTTP flow health	Dev / QA
Review for negative events	Detect retransmissions, RSTs, alerts	Dev / Infra
Validate TCP lifecycle	Ensure graceful open/close	QA / Infra
Include trace summary in release docs	Deliver visibility and accountability	Product / QA
Perform post-release checks	Confirm stability after go-live	Network / Infra

Make it part of the product delivery checklist and a mandatory post-change verification step. Adhering to these practices ensures early detection of network or application issues, reduces wasted triage effort, and establishes repeatable engineering standards. All teams are requested to circulate this guidance within their groups and integrate packet-level validation into development, testing, and release workflows.

Saturday, October 4, 2025

Understanding TCP Flags: The Control Bits of TCP Connections

Transmission Control Protocol (TCP) is one of the pillars of internet communication. It ensures reliable, ordered, and error-checked delivery of data between systems. Behind the scenes, TCP relies on flags — small control bits in the TCP header — to manage the lifecycle and flow of a connection.

These TCP flags signal events such as connection setup, acknowledgment of data, or termination of a session. Without them, the reliable communication we take for granted wouldn’t be possible.

TCP flags may only be single bits in a header, but they play a critical role in how the internet functions. From establishing connections to managing congestion and closing sessions, these control bits define the entire TCP lifecycle.

Whether you’re analyzing network packets with Wireshark, troubleshooting a connection issue, or just curious about how the internet really works — understanding TCP flags is essential.

The TCP header contains several one-bit boolean fields known as flags used to influence the flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification, there are six TCP control flags. Four of these (SYN, FIN, ACK, RST) are used to control the establishment, maintenance, and tear-down of a TCP connection.

Acronym	Name	Meaning
SYN	Synchronization	Used to create a TCP connection (Initiates a connection)
ACK	Acknowledgment	Used to acknowledge the reception of data or synchronization packets
PSH	Push	Instruct the network stacks to Bypass the buffering(MSS size) I,e Asks to push the entire buffered data to receiving application immediately
URG	Urgent	Indicates out-of-band data that must be processed by the network stacks before normal data I, Bypass the queue
FIN	Finish	Gracefully terminate the TCP connection
RST	Reset	Immediately terminate the connection and drop any in-transit data

What Are TCP Flags?

Each TCP packet has a header that contains several fields, including flags (control bits). These flags are 1-bit markers that indicate how a packet should be interpreted. By setting or clearing these bits, devices coordinate connection states, error recovery, and data transfer behaviors.

The 6-bit Flags field is used to relay control information between TCP peers. The possible flags include SYN, FIN, RESET, PUSH, URG, and ACK.

URG: Urgent pointer is valid

ACK: Acknowledgement Number is valid
PSH: PUSH Flag
RST: Reset the connection
SYN: Synchronize sequence numbers
FIN: Sender is finished with sending

The SYN and FIN flags are used when establishing and terminating a TCP connection, respectively.
The ACK flag is set any time the Acknowledgement field is valid, implying that the receiver should pay attention to it.
The URG flag signifies that this segment contains urgent data. When this flag is set, the UrgPtr field indicates where the non-urgent data contained in this segment begins. The following bytes contains an utgent message in the range: (SeqNo <= urgent message <= SeqNo+urgent pointer)
The PUSH flag signifies that the sender invoked the push operation, which indicates to the receiving side of TCP that it should notify the receiving process of this fact. Normally set by sender when the sender’s buffer is empty
Finally, the RESET flag signifies that the receiver has become confused and so wants to abort the connection.

Synchronization (SYN) – It is used in first step of connection establishment phase or 3-way handshake process between the two hosts. Only the first packet from sender as well as receiver should have this flag set. This is used for synchronizing sequence number i.e. to tell the other end which sequence number they should accept. During the 3-way handshake we are able to count a total of 2 SYN flags transmitted, one by each host.

Purpose: Initiates a TCP connection.
Usage: Part of the three-way handshake (SYN → SYN-ACK → ACK).
Example: When your browser connects to a web server, it first sends a SYN packet.
Wireshark View : tcp.flags.syn == 1 && tcp.flags.ack == 0

Acknowledgement (ACK) – It is used to acknowledge packets which are successful received by the host. The flag is set if the acknowledgement number field contains a valid acknowledgement number.

Purpose: Confirms receipt of data.
Usage: Present in almost all TCP segments after the connection is established.
Example: If Host A sends data, Host B responds with an ACK to confirm successful receipt.

After the connection is established, data is sent and acknowledged by both sides. Each peer in the connection maintains a couple of counters:

The sequence counter, which counts the number of bytes sent
The acknowledgment counter, which counts the number of bytes received

The following sequence diagram illustrates how this works:

The number of bytes that have been sent but not acknowledged yet is called the “TCP window.” There are actually two TCP windows, one for each peer in the TCP connection. In the diagram above, the TCP window before the right side’s last packet is 90 bytes. The size of TCP windows is limited to 65,535 bytes in the original TCP specification, but this can be increased through TCP extensions.

A packet with the ACK flag set is used to acknowledge the bytes received by a peer. It is used in combination with the acknowledgment counter to inform the other peer of the last bytes received. This information is then used to determine whether some packets have been lost, in which case the sending peer will retransmit the lost packets.

Finish (FIN) - Graceful termination

It is used to request for connection termination i.e. when there is no more data from the sender, it requests for connection termination. This is the last packet sent by sender. It frees the reserved resources and gracefully terminates the connection.

One peer of the TCP connection can signal to the other that it wants to terminate the connection by sending a packet with a FIN flag. The other side then acknowledges that by sending a packet with both the FIN and ACK flags set and can then proceed to terminate its side of the connection. This four-way handshake is illustrated in the diagram below:

When the connection is terminated, any buffered or in-transit data will still be processed. In fact, any peer that didn’t send a FIN packet is still allowed to send data. This is rare in practice, as a higher-level protocol (HTTP, for example) usually has its own mechanism to signal that the connection is ending and that no more data needs to be sent by either side.

Purpose: Gracefully ends a connection.
Usage: Used when one side has no more data to send.
Example: After a file transfer is complete, the sender transmits a FIN flag to signal termination.
Wireshark View : tcp.flags.fin == 1

Reset (RST) – Aborting a connection

Either side of the TCP connection can decide to abort the connection. This is done when the peer in question believes the connection should not exist for some reason. In such a case, one peer sends a packet with the RST flag set. The other peer, upon reception of the RST packet, must immediately stop sending any data.

When a connection is aborted in such a way, data in transit and buffered data is lost. So there is the potential for data loss, but this shouldn’t be a problem if this connection wasn’t valid to start with. RST packets are rare in real life and are probably used more for nefarious purposes than legitimate ones.

It is used to terminate the connection if the RST sender feels something is wrong with the TCP connection or that the conversation should not exist. It can get send from receiver side when packet is send to particular host that was not expecting it.

Purpose: Immediately terminates a connection.
Usage: Used when something goes wrong (e.g., data sent to a closed port).
Example: If you send data to a port where no service is listening, the host replies with an RST.
Wireshark View : tcp.flags.reset == 1

Aspect	FIN (Finish)	RST (Reset)
Connection Termination	Graceful	Abortion
Termination Process	Uses a 4-way handshake (FIN → ACK, FIN → ACK)	Immediately closes the connection without handshake
Buffered Data	No data loss – remaining data is transmitted before closing	Data is discarded/dropped – in-flight data may be lost
Typical Usage	Normal TCP connection closure (e.g., after HTTP response, file transfer, email delivery)	Errors, invalid packets, closed ports, attacks, or out-of-ordinary connection events
Behavior	Signals: “I’m done sending, but I’ll still receive until you’re done.”	Signals: “Stop right now, something’s wrong.”
Impact on Applications	Application sees a clean end-of-stream (EOF)	Application may see an abrupt error or timeout
Wireshark Filter	tcp.flags.fin == 1	tcp.flags.reset == 1
Example	After downloading a file, the server sends a FIN to close politely	Connecting to port 81 on a server with no service listening results in an RST

Push (PSH) – Bypass Sending/Receiving Buffer Size(MSS) For Pushed Data

The PSH flags instruct the operating system to send (for the sending side) and receive (for the receiving side) the data immediately. In other words, this flag instructs the operating system’s network stack to send/receive the entire content of its buffers immediately without waiting for the buffer (MSS) to become full on both sender and receiver end.

TCP operates at layer four of the OSI model; it presents to upper layers a simple socket which can be read from and written to, masking the complexities of packet-based communications. To allow applications to read from and write to this socket at any time, buffers are implemented on both sides of a TCP connection in both directions.

When an application layer sends the data, it is temporarily queued in the TCP buffer, a special area in the memory, until the segment has reached a certain size (called MSS). So if we send a character it won't send it immediately but Transport layer by default waits for some time for application layer to send enough data equal to maximum segment size (MSS) and is then sent to the receiver so that the number of packets transmitted on network minimizes. When the segment arrives at the receiving end, it is placed in the TCP incoming buffer before it is passed onto the application layer. The data queued in the incoming buffer will remain there until the other segments arrive and, once this is complete, the data is passed to the application layer that's waiting for it.

The purpose of the PSH bit is to tell TCP that do not wait for the buffer to become full and send the segment immediately to network layer as soon as it receives signal from application layer. Similarly when the receiver receives the segment with PSH flag set, should forward the data immediately to the application layer without waiting for the receive buffer to become full.

This design guarantees that the data transfer is as efficient as possible, without waisting time and bandwidth by creating multiple segments, but combining them into one or more larger ones.It is not desirable by some application like interactive applications (chatting) I,e when we want data to go straight on the wire without any waiting time then there the PUSH function comes in. If we PUSH data then the TCP will immediately create a segment (or a few segments) and push them. But the story doesn't stop here. When the peer TCP receives the data, it will naturally buffer them it won't disturb the application for each and every byte. Here's where the PSH flag kicks in. If a receiving TCP sees the PSH flag it will immediately push the data to the application.

The practical example of this is the telnet application where the application sends data in the form of few keystrokes. The telnet will become unusable if it waits for the buffer to become full and then transits the data to the receiver. One more example is real player, where data must be sent and processed (by the receiver) immediately to ensure a smooth stream without any cut offs.

There's no API to set the PSH flag. Typically it is set by the kernel when it empties the buffer I,e the buffer used at sender side has been emptied in conjunction with sending the packet. This particular flag is used quite frequently at the beginning and end of a data transfer, affecting the way the data is handled at both ends. When the packet with the PSH bit field set left the sender, the sender had no more data to send.

The socket that TCP makes available at the session level can be written to by the application with the option of "pushing" data out immediately, rather than waiting for additional data to enter the buffer. When this happens, the PSH flag in the outgoing TCP packet is set to 1 (on). Upon receiving a packet with the PSH flag set, the other side of the connection knows to immediately forward the segment up to the application. To summarize, TCP's push capability accomplishes two things:

The sending application informs TCP that data should be sent immediately.
The PSH flag in the TCP header informs the receiving host that the data should be pushed up to the receiving application immediately.

Purpose: Instructs the receiver to deliver data to the application immediately.
Usage: Ensures no unnecessary buffering delays.
Example: Used in interactive applications like SSH or Telnet, where keystrokes must appear instantly.
Wireshark View: tcp.flags.push == 1

Urgent (URG) – Bypass Sending/Receiving Queue For Urgent Data

This flag is used to identify incoming data as 'urgent'. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately.

An Urgent Pointer could be used during a stream of data transfer where a host is sending data to an application running on a remote machine. If a problem appears, the host machine needs to abort the data transfer and stop the data processing on the other end. Under normal circumstances, the abort signal will be sent and queued at the remote machine until all previously sent data is processed, however, in this case, we need the abort signal to be processed immediately.

By setting the abort signal's segment Urgent Pointer flag to '1', the remote machine will not wait till all queued data is processed and then execute the abort. Instead, it will give that specific segment priority, processing it immediately and stopping all further data processing.

Real-life example:

At your local post office, hundreds of trucks are unloading bags of letters from all over the world. Because the amount of trucks entering the post office building are abundant, they line up one behind the other, waiting for their turn to unload their bags. As a result, the queue ends up being quite long. However, a truck with a big red flag suddenly joins the queue and the security officer, whose job it is to make sure no truck skips the queue, sees the red flag and knows it's carrying very important letters that need to get to their destination urgently. By following the normal procedures, the security officer signals to the truck to skip the queue and go all the way up to the front, giving it priority over the other the trucks. In this example, the trucks represent the segments that arrive at their destination and are queued in the buffer waiting to be processed, while the truck with the red flag is the segment with the Urgent Pointer flag set.

Data inside a segment with URG = 1 flag is forwarded to application layer immediately even if there are more data to be given to application layer. It is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received.

The URG bit, if set prioritizes the data, meaning thereby instead of waiting for the entire byte stream to be transmitted which is ahead of the "Urgent" data, the urgent data will be sent on urgent basis and will not wait for the entire byte stream to be transmitted which is ahead of it. When the URG bit is set the Urgent Pointer is also set (in the TCP header Options field: 16 bit). The URG pointer tells how many bytes of the data is urgent in the segment that has arrived. (Example if the data size is 100 bytes and only first 50 bytes is urgent, the urgent pointer will have a value of 50). When you send urgent data, your TCP creates a special segment in which it sets the URG flag and also the urgent pointer field. This causes the receiving TCP to forward the urgent data on a separate channel to the application (for instance on Unix your process gets a SIGURG). This allows the application to process the data out of band¹.

The URG flag is used to inform a receiving station that certain data within a segment is urgent and should be prioritized. If the URG flag is set, the receiving station evaluates the urgent pointer, a 16-bit field in the TCP header. This pointer indicates how much of the data in the segment, counting from the first byte, is urgent.

The URG flag is used to signal “urgent” data that should be prioritized over non-urgent data. This is used to send so-called “out-of-band data,” which is treated in a special way by the operating system and usually signals some kind of exception in the application protocol. Note that in practice, this feature of TCP is seldom used.

public void sendUrgentData(int data) throws IOException

public void setOOBInline(boolean on) throws SocketException

public boolean getOOBInline() throws SocketException

Purpose: Marks data as urgent, requiring priority processing.
Usage: Works with the Urgent Pointer field to highlight critical data.
Example: Rarely used today, but was historically important for signaling interrupts.

Difference between PUSH and URG

Suppose the receiving buffer has already some data to be processed by the application. A segment with the PSH flag set to 1 is sent now. The sending buffer will not wait to be filled, instead, it will immediately push the entire data of its buffers into the wire. Now, this data will queue up behind the already non-processed data in the receiving buffer. After the previous data is processed then only the data with PSH=1 can be forwarded to the application on receiver end.

When URG is set, the data can be immediately forwarded to the application ignoring the already existent data in the receiving buffer. In other words, URG=1 violates the FIFO structure.

The major difference between PSH=1 and URG=1 is that the former follows the ordering of the data in the receiving buffer whereas the latter doesn't and that's why the name is URG i.e. to send urgent data.

PSH flag will carry the buffer memory size, where the URG flag will carry the address of that memory. PSH flag will help the packet transmission little bit faster. URG flag is only used for when any urgently required packet is send to the destination or server.

PSH	URG
All data in buffer to be pushed to NL(sender)/AL(receiver)	Only the urgent data to be given to AL immediately
Data is delivered in sequence I,e follows the ordering of the data in the receiving buffer.	Data is delivered out of sequence I,e ignoring the already existent data in the receiving buffer
PSH=1 follows the FIFO structure.	URG=1 violates the FIFO structure.
It Bypass the buffer size I,e not wait until buffer to get full of MSS size on sender and receiver end. Sender will send entire buffered content immediately and receiver also forward entire buffer content immediately. But this data will queue up behind the already non-processed data in the receiving buffer. After the previous data is processed from buffer then only the data with PSH=1 can be forwarded to the application on receiver end.	It Bypass the Queue in order to send and receive urgent data. This causes the receiving TCP to forward the urgent data on a separate channel to the application.
No separate channel will get created on receiving TCP to forward the buffered data to application.	A Separate channel will get created to forward urgent data from buffered data to application.

ECE (ECN Echo) and CWR (Congestion Window Reduced)

Purpose: Handle congestion control with Explicit Congestion Notification (ECN).
Usage:

ECE: Signals that congestion was experienced.
CWR: Sent by the sender to acknowledge that it reduced its congestion window.

Example: Helps prevent packet drops by adapting transmission rates under heavy traffic.
Wireshark View : tcp.flags.ecn == 1

Putting It All Together: A Typical TCP Lifecycle

Connection Establishment (3-Way Handshake):

SYN → SYN-ACK → ACK

Data Transfer:

ACK confirms delivery
PSH ensures real-time transmission when required

Congestion Handling:

ECE and CWR help balance traffic load

Connection Termination:

Graceful shutdown with FIN
Abrupt termination with RST

TCP Flags Quick Reference Table with examples included:

Flag	Full Form	Purpose	Typical Use Case	Example
SYN	Synchronize	Initiates a connection	Connection handshake	When you open a browser and visit https://example.com, your system sends a SYN packet to the server.
ACK	Acknowledgment	Confirms receipt of data	Data acknowledgment	After receiving a web page chunk, your computer sends an ACK back to the server.
FIN	Finish	Gracefully closes a connection	End of data transfer	After a file download completes, the client sends a FIN to indicate no more data will be sent.
RST	Reset	Abruptly ends connection	Error / closed port	If you connect to port 81 on a server where no service is listening, it replies with an RST.
PSH	Push	Deliver data immediately to application	Interactive sessions	In SSH, when you press a key, a PSH ensures the keystroke is sent to the remote host without delay.
URG	Urgent	Prioritize urgent data	Legacy signals	Telnet once used URG to send interrupt commands (Ctrl+C) immediately.
ECE	ECN Echo	Reports congestion	ECN-enabled networks	A router experiencing congestion sets ECN, and the receiver returns an ECE flag to notify the sender.
CWR	Congestion Window Reduced	Acknowledges congestion handling	ECN acknowledgment	After receiving ECE, the sender reduces its window and marks the next packet with CWR.

Difference Between PSH and URG Flags

Aspect	PSH (Push)	URG (Urgent)
Purpose	Ensures data is delivered immediately to the application (no waiting for buffer fill).	Marks part of the data stream as urgent, using the Urgent Pointer field.
Scope	Affects all data in the segment – tells the receiver to push buffered data up.	Applies only to a portion of the data marked as urgent.
Use Case	Interactive or real-time applications (e.g., SSH, Telnet, chat).	Sending interrupt or control signals (e.g., abort/kill command in Telnet).
Modern Usage	Still relevant in real-time/low-latency communications.	Rarely used today; largely obsolete in modern protocols.
Example	When you press a key in SSH, PSH ensures the keystroke reaches the server immediately.	In legacy Telnet, pressing Ctrl+C would set URG to signal an interrupt.

Difference Between RST and FIN Flags

Aspect	FIN (Finish)	RST (Reset)
Purpose	Gracefully closes a TCP connection.	Abruptly terminates a TCP connection.
Behavior	Tells the peer: “I have finished sending data, but I can still receive.”	Tells the peer: “Something went wrong, stop immediately.”
Connection State	Allows a proper four-way handshake to close the session.	Immediately drops the connection without a handshake.
Use Case	Normal end of a session (e.g., after file transfer or HTTP response).	Error conditions, invalid packets, closed ports, or abnormal termination.
Impact on Data	Ensures all in-flight data is delivered before closing.	Discards any in-flight data — data may be lost.
Example	After downloading a file, the server sends a FIN to close the session cleanly.	If you connect to a closed port on a server, it responds with an RST.
Wireshark Filter	tcp.flags.fin == 1	tcp.flags.reset == 1