Sunday, October 5, 2025

Understanding Wireshark’s TCP Conversation Completeness: What It Really Tells You

Understanding “TCP Conversation Completeness” in Wireshark

A Deep Dive into What It Really Means (and What It Doesn’t)

When analyzing TCP packet captures in Wireshark, you may have noticed a column or field called “TCP Conversation Completeness.” It often shows up as a numerical value — 7, 15, 31, 63, and so on — and many engineers assume it reflects the health of a TCP connection or compliance with RFC 793.

However, that’s not what it is.

TCP Conversation Completeness is a Wireshark-specific analytical feature, not a TCP protocol metric or a network standard. It tells you only what Wireshark observed in the packet trace — not necessarily what happened on the wire end-to-end.

In this article, we’ll break down how Wireshark computes it, what the values mean, how incomplete captures can distort it, and how to correctly interpret it in real-world troubleshooting.

TCP Conversation Completeness” is like Wireshark’s health summary for a TCP connection —
useful for triage, not for truth 

 

This critical TCP-layer metric that can significantly enhance how we validate the health of incoming client connections. The parameter is called “Conversation Completeness”, and while it may sound like a technical jargon, it is a highly effective diagnostic for analyzing connection integrity. This metric helps us categorize TCP conversations into meaningful states, such as: 

🔴 Incomplete: Handshake not completed (e.g., SYN sent but no ACK)
🟠 Partial Data: Handshake succeeded, but data exchange was interrupted
🔥 Reset Immediately: Connections rejected abruptly (RST seen)
⏱️ Late SYN-ACK: SYN and SYN-ACK seen, but final ACK from client is missing(Common under high latency, packet loss, or asymmetric routing issues)
No Data: Clean handshake and closure, but no application data transferred
🟢 With Data: Full connection with data exchanged and properly closed
⚠️ Duplicate Conversations: Multiple flows for the same connection(May indicate monitoring artifacts or NAT reuse)

To assess connection health, we’ve classified traffic into the following TCP health buckets: Healthy TCP % = Sum of all Complete, WITH_DATA codes (31, 47, 63) divided by Total.

🟢 Green (Excellent): ≥ 97.5%, 🟡 Yellow (Good): 90–97.49%, 🟠 Amber (Moderate): 70–89.99%, 🔵 Blue (Below Average): 50–69.99%, 🔴 Red (Poor): < 50%

Observation for Client 6:

  1. TTL = 126: Suggests Windows OS
  2. Window Size = 8192
  3. Window Scale = 8 (resulting in an effective receive window of 2,097,152 bytes)
  4. MSS = 1338
  5. tcp.completeness == 23:
    1. All 1528 connections (initiated every hour) follow the 3-way handshake — SYN → SYN-ACK → ACK — but then terminate immediately with a FIN,ACK without exchanging any application data or TLS handshake.

 

 What Is TCP Conversation Completeness?

TCP Conversation Completeness means that every TCP connection observed in packet capture has a proper beginning, middle, and end according to the TCP finite state machine.

A complete TCP conversation typically consists of:

  • Three-way handshake — SYN → SYN-ACK → ACK
  • Data exchange — One or both directions transmit data packets with PSH or ACK
  • Graceful termination — A full four-way FIN/ACK handshake, ensuring both sides close cleanly

Any deviation — like missing handshakes, abrupt resets, or unacknowledged FINs — indicates incomplete conversation(s). 

TypeDescriptionExample Frames (Wireshark)Remarks
Complete ConversationFull SYN, data exchange, and 4-way FIN/ACK closure observedSYN → SYN-ACK → ACK → [Data] → FIN → ACK → FIN → ACKIdeal, healthy connection
Incomplete (Reset)Connection aborted using RST instead of FINSYN → SYN-ACK → ACK → [Data] → RSTApplication error or abrupt termination
Incomplete (Unidirectional FIN)One side closes, the other doesn’tSYN → SYN-ACK → ACK → [Data] → FIN → ACK (missing other FIN)Peer-side timeout or closure mismatch
Handshake IncompleteSYN sent but never acknowledgedSYN (no SYN-ACK)Port closed, firewall drop, or routing issue
Midstream ResetData exchange occurs, then abrupt RSTSYN → SYN-ACK → ACK → [Data] → RSTCommon during protocol mismatch, timeout, or app crash

 Wireshark tracks the lifecycle of each TCP connection based on the flags it sees during capture:

TCP EventDescription
SYNConnection initiation by client
SYN, ACKServer acknowledgment
ACKFinal step of 3-way handshake
DATAApplication payload transfer
FINGraceful close request
RSTAbrupt termination

Wireshark uses these observed events to compute a bitmask value, stored in the field tcp.completeness.

Each bit in this field corresponds to a stage of the TCP conversation. The combination of bits forms a numeric “completeness score” that Wireshark can display as a value or text label.

📊 Why TCP Completeness Matters

Even when application logs show “Transaction Approved”, incomplete TCP flows can reveal deep network or system issues: 

Impact AreaExample ScenarioHidden Symptom
Load Balancer or FirewallConnection reset due to idle timeoutApp sees random disconnections
Server ConfigurationKeep-alive disabled or FIN ignoredHalf-open sockets pile up
Client BehaviorApp abruptly closes socketsServer stuck in LAST_ACK
TLS HandshakeClient aborts mid-handshakeSSL failure without clear error
Retransmission StormsMSS or window scaling mismatchSpikes in latency or CPU load

 🧠 Anatomy of a Complete vs. Incomplete TCP Conversation

TypeDescriptionCommon Pattern in WiresharkHealth
Complete ConversationFull handshake, bidirectional data, clean 4-way FINSYN → SYN-ACK → ACK → Data → FIN/ACK → FIN/ACKHealthy
Reset TerminationConnection aborted using RSTSYN → SYN-ACK → ACK → Data → RSTApplication crash, firewall reset
⚠️ One-Sided FINOne side closes, peer never repliesSYN → SYN-ACK → ACK → Data → FIN → ACK (no peer FIN)Half-open session
⚠️ Handshake IncompleteNo SYN-ACK receivedSYN onlyPort closed, firewall drop
Midstream ResetReset during data exchangeSYN → SYN-ACK → ACK → Data → RSTTimeout, misbehavior, or mismatch

 

Bitmask Breakdown 

Below is a simplified interpretation of how Wireshark defines the TCP Conversation Completeness bitmask:

DecimalBinaryMeaningTypical Interpretation
1000001SYN seenConnection attempt initiated
3000011SYN + SYN-ACKTwo sides initiated handshake
7000111SYN + SYN-ACK + ACKFull 3-way handshake observed
15001111Handshake + data transferEstablished connection with data
31011111Handshake + data + FINNormal close seen (4-way termination)
63111111Handshake + data + FIN + RSTConnection established, data sent, and reset seen

You can view this value in Wireshark using:

Frame → Expand “Transmission Control Protocol” → Field: tcp.completeness

Or create a column by right-clicking and selecting “Apply as Column”. 

Important Clarification: This Is a Wireshark Construct

“TCP Conversation Completeness” is not defined in any TCP RFC or OSI layer standard.

It’s a Wireshark-level convenience metric designed to help analysts quickly summarize what parts of the TCP lifecycle were seen in the capture — nothing more.

That means it’s entirely capture-dependent, not network-absolute.

Why It Changes with Incomplete or Asymmetric Captures 

If your packet trace is incomplete — due to asymmetric capture, packet drops, or the trace starting/stopping midway — Wireshark’s completeness analysis will change.

Let’s look at some examples:

Example 1: Partial Handshake

If you start the capture after the client has already sent the SYN, Wireshark will only see:

SYN, ACK → ACK

The completeness score will not include the original SYN, so it may show as 3 (incomplete handshake), even though the real network connection is already established.

Example 2: Missing FIN

If you stop the capture before the connection gracefully closes, Wireshark won’t see the FIN packets. The completeness will remain at 15 (handshake + data), even if the TCP connection properly closed afterward.

Example 3: One-Way Capture (Asymmetric Routing)


If your capture is on only one side of the network path (e.g., on the client), you might only see:  

SYN → SYN, ACK (missing)

Wireshark can’t infer that the other side replied — so it’ll report a very low completeness, even though the server did respond in reality.

How to Interpret It Correctly

Think of TCP Conversation Completeness as a summary of what Wireshark observed, not a verdict on whether the TCP session succeeded.

Here’s a practical interpretation table: 

CompletenessMeaning (in Wireshark)What It Might Indicate
1 or 3SYN or SYN+ACK onlyConnection attempt, no response
7Full handshake, no dataIdle TCP connection
15Handshake + dataNormal session, may be truncated
31Handshake + data + FINGraceful closure (4-way handshake complete)
63Includes RSTConnection terminated abruptly

So if you see a 15, it might mean:

  • Normal session without closure, or
  • Capture stopped before FIN was sent, or
  • Server or client didn’t follow graceful termination.

To tell which one applies, inspect the trace context — timestamps, packet directions, and sequence numbers.

Practical Tips for Accurate Completeness Analysis

TipWhy It Matters
Capture both directions (bi-directional)Avoid missing SYN/ACK or FIN/ACK packets
Start capture before the SYNEnsures handshake is included
End capture after FIN/RSTCaptures full closure
Avoid SPAN oversubscriptionPrevents packet drops
Verify with sequence numbersDetect missing data beyond completeness bitmask
Use tcp.analysis.flagsTo correlate retransmissions, dup ACKs, etc.

Combining Completeness with Application Context

While completeness gives a structural view of the TCP session, pairing it with application-layer visibility (e.g., HTTP, TLS, or custom payloads) helps you understand:

  • Was data actually exchanged after handshake?
  • Did the application issue proper FIN?
  • Did the server or client abort the session?

For example:

  • tcp.completeness = 31 with HTTP 200 OK → successful web transaction.
  • tcp.completeness = 63 with TLS Alert: Close Notify → clean TLS closure.
  • tcp.completeness = 15 with RST at end → likely timeout or forced disconnect. 

 Limitations and Common Misinterpretations

MisconceptionReality
“Completeness 63 means fully successful connection.”Not necessarily — it only means all flag types were seen. The session may have ended in RST.
“Low completeness = network failure.”Could simply be partial capture or unidirectional sniffing.
“It’s part of TCP standard.”No — it’s internal to Wireshark’s analysis engine.
“You can use completeness to measure success rate.”Only valid if captures are full and symmetric.

Example Wireshark Display

You can display the completeness column by:

  • Right-clicking on any TCP packet → Protocol Preferences → Apply as Column.
  • Adding a custom column with field name: tcp.completeness
  •  Optionally add color filters:
    • tcp.completeness < 7 → Red (incomplete handshakes)
    • tcp.completeness >= 15 → Green (active connections)
    • tcp.completeness >= 31 → Blue (gracefully closed)

Key Takeaways

  • TCP Conversation Completeness is Wireshark-defined, not TCP-standardized.
  • It indicates what Wireshark has seen, not what truly happened end-to-end.
  • It’s most useful when captures are full, symmetric, and continuous.
  • For meaningful analysis, correlate with timestamps, sequence numbers, and application logs. 

📐 Formula: TCP Conversation Completeness

Wireshark’s tcp.completeness field quantifies the health of each TCP conversation using a bitmask formula.

This numerical code describes which TCP events (SYN, ACK, DATA, FIN, RST) were seen in the capture — allowing analysts to instantly classify whether a connection was complete, partial, or aborted. 

🧮 The TCP Completeness Bitmask

Each observed TCP event contributes a bit value:

BitNameField NameMeaningString Representation
1SYNtcp.completeness.synSYN packet seen (client initiated connection)S
2SYN-ACKtcp.completeness.syn-ackSYN-ACK seen (server responded)SA
4ACKtcp.completeness.ackACK seen (client completed handshake)A
8DATAtcp.completeness.dataApplication data exchangedD
16FINtcp.completeness.finGraceful closure attemptF
32RSTtcp.completeness.rstAbrupt termination/resetR


The bitmask sum of these values represents the “conversation signature.” For instance,

63 (1+2+4+8+16+32) → SYN + SYN-ACK + ACK + DATA + FIN + RST → Ideal complete connection

Main Category

Subcode (Bitmask N)

Subtype Description

Meaning

🔴 Incomplete

2

SYN or mid-flow only

Partial connection, handshake not completed

5 (1 + 4)

SYN + ACK seen, missing ACK or RST

Often blocked or interrupted after handshake

13 (1 + 4 + 8)

Early close after SYN + ACK + ACK

Connection closed immediately after handshake, likely no app activity

35 (1 + 2 + 32)

Handshake + data, no closure

Data exchanged but connection was cut mid-way

37 (5 + 32)

Multiple data packets, no closure

Multiple payloads exchanged, then dropped

38 (1 + 2 + 4 + 32)

SYN + SYN-ACK + ACK + minimal data, drop

Very short data exchange, abruptly interrupted

59 (3 + 8 + 16 + 32)

Long flow, unusual closure

Extended exchange but closed in a non-standard or abrupt manner

62 (2 + 4 + 8 + 16 + 32)

Data + no FIN or RST

Payload sent, but no TCP closure observed

🟠 Incomplete, SYN_SENT

1

SYN seen only

Client sent SYN, no server reply

🟠 Incomplete, CLIENT_ESTABLISHED

3 (1+2)

SYN + SYN-ACK only

Server replied to SYN, client ACK not seen

🟠 Incomplete, ESTABLISHED

7 (1 + 2 + 4)

Full handshake, no data

Connection established, but no traffic exchanged

🟠 Incomplete, DATA

15 (1 + 2 + 4 + 8)

Handshake + some data, no closure

Abrupt interruption after data start

35 (1 + 2 + 32)

Extended version of above

Same as 15 but more data packets

37 (1 + 4 + 32)

Repeated mid-stream drops

Slightly longer flows with no closure

🔥 Reset Immediately

17 (1 + 16)

SYN followed by RST

Server forcefully rejected connection

⏱️ Late SYN-ACK

33 (1 + 32)

SYN + SYN-ACK only, delayed ACK

Likely network latency or asymmetric capture

Complete, NO_DATA

7 (1 + 2 + 4)

Full handshake, no data

Connection opened, no payload sent

23 (7 + 16)

Full handshake + FIN

Graceful close without application data

55 (7 + 16 + 32)

Handshake + no payload + RST/FIN

Connection established but closed without sending any data

🟢 Complete, WITH_DATA

31(1 + 2 + 4 + 8 + 16)

Data + one-sided FIN

Clean on one side, the other didn't close

47(1 + 2 + 4 + 8 + 16 + 16)

Data + RST (Reset)

Connection closed abruptly after data

63(1 + 2 + 4 + 8 + 16 + 32)

Ideal connection

Handshake, data exchange, and proper closure (FIN/FIN-ACK)

⚠️ Duplicate Conversations

Varies

Tool-specific overlaps

Multiple rows for the same connection due to parsing

Interpreting the Bitmask Formula 

General Rule:

 TCP_COMPLETENESS = SYN(1) + SYN-ACK(2) + ACK(4) + DATA(8) + FIN(16) + RST(32) 

Wireshark displays this as:

tcp.completeness == <numeric_value>
tcp.completeness.str == <symbolic_string> 

Example Filters:

GoalFilter
Show only complete TCP sessionstcp.completeness == 63
Show incomplete or reset sessionstcp.completeness < 63
Show connections without datatcp.completeness == 7 or tcp.completeness == 23
Show abrupt resetstcp.completeness & 32

📊 Practical Use in Wireshark

  • Go to Statistics → Conversations → TCP
  • Add the “TCP completeness” column (if not visible)
    • Each flow will show:
    • Numeric bitmask (tcp.completeness)
    • Symbolic representation (tcp.completeness.str)
  • Example:
    •  
  • Sort by completeness to instantly find failed or truncated sessions.

🧠 Why This Matters for Engineers

The tcp.completeness metric is effectively a conversation fingerprint.
It allows you to:

  • Rapidly distinguish between graceful, reset, and half-open sessions
  • Correlate packet traces with app-layer behavior
  • Quantify TCP health (e.g., “98.9% of TCP sessions reached completeness = 63”)
  • Detect capture gaps, asymmetric routing, or device-level aborts 
ValuePatternMeaning
1 (S)SYN onlyClient attempted, no response
7 (S A A)Full handshake, idleConnection opened, no data
15 (S A A D)Handshake + data, incomplete closeAbrupt stop
31 (S A A D F)Clean on one sideServer/client missing final FIN
63 (S A A D F R)Full, ideal flowHandshake + data + proper closure

 🧷 Summary

TCP Conversation Completeness Formula = the DNA of a TCP flow.
Each bit tells part of the story — who spoke first, who replied, who sent data, who closed properly, and who dropped abruptly.

When combined with packet-level validation practices, it transforms Wireshark from a diagnostic tool into a quantitative network quality meter.

Best Practices: Packet-Level Validation for Connectivity Changes

To ensure stable and predictable network behavior across all environments, packet-level validation should be integrated into the development, testing, and release lifecycle.

Modern distributed systems rely heavily on healthy TCP/IP connectivity between devices, servers, and services. While application-level transactions may appear “successful,” the underlying network behavior often tells a different story. Subtle issues such as retransmissions, half-closed sockets, or TLS handshake failures can degrade reliability and user experience — even when responses seem fine.

To ensure reliable, predictable, and secure communication, every new device, hardware series, or integration change should undergo packet-level validation as a mandatory best practice during development, testing, and release phases.

Establish a uniform and proactive approach to detect and prevent connectivity issues caused by device, network, or code-level changes.

 Why Packet-Level Validation Matters

Transaction approval does not always mean the communication was healthy beneath.
Hidden issues such as retransmissions, duplicate ACKs, or forced TCP resets may signal instability or misconfiguration at the OS, network, or application layer.

Routine packet validation helps detect:

  • Latency spikes and flow control bottlenecks
  • Abnormal connection termination (RST or half-close)
  • TLS/SSL handshake or certificate issues
  • Network-level loss or reordering

This approach must be applied for both inbound and outbound traffic — ensuring every client-server interaction is genuinely healthy. 

1. Mandatory Guidelines for All Releases and Post-Code Changes

  • All teams are requested to circulate this guidance within their groups and integrate packet-level verification into their development, QA, and release workflows.
  • This applies to all components — Instore, Host, Infra, and Network. 

2. Integrate Short Wireshark Traces in Development/Testing

  • For any new device, hardware series, or connectivity logic change, capture 2–3 minute Wireshark traces during functional tests.
  • Validate key behaviors:
    • TCP lifecycle and conversation completeness
    • Layer 4 and Layer 7 integrity (retransmissions, duplicate ACKs, Zero Window events)
    • TLS handshake and HTTP response correctness 

 3. Include Trace Analysis in Deliverables

  • Each release should include a 1–2 slide summary or small table highlighting:
    • Processing times within acceptable thresholds
    • Any negative/problematic events found in traces
    • Notes on graceful vs. forceful connection closure
  • Include this as part of the product delivery checklist.

4. Routine Post-Change Checks

  • Make trace validation a mandatory step after:
    • Connectivity-related code changes
    • Device or network upgrades (router, firewall, load balancer, MPLS/VPN setup)
  • Recently, a similar exercise has been conducted for all MPLS/VPN clients in coordination with the network team. However, this validation should ideally occur during initial onboarding itself. 

5. Continuous Validation for New and Existing Clients

  • Network or infrastructure changes can directly affect connection lifecycle events. Hence:
    • Regularly perform trace health checks for both new and existing clients.
    • Ensure collaboration across product engineering, QA, Infra, and network teams for early detection and prevention of anomalies. 

Verify Problematic Network Events

  • Capture short packet traces (2–3 minutes) during development or functional testing.
  • Identify and validate all negative/problematic events, including:
    • TCP: Retransmissions, Fast/Spurious Retransmissions, Duplicate ACKs, Out-of-Order segments, Zero Window / Zero Window Probe / Probe ACK, FIN+RST overlaps, SYN Flood patterns, Previous Segment Not Captured.
    • TLS/SSL: Fatal or Warning alerts, Handshake failures, Expired/Bad Certificates, Unknown CA.
    • HTTP: 4xx/5xx error codes (Bad Request, Unauthorized, Forbidden, Not Found, Internal Server Error, Service Unavailable).
    • ICMP/IP: Destination Unreachable, Time Exceeded, Fragmentation or Duplicate packets. 

1️⃣ TCP Layer Issues 

Flag / EventDescriptionPotential CauseSeverity
RST (Reset)Unexpected connection terminationServer not listening, firewall drop, abrupt app termination🔴 Error
TCP RetransmissionPacket resent due to missing ACKPacket loss, network congestion, faulty hardware🔴 Error
TCP Fast RetransmissionRetransmit triggered by 3+ duplicate ACKsConsistent packet loss, network jitter🟠 Warning
TCP Spurious RetransmissionPacket retransmitted even though original deliveredNetwork jitter, latency spikes, overly aggressive retransmission timer🟠 Warning
TCP Duplicate ACKReceiver repeats ACK for same sequenceMissing packet(s), precursor to retransmission🟠 Warning
TCP Out-of-OrderSegment arrived outside expected sequenceReordering due to congestion, multipath routing🟠 Warning
TCP Zero Window / ProbeReceiver cannot accept more data; probe checks bufferReceiver overwhelmed (CPU, disk, or slow application)🟠 Warning
TCP Zero Window Probe ACKReceiver ACKs probe but window still zeroReceiver buffer still blocked🟠 Warning
TCP Window FullSender cannot send more data due to receiver bufferFlow control bottleneck, slow receiver processing🟠 Warning
TCP Previous Segment Not CapturedGap in sequence numbers detected in captureCapture device overload, asymmetric routing, missing packets🟠 Warning
FIN + RST overlapAbnormal connection closureForced termination by application or error🔴 Error
SYN Flood patternMany SYN packets with no ACKsDenial-of-Service attack or port scanning🔴 Error

 2️⃣ TLS / SSL Layer Issues

Event / AlertDescriptionPotential CauseSeverity
Fatal AlertConnection terminated due to serious TLS errorBad MAC, handshake failure, unsupported parameters🔴 Error
Warning AlertNon-fatal TLS error, connection may continueWeak/deprecated cipher, invalid certificate🟠 Warning
Handshake FailureClient and server could not agree on security parametersCipher mismatch, TLS version mismatch, invalid certificate🔴 Error
Expired CertificateCertificate validity endedMismanagement of certificate, insecure server🔴 Error
Bad Certificate / Unknown CACertificate could not be verifiedMissing trust chain, self-signed certificate🔴 Error

 3️⃣ HTTP Layer Issues

Status / EventDescriptionPotential CauseSeverity
HTTP 400 Bad RequestInvalid request syntax or parametersMalformed client request🟠 Warning
HTTP 401 UnauthorizedAuthentication requiredMissing/invalid credentials🟠 Warning
HTTP 403 ForbiddenServer refuses requestInsufficient permissions, IP blocking🟠 Warning
HTTP 404 Not FoundResource not foundIncorrect URL, resource moved/deleted🟠 Warning
HTTP 500 Internal Server ErrorServer-side errorServer misconfiguration, application crash🔴 Error
HTTP 503 Service UnavailableServer overloaded or under maintenanceServer overload, maintenance mode🔴 Error

 4️⃣ ICMP / IP Layer Issues

Event / FlagDescriptionPotential CauseSeverity
ICMP Destination UnreachableHost/network/port unreachableFirewall block, closed port, routing issue🟠 Warning
ICMP Time ExceededTTL expired in transitRouting loop, excessively long path🟠 Warning
IP Fragmentation IssuesPackets fragmented and reassembled incorrectlyMTU mismatch, large UDP packets🟠 Warning
IP DuplicatesDuplicate IP packets receivedNetwork loop, retransmission at lower layer, misconfiguration🟠 Warning

 Validate TCP Lifecycle Compliance

  • Ensure connections follow proper TCP handshake and teardown sequences.
  • Verify full-way connection closure (graceful FIN/ACK) rather than half-closed or forceful RST terminations.
  • Monitor retransmissions, duplicate ACKs, and out-of-order packets — these indicate network or application issues, even if the transaction completes successfully. 

Connections should follow the complete 3-way handshake and graceful 4-way termination.

✅ Healthy Connection

  • SYN → SYN-ACK → ACK (established)
  • FIN → ACK → FIN → ACK (graceful close)

❌ Unhealthy Connection

  • Sudden RST without FIN
  • Half-close (client/server not acknowledging termination)
  • Frequent retransmissions or missing ACKs

Even if a request processing completes, repeated retransmissions or duplicate ACKs point to instability that should be investigated.

Performance and Response Validation

Verify response times are within acceptable boundaries for both inbound and outbound traffic. Monitor buffer conditions, window sizes, and flow control anomalies to ensure stable and predictable operation. 

  • Confirm transaction response times are within acceptable limits.
  • Check window sizes and flow control behavior.
  • Validate consistent round-trip times without spikes or delayed ACKs.
  • Investigate buffer stalls or persistent zero windows.

A successful transaction should also be efficient, not just correct. 

Integrate Validation into Development and Delivery

To operationalize these checks, I suggest the following best-practice approach:

  • Integrate Short Wireshark Traces in Development/Testing
    • For any new device, hardware series, or connectivity logic changes, capture 2–3 minute traces during functional tests.
    • Validate TCP lifecycle, Layer 4 and Layer 7 behavior, retransmissions, duplicate ACKs, Zero Window events, and TLS/HTTP errors.
  • Include Trace Analysis in Deliverables
    • Create a simple summary (1–2 slides or a small table) for each release highlighting:
      • Transaction times within acceptable boundaries
      • Any negative/problematic events detected in traces
      • Notes on graceful vs. forceful connection closure
    • Include this summary as part of the product delivery checklist.
  • Standardize Routine Post-Change Checks
    • Make this a mandatory step for all connectivity-related releases, ensuring both product engineering and QA teams review traces before production rollout.
    • This ensures early detection of network or application-level issues without relying solely on support or production monitoring. 

Summary Checklist 

StepObjectiveOwner
Capture short packet tracesValidate TCP/TLS/HTTP flow healthDev / QA
Review for negative eventsDetect retransmissions, RSTs, alertsDev / Infra
Validate TCP lifecycleEnsure graceful open/closeQA / Infra
Include trace summary in release docsDeliver visibility and accountabilityProduct / QA
Perform post-release checksConfirm stability after go-liveNetwork / Infra


Make it part of the product delivery checklist and a mandatory post-change verification step. Adhering to these practices ensures early detection of network or application issues, reduces wasted triage effort, and establishes repeatable engineering standards. All teams are requested to circulate this guidance within their groups and integrate packet-level validation into development, testing, and release workflows. 

Saturday, October 4, 2025

Understanding TCP Flags: The Control Bits of TCP Connections

Transmission Control Protocol (TCP) is one of the pillars of internet communication. It ensures reliable, ordered, and error-checked delivery of data between systems. Behind the scenes, TCP relies on flags — small control bits in the TCP header — to manage the lifecycle and flow of a connection.

These TCP flags signal events such as connection setup, acknowledgment of data, or termination of a session. Without them, the reliable communication we take for granted wouldn’t be possible.

TCP flags may only be single bits in a header, but they play a critical role in how the internet functions. From establishing connections to managing congestion and closing sessions, these control bits define the entire TCP lifecycle.

Whether you’re analyzing network packets with Wireshark, troubleshooting a connection issue, or just curious about how the internet really works — understanding TCP flags is essential.

The TCP header contains several one-bit boolean fields known as flags used to influence the flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification, there are six TCP control flags. Four of these (SYN, FIN, ACK, RST) are used to control the establishment, maintenance, and tear-down of a TCP connection.

Acronym

Name

Meaning

SYN

Synchronization

Used to create a TCP connection (Initiates a connection)

ACK

Acknowledgment

Used to acknowledge the reception of data or synchronization packets

PSH

Push

Instruct the network stacks to Bypass the buffering(MSS size) I,e Asks to push the entire buffered data to receiving application immediately

URG

Urgent

Indicates out-of-band data that must be processed by the network stacks before normal data I, Bypass the queue

FIN

Finish

Gracefully terminate the TCP connection

RST

Reset

Immediately terminate the connection and drop any in-transit data

 

What Are TCP Flags?

Each TCP packet has a header that contains several fields, including flags (control bits). These flags are 1-bit markers that indicate how a packet should be interpreted. By setting or clearing these bits, devices coordinate connection states, error recovery, and data transfer behaviors. 

The 6-bit Flags field is used to relay control information between TCP peers. The possible flags include SYN, FIN, RESET, PUSH, URG, and ACK.

  1. URG: Urgent pointer is valid
  2. ACK: Acknowledgement Number is valid
  3. PSH:  PUSH Flag
  4. RST: Reset the connection
  5. SYN: Synchronize sequence numbers
  6. FIN:  Sender is finished with sending
  • The SYN and FIN flags are used when establishing and terminating a TCP connection, respectively.
  • The ACK flag is set any time the Acknowledgement field is valid, implying that the receiver should pay attention to it.
  • The URG flag signifies that this segment contains urgent data. When this flag is set, the UrgPtr field indicates where the non-urgent data contained in this segment begins. The following bytes contains an utgent message in the range: (SeqNo <= urgent message <= SeqNo+urgent pointer)
  • The PUSH flag signifies that the sender invoked the push operation, which indicates to the receiving side of TCP that it should notify the receiving process of this fact. Normally set by sender when the sender’s buffer is empty
  • Finally, the RESET flag signifies that the receiver has become confused and so wants to abort the connection. 


 
Synchronization (SYN) – It is used in first step of connection establishment phase or 3-way handshake process between the two hosts. Only the first packet from sender as well as receiver should have this flag set. This is used for synchronizing sequence number i.e. to tell the other end which sequence number they should accept. During the 3-way handshake we are able to count a total of 2 SYN flags transmitted, one by each host. 
  • Purpose: Initiates a TCP connection.
  • Usage: Part of the three-way handshake (SYN → SYN-ACK → ACK).
  • Example: When your browser connects to a web server, it first sends a SYN packet. 
  • Wireshark View : tcp.flags.syn == 1 && tcp.flags.ack == 0 
 
 
 
Acknowledgement (ACK) – It is used to acknowledge packets which are successful received by the host. The flag is set if the acknowledgement number field contains a valid acknowledgement number.  
  • Purpose: Confirms receipt of data.
  • Usage: Present in almost all TCP segments after the connection is established.
  • Example: If Host A sends data, Host B responds with an ACK to confirm successful receipt.

After the connection is established, data is sent and acknowledged by both sides. Each peer in the connection maintains a couple of counters:

  • The sequence counter, which counts the number of bytes sent
  • The acknowledgment counter, which counts the number of bytes received

 

The following sequence diagram illustrates how this works:

The number of bytes that have been sent but not acknowledged yet is called the “TCP window.” There are actually two TCP windows, one for each peer in the TCP connection. In the diagram above, the TCP window before the right side’s last packet is 90 bytes. The size of TCP windows is limited to 65,535 bytes in the original TCP specification, but this can be increased through TCP extensions.

A packet with the ACK flag set is used to acknowledge the bytes received by a peer. It is used in combination with the acknowledgment counter to inform the other peer of the last bytes received. This information is then used to determine whether some packets have been lost, in which case the sending peer will retransmit the lost packets.

  
Finish (FIN) - Graceful termination

 It is used to request for connection termination i.e. when there is no more data from the sender, it requests for connection termination. This is the last packet sent by sender. It frees the reserved resources and gracefully terminates the connection. 

One peer of the TCP connection can signal to the other that it wants to terminate the connection by sending a packet with a FIN flag. The other side then acknowledges that by sending a packet with both the FIN and ACK flags set and can then proceed to terminate its side of the connection. This four-way handshake is illustrated in the diagram below:

When the connection is terminated, any buffered or in-transit data will still be processed. In fact, any peer that didn’t send a FIN packet is still allowed to send data. This is rare in practice, as a higher-level protocol (HTTP, for example) usually has its own mechanism to signal that the connection is ending and that no more data needs to be sent by either side.

  • Purpose: Gracefully ends a connection.
  • Usage: Used when one side has no more data to send.
  • Example: After a file transfer is complete, the sender transmits a FIN flag to signal termination.
  • Wireshark View : tcp.flags.fin == 1 

 

Reset (RST) – Aborting a connection

Either side of the TCP connection can decide to abort the connection. This is done when the peer in question believes the connection should not exist for some reason. In such a case, one peer sends a packet with the RST flag set. The other peer, upon reception of the RST packet, must immediately stop sending any data.

When a connection is aborted in such a way, data in transit and buffered data is lost. So there is the potential for data loss, but this shouldn’t be a problem if this connection wasn’t valid to start with. RST packets are rare in real life and are probably used more for nefarious purposes than legitimate ones.

It is used to terminate the connection if the RST sender feels something is wrong with the TCP connection or that the conversation should not exist. It can get send from receiver side when packet is send to particular host that was not expecting it. 

  • Purpose: Immediately terminates a connection.
  • Usage: Used when something goes wrong (e.g., data sent to a closed port).
  • Example: If you send data to a port where no service is listening, the host replies with an RST. 
  • Wireshark View : tcp.flags.reset == 1 

Aspect

FIN (Finish)

RST (Reset)

Connection Termination

Graceful

Abortion

Termination Process

Uses a 4-way handshake (FIN → ACK, FIN → ACK)

Immediately closes the connection without handshake

Buffered Data

No data loss – remaining data is transmitted before closing

Data is discarded/dropped – in-flight data may be lost

Typical Usage

Normal TCP connection closure (e.g., after HTTP response, file transfer, email delivery)

Errors, invalid packets, closed ports, attacks, or out-of-ordinary connection events

Behavior

Signals: “I’m done sending, but I’ll still receive until you’re done.”

Signals: “Stop right now, something’s wrong.”

Impact on Applications

Application sees a clean end-of-stream (EOF)

Application may see an abrupt error or timeout

Wireshark Filter

tcp.flags.fin == 1

tcp.flags.reset == 1

Example

After downloading a file, the server sends a FIN to close politely

Connecting to port 81 on a server with no service listening results in an RST

  Push (PSH) – Bypass Sending/Receiving Buffer Size(MSS) For Pushed Data

The PSH flags instruct the operating system to send (for the sending side) and receive (for the receiving side) the data immediately. In other words, this flag instructs the operating system’s network stack to send/receive the entire content of its buffers immediately without waiting for the buffer (MSS) to become full on both sender and receiver end. 

TCP operates at layer four of the OSI model; it presents to upper layers a simple socket which can be read from and written to, masking the complexities of packet-based communications. To allow applications to read from and write to this socket at any time, buffers are implemented on both sides of a TCP connection in both directions.

When an application layer sends the data, it is temporarily queued in the TCP buffer, a special area in the memory, until the segment has reached a certain size (called MSS). So if we send a character it won't send it immediately but Transport layer by default waits for some time for application layer to send enough data equal to maximum segment size (MSS) and is then sent to the receiver so that the number of packets transmitted on network minimizes. When the segment arrives at the receiving end, it is placed in the TCP incoming buffer before it is passed onto the application layer. The data queued in the incoming buffer will remain there until the other segments arrive and, once this is complete, the data is passed to the application layer that's waiting for it.

 The purpose of the PSH bit is to tell TCP that do not wait for the buffer to become full and send the segment immediately to network layer as soon as it receives signal from application layer. Similarly when the receiver receives the segment with PSH flag set, should forward the data immediately to the application layer without waiting for the receive buffer to become full.

 This design guarantees that the data transfer is as efficient as possible, without waisting time and bandwidth by creating multiple segments, but combining them into one or more larger ones.It is not desirable by some application like interactive applications (chatting) I,e when we want data to go straight on the wire without any waiting time then there the PUSH function comes in. If we PUSH data then the TCP will immediately create a segment (or a few segments) and push them. But the story doesn't stop here. When the peer TCP receives the data, it will naturally buffer them it won't disturb the application for each and every byte. Here's where the PSH flag kicks in. If a receiving TCP sees the PSH flag it will immediately push the data to the application.

The practical example of this is the telnet application where the application sends data in the form of few keystrokes. The telnet will become unusable if it waits for the buffer to become full and then transits the data to the receiver. One more example is real player, where data must be sent and processed (by the receiver) immediately to ensure a smooth stream without any cut offs.

There's no API to set the PSH flag. Typically it is set by the kernel when it empties the buffer I,e the buffer used at sender side has been emptied in conjunction with sending the packet. This particular flag is used quite frequently at the beginning and end of a data transfer, affecting the way the data is handled at both ends. When the packet with the PSH bit field set left the sender, the sender had no more data to send.

The socket that TCP makes available at the session level can be written to by the application with the option of "pushing" data out immediately, rather than waiting for additional data to enter the buffer. When this happens, the PSH flag in the outgoing TCP packet is set to 1 (on). Upon receiving a packet with the PSH flag set, the other side of the connection knows to immediately forward the segment up to the application. To summarize, TCP's push capability accomplishes two things:

  • The sending application informs TCP that data should be sent immediately.
  • The PSH flag in the TCP header informs the receiving host that the data should be pushed up to the receiving application immediately.

 

 

  • Purpose: Instructs the receiver to deliver data to the application immediately.
  • Usage: Ensures no unnecessary buffering delays.
  • Example: Used in interactive applications like SSH or Telnet, where keystrokes must appear instantly.
  • Wireshark View: tcp.flags.push == 1 

Urgent (URG) – Bypass Sending/Receiving Queue For Urgent Data

This flag is used to identify incoming data as 'urgent'. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately.

This flag is used to identify incoming data as 'urgent'. Such incoming segments do not have to wait until the previous segments are consumed by the receiving end but are sent directly and processed immediately.

An Urgent Pointer could be used during a stream of data transfer where a host is sending data to an application running on a remote machine. If a problem appears, the host machine needs to abort the data transfer and stop the data processing on the other end. Under normal circumstances, the abort signal will be sent and queued at the remote machine until all previously sent data is processed, however, in this case, we need the abort signal to be processed immediately.

By setting the abort signal's segment Urgent Pointer flag to '1', the remote machine will not wait till all queued data is processed and then execute the abort. Instead, it will give that specific segment priority, processing it immediately and stopping all further data processing.

 Real-life example:

At your local post office, hundreds of trucks are unloading bags of letters from all over the world. Because the amount of trucks entering the post office building are abundant, they line up one behind the other, waiting for their turn to unload their bags. As a result, the queue ends up being quite long. However, a truck with a big red flag suddenly joins the queue and the security officer, whose job it is to make sure no truck skips the queue, sees the red flag and knows it's carrying very important letters that need to get to their destination urgently. By following the normal procedures, the security officer signals to the truck to skip the queue and go all the way up to the front, giving it priority over the other the trucks. In this example, the trucks represent the segments that arrive at their destination and are queued in the buffer waiting to be processed, while the truck with the red flag is the segment with the Urgent Pointer flag set.

Data inside a segment with URG = 1 flag is forwarded to application layer immediately even if there are more data to be given to application layer. It is used to notify the receiver to process the urgent packets before processing all other packets. The receiver will be notified when all known urgent data has been received.

The URG bit, if set prioritizes the data, meaning thereby instead of waiting for the entire byte stream to be transmitted which is ahead of the "Urgent" data, the urgent data will be sent on urgent basis and will not wait for the entire byte stream to be transmitted which is ahead of it. When the URG bit is set the Urgent Pointer is also set (in the TCP header Options field: 16 bit). The URG pointer tells how many bytes of the data is urgent in the segment that has arrived. (Example if the data size is 100 bytes and only first 50 bytes is urgent, the urgent pointer will have a value of 50). When you send urgent data, your TCP creates a special segment in which it sets the URG flag and also the urgent pointer field. This causes the receiving TCP to forward the urgent data on a separate channel to the application (for instance on Unix your process gets a SIGURG). This allows the application to process the data out of band¹.

The URG flag is used to inform a receiving station that certain data within a segment is urgent and should be prioritized. If the URG flag is set, the receiving station evaluates the urgent pointer, a 16-bit field in the TCP header. This pointer indicates how much of the data in the segment, counting from the first byte, is urgent.

The URG flag is used to signal “urgent” data that should be prioritized over non-urgent data. This is used to send so-called “out-of-band data,” which is treated in a special way by the operating system and usually signals some kind of exception in the application protocol. Note that in practice, this feature of TCP is seldom used.

public void sendUrgentData(int data) throws IOException
public void setOOBInline(boolean on) throws SocketException
public boolean getOOBInline() throws SocketException
  • Purpose: Marks data as urgent, requiring priority processing.
  • Usage: Works with the Urgent Pointer field to highlight critical data.
  • Example: Rarely used today, but was historically important for signaling interrupts.

Difference between PUSH and URG

Suppose the receiving buffer has already some data to be processed by the application. A segment with the PSH flag set to 1 is sent now. The sending buffer will not wait to be filled, instead, it will immediately push the entire data of its buffers into the wire. Now, this data will queue up behind the already non-processed data in the receiving buffer. After the previous data is processed then only the data with PSH=1 can be forwarded to the application on receiver end.

When URG is set, the data can be immediately forwarded to the application ignoring the already existent data in the receiving buffer. In other words, URG=1 violates the FIFO structure.

The major difference between PSH=1 and URG=1 is that the former follows the ordering of the data in the receiving buffer whereas the latter doesn't and that's why the name is URG i.e. to send urgent data.

 

PSH flag will carry the buffer memory size, where the URG flag will carry the address of that memory. PSH flag will help the packet transmission little bit faster. URG flag is only used for when any urgently required packet is send to the destination or server.

 

PSH

URG

All data in buffer to be pushed to NL(sender)/AL(receiver)

Only the urgent data to be given to AL immediately

Data is delivered in sequence I,e follows the ordering of the data in the receiving buffer.

Data is delivered out of sequence I,e ignoring the already existent data in the receiving buffer

PSH=1 follows the FIFO structure.

URG=1 violates the FIFO structure.

It Bypass the buffer size I,e not wait until buffer to get full of MSS size on sender and receiver end. Sender will send entire buffered content immediately and receiver also forward entire buffer content immediately. But this data will queue up behind the already non-processed data in the receiving buffer. After the previous data is processed from buffer then only the data with PSH=1 can be forwarded to the application on receiver end.

  

It Bypass the Queue in order to send and receive urgent data. This causes the receiving TCP to forward the urgent data on a separate channel to the application.

No separate channel will get created on receiving TCP to forward the buffered data to application.

A Separate channel will get created to forward urgent data from buffered data to application.

ECE (ECN Echo) and CWR (Congestion Window Reduced)

  • Purpose: Handle congestion control with Explicit Congestion Notification (ECN).
  • Usage:
    • ECE: Signals that congestion was experienced.
    • CWR: Sent by the sender to acknowledge that it reduced its congestion window.
  • Example: Helps prevent packet drops by adapting transmission rates under heavy traffic.
  • Wireshark View : tcp.flags.ecn == 1 

Putting It All Together: A Typical TCP Lifecycle

  • Connection Establishment (3-Way Handshake):
    • SYN → SYN-ACK → ACK
  • Data Transfer:
    • ACK confirms delivery
    • PSH ensures real-time transmission when required
  • Congestion Handling:
    • ECE and CWR help balance traffic load
  • Connection Termination:
    • Graceful shutdown with FIN
    • Abrupt termination with RST 

 TCP Flags Quick Reference Table with examples included:

Flag

Full Form

Purpose

Typical Use Case

Example

SYN

Synchronize

Initiates a connection

Connection handshake

When you open a browser and visit https://example.com, your system sends a SYN packet to the server.

ACK

Acknowledgment

Confirms receipt of data

Data acknowledgment

After receiving a web page chunk, your computer sends an ACK back to the server.

FIN

Finish

Gracefully closes a connection

End of data transfer

After a file download completes, the client sends a FIN to indicate no more data will be sent.

RST

Reset

Abruptly ends connection

Error / closed port

If you connect to port 81 on a server where no service is listening, it replies with an RST.

PSH

Push

Deliver data immediately to application

Interactive sessions

In SSH, when you press a key, a PSH ensures the keystroke is sent to the remote host without delay.

URG

Urgent

Prioritize urgent data

Legacy signals

Telnet once used URG to send interrupt commands (Ctrl+C) immediately.

ECE

ECN Echo

Reports congestion

ECN-enabled networks

A router experiencing congestion sets ECN, and the receiver returns an ECE flag to notify the sender.

CWR

Congestion Window Reduced

Acknowledges congestion handling

ECN acknowledgment

After receiving ECE, the sender reduces its window and marks the next packet with CWR.

 Difference Between PSH and URG Flags

Aspect

PSH (Push)

URG (Urgent)

Purpose

Ensures data is delivered immediately to the application (no waiting for buffer fill).

Marks part of the data stream as urgent, using the Urgent Pointer field.

Scope

Affects all data in the segment – tells the receiver to push buffered data up.

Applies only to a portion of the data marked as urgent.

Use Case

Interactive or real-time applications (e.g., SSH, Telnet, chat).

Sending interrupt or control signals (e.g., abort/kill command in Telnet).

Modern Usage

Still relevant in real-time/low-latency communications.

Rarely used today; largely obsolete in modern protocols.

Example

When you press a key in SSH, PSH ensures the keystroke reaches the server immediately.

In legacy Telnet, pressing Ctrl+C would set URG to signal an interrupt.

 Difference Between RST and FIN Flags

Aspect

FIN (Finish)

RST (Reset)

Purpose

Gracefully closes a TCP connection.

Abruptly terminates a TCP connection.

Behavior

Tells the peer: “I have finished sending data, but I can still receive.”

Tells the peer: “Something went wrong, stop immediately.”

Connection State

Allows a proper four-way handshake to close the session.

Immediately drops the connection without a handshake.

Use Case

Normal end of a session (e.g., after file transfer or HTTP response).

Error conditions, invalid packets, closed ports, or abnormal termination.

Impact on Data

Ensures all in-flight data is delivered before closing.

Discards any in-flight data — data may be lost.

Example

After downloading a file, the server sends a FIN to close the session cleanly.

If you connect to a closed port on a server, it responds with an RST.

Wireshark Filter

tcp.flags.fin == 1

tcp.flags.reset == 1