Sunday, October 5, 2025

Understanding Wireshark’s TCP Conversation Completeness: What It Really Tells You

Understanding “TCP Conversation Completeness” in Wireshark

A Deep Dive into What It Really Means (and What It Doesn’t)

When analyzing TCP packet captures in Wireshark, you may have noticed a column or field called “TCP Conversation Completeness.” It often shows up as a numerical value — 7, 15, 31, 63, and so on — and many engineers assume it reflects the health of a TCP connection or compliance with RFC 793.

However, that’s not what it is.

TCP Conversation Completeness is a Wireshark-specific analytical feature, not a TCP protocol metric or a network standard. It tells you only what Wireshark observed in the packet trace — not necessarily what happened on the wire end-to-end.

In this article, we’ll break down how Wireshark computes it, what the values mean, how incomplete captures can distort it, and how to correctly interpret it in real-world troubleshooting.

TCP Conversation Completeness” is like Wireshark’s health summary for a TCP connection —
useful for triage, not for truth 

 

This critical TCP-layer metric that can significantly enhance how we validate the health of incoming client connections. The parameter is called “Conversation Completeness”, and while it may sound like a technical jargon, it is a highly effective diagnostic for analyzing connection integrity. This metric helps us categorize TCP conversations into meaningful states, such as: 

๐Ÿ”ด Incomplete: Handshake not completed (e.g., SYN sent but no ACK)
๐ŸŸ  Partial Data: Handshake succeeded, but data exchange was interrupted
๐Ÿ”ฅ Reset Immediately: Connections rejected abruptly (RST seen)
⏱️ Late SYN-ACK: SYN and SYN-ACK seen, but final ACK from client is missing(Common under high latency, packet loss, or asymmetric routing issues)
No Data: Clean handshake and closure, but no application data transferred
๐ŸŸข With Data: Full connection with data exchanged and properly closed
⚠️ Duplicate Conversations: Multiple flows for the same connection(May indicate monitoring artifacts or NAT reuse)

To assess connection health, we’ve classified traffic into the following TCP health buckets: Healthy TCP % = Sum of all Complete, WITH_DATA codes (31, 47, 63) divided by Total.

๐ŸŸข Green (Excellent): ≥ 97.5%, ๐ŸŸก Yellow (Good): 90–97.49%, ๐ŸŸ  Amber (Moderate): 70–89.99%, ๐Ÿ”ต Blue (Below Average): 50–69.99%, ๐Ÿ”ด Red (Poor): < 50%

Observation for Client 6:

  1. TTL = 126: Suggests Windows OS
  2. Window Size = 8192
  3. Window Scale = 8 (resulting in an effective receive window of 2,097,152 bytes)
  4. MSS = 1338
  5. tcp.completeness == 23:
    1. All 1528 connections (initiated every hour) follow the 3-way handshake — SYN → SYN-ACK → ACK — but then terminate immediately with a FIN,ACK without exchanging any application data or TLS handshake.

 

 What Is TCP Conversation Completeness?

TCP Conversation Completeness means that every TCP connection observed in packet capture has a proper beginning, middle, and end according to the TCP finite state machine.

A complete TCP conversation typically consists of:

  • Three-way handshake — SYN → SYN-ACK → ACK
  • Data exchange — One or both directions transmit data packets with PSH or ACK
  • Graceful termination — A full four-way FIN/ACK handshake, ensuring both sides close cleanly

Any deviation — like missing handshakes, abrupt resets, or unacknowledged FINs — indicates incomplete conversation(s). 

TypeDescriptionExample Frames (Wireshark)Remarks
Complete ConversationFull SYN, data exchange, and 4-way FIN/ACK closure observedSYN → SYN-ACK → ACK → [Data] → FIN → ACK → FIN → ACKIdeal, healthy connection
Incomplete (Reset)Connection aborted using RST instead of FINSYN → SYN-ACK → ACK → [Data] → RSTApplication error or abrupt termination
Incomplete (Unidirectional FIN)One side closes, the other doesn’tSYN → SYN-ACK → ACK → [Data] → FIN → ACK (missing other FIN)Peer-side timeout or closure mismatch
Handshake IncompleteSYN sent but never acknowledgedSYN (no SYN-ACK)Port closed, firewall drop, or routing issue
Midstream ResetData exchange occurs, then abrupt RSTSYN → SYN-ACK → ACK → [Data] → RSTCommon during protocol mismatch, timeout, or app crash

 Wireshark tracks the lifecycle of each TCP connection based on the flags it sees during capture:

TCP EventDescription
SYNConnection initiation by client
SYN, ACKServer acknowledgment
ACKFinal step of 3-way handshake
DATAApplication payload transfer
FINGraceful close request
RSTAbrupt termination

Wireshark uses these observed events to compute a bitmask value, stored in the field tcp.completeness.

Each bit in this field corresponds to a stage of the TCP conversation. The combination of bits forms a numeric “completeness score” that Wireshark can display as a value or text label.

๐Ÿ“Š Why TCP Completeness Matters

Even when application logs show “Transaction Approved”, incomplete TCP flows can reveal deep network or system issues: 

Impact AreaExample ScenarioHidden Symptom
Load Balancer or FirewallConnection reset due to idle timeoutApp sees random disconnections
Server ConfigurationKeep-alive disabled or FIN ignoredHalf-open sockets pile up
Client BehaviorApp abruptly closes socketsServer stuck in LAST_ACK
TLS HandshakeClient aborts mid-handshakeSSL failure without clear error
Retransmission StormsMSS or window scaling mismatchSpikes in latency or CPU load

 ๐Ÿง  Anatomy of a Complete vs. Incomplete TCP Conversation

TypeDescriptionCommon Pattern in WiresharkHealth
Complete ConversationFull handshake, bidirectional data, clean 4-way FINSYN → SYN-ACK → ACK → Data → FIN/ACK → FIN/ACKHealthy
Reset TerminationConnection aborted using RSTSYN → SYN-ACK → ACK → Data → RSTApplication crash, firewall reset
⚠️ One-Sided FINOne side closes, peer never repliesSYN → SYN-ACK → ACK → Data → FIN → ACK (no peer FIN)Half-open session
⚠️ Handshake IncompleteNo SYN-ACK receivedSYN onlyPort closed, firewall drop
Midstream ResetReset during data exchangeSYN → SYN-ACK → ACK → Data → RSTTimeout, misbehavior, or mismatch

 

Bitmask Breakdown 

Below is a simplified interpretation of how Wireshark defines the TCP Conversation Completeness bitmask:

DecimalBinaryMeaningTypical Interpretation
1000001SYN seenConnection attempt initiated
3000011SYN + SYN-ACKTwo sides initiated handshake
7000111SYN + SYN-ACK + ACKFull 3-way handshake observed
15001111Handshake + data transferEstablished connection with data
31011111Handshake + data + FINNormal close seen (4-way termination)
63111111Handshake + data + FIN + RSTConnection established, data sent, and reset seen

You can view this value in Wireshark using:

Frame → Expand “Transmission Control Protocol” → Field: tcp.completeness

Or create a column by right-clicking and selecting “Apply as Column”. 

Important Clarification: This Is a Wireshark Construct

“TCP Conversation Completeness” is not defined in any TCP RFC or OSI layer standard.

It’s a Wireshark-level convenience metric designed to help analysts quickly summarize what parts of the TCP lifecycle were seen in the capture — nothing more.

That means it’s entirely capture-dependent, not network-absolute.

Why It Changes with Incomplete or Asymmetric Captures 

If your packet trace is incomplete — due to asymmetric capture, packet drops, or the trace starting/stopping midway — Wireshark’s completeness analysis will change.

Let’s look at some examples:

Example 1: Partial Handshake

If you start the capture after the client has already sent the SYN, Wireshark will only see:

SYN, ACK → ACK

The completeness score will not include the original SYN, so it may show as 3 (incomplete handshake), even though the real network connection is already established.

Example 2: Missing FIN

If you stop the capture before the connection gracefully closes, Wireshark won’t see the FIN packets. The completeness will remain at 15 (handshake + data), even if the TCP connection properly closed afterward.

Example 3: One-Way Capture (Asymmetric Routing)


If your capture is on only one side of the network path (e.g., on the client), you might only see:  

SYN → SYN, ACK (missing)

Wireshark can’t infer that the other side replied — so it’ll report a very low completeness, even though the server did respond in reality.

How to Interpret It Correctly

Think of TCP Conversation Completeness as a summary of what Wireshark observed, not a verdict on whether the TCP session succeeded.

Here’s a practical interpretation table: 

CompletenessMeaning (in Wireshark)What It Might Indicate
1 or 3SYN or SYN+ACK onlyConnection attempt, no response
7Full handshake, no dataIdle TCP connection
15Handshake + dataNormal session, may be truncated
31Handshake + data + FINGraceful closure (4-way handshake complete)
63Includes RSTConnection terminated abruptly

So if you see a 15, it might mean:

  • Normal session without closure, or
  • Capture stopped before FIN was sent, or
  • Server or client didn’t follow graceful termination.

To tell which one applies, inspect the trace context — timestamps, packet directions, and sequence numbers.

Practical Tips for Accurate Completeness Analysis

TipWhy It Matters
Capture both directions (bi-directional)Avoid missing SYN/ACK or FIN/ACK packets
Start capture before the SYNEnsures handshake is included
End capture after FIN/RSTCaptures full closure
Avoid SPAN oversubscriptionPrevents packet drops
Verify with sequence numbersDetect missing data beyond completeness bitmask
Use tcp.analysis.flagsTo correlate retransmissions, dup ACKs, etc.

Combining Completeness with Application Context

While completeness gives a structural view of the TCP session, pairing it with application-layer visibility (e.g., HTTP, TLS, or custom payloads) helps you understand:

  • Was data actually exchanged after handshake?
  • Did the application issue proper FIN?
  • Did the server or client abort the session?

For example:

  • tcp.completeness = 31 with HTTP 200 OK → successful web transaction.
  • tcp.completeness = 63 with TLS Alert: Close Notify → clean TLS closure.
  • tcp.completeness = 15 with RST at end → likely timeout or forced disconnect. 

 Limitations and Common Misinterpretations

MisconceptionReality
“Completeness 63 means fully successful connection.”Not necessarily — it only means all flag types were seen. The session may have ended in RST.
“Low completeness = network failure.”Could simply be partial capture or unidirectional sniffing.
“It’s part of TCP standard.”No — it’s internal to Wireshark’s analysis engine.
“You can use completeness to measure success rate.”Only valid if captures are full and symmetric.

Example Wireshark Display

You can display the completeness column by:

  • Right-clicking on any TCP packet → Protocol Preferences → Apply as Column.
  • Adding a custom column with field name: tcp.completeness
  •  Optionally add color filters:
    • tcp.completeness < 7 → Red (incomplete handshakes)
    • tcp.completeness >= 15 → Green (active connections)
    • tcp.completeness >= 31 → Blue (gracefully closed)

Key Takeaways

  • TCP Conversation Completeness is Wireshark-defined, not TCP-standardized.
  • It indicates what Wireshark has seen, not what truly happened end-to-end.
  • It’s most useful when captures are full, symmetric, and continuous.
  • For meaningful analysis, correlate with timestamps, sequence numbers, and application logs. 

๐Ÿ“ Formula: TCP Conversation Completeness

Wireshark’s tcp.completeness field quantifies the health of each TCP conversation using a bitmask formula.

This numerical code describes which TCP events (SYN, ACK, DATA, FIN, RST) were seen in the capture — allowing analysts to instantly classify whether a connection was complete, partial, or aborted. 

๐Ÿงฎ The TCP Completeness Bitmask

Each observed TCP event contributes a bit value:

BitNameField NameMeaningString Representation
1SYNtcp.completeness.synSYN packet seen (client initiated connection)S
2SYN-ACKtcp.completeness.syn-ackSYN-ACK seen (server responded)SA
4ACKtcp.completeness.ackACK seen (client completed handshake)A
8DATAtcp.completeness.dataApplication data exchangedD
16FINtcp.completeness.finGraceful closure attemptF
32RSTtcp.completeness.rstAbrupt termination/resetR


The bitmask sum of these values represents the “conversation signature.” For instance,

63 (1+2+4+8+16+32) → SYN + SYN-ACK + ACK + DATA + FIN + RST → Ideal complete connection

Main Category

Subcode (Bitmask N)

Subtype Description

Meaning

๐Ÿ”ด Incomplete

2

SYN or mid-flow only

Partial connection, handshake not completed

5 (1 + 4)

SYN + ACK seen, missing ACK or RST

Often blocked or interrupted after handshake

13 (1 + 4 + 8)

Early close after SYN + ACK + ACK

Connection closed immediately after handshake, likely no app activity

35 (1 + 2 + 32)

Handshake + data, no closure

Data exchanged but connection was cut mid-way

37 (5 + 32)

Multiple data packets, no closure

Multiple payloads exchanged, then dropped

38 (1 + 2 + 4 + 32)

SYN + SYN-ACK + ACK + minimal data, drop

Very short data exchange, abruptly interrupted

59 (3 + 8 + 16 + 32)

Long flow, unusual closure

Extended exchange but closed in a non-standard or abrupt manner

62 (2 + 4 + 8 + 16 + 32)

Data + no FIN or RST

Payload sent, but no TCP closure observed

๐ŸŸ  Incomplete, SYN_SENT

1

SYN seen only

Client sent SYN, no server reply

๐ŸŸ  Incomplete, CLIENT_ESTABLISHED

3 (1+2)

SYN + SYN-ACK only

Server replied to SYN, client ACK not seen

๐ŸŸ  Incomplete, ESTABLISHED

7 (1 + 2 + 4)

Full handshake, no data

Connection established, but no traffic exchanged

๐ŸŸ  Incomplete, DATA

15 (1 + 2 + 4 + 8)

Handshake + some data, no closure

Abrupt interruption after data start

35 (1 + 2 + 32)

Extended version of above

Same as 15 but more data packets

37 (1 + 4 + 32)

Repeated mid-stream drops

Slightly longer flows with no closure

๐Ÿ”ฅ Reset Immediately

17 (1 + 16)

SYN followed by RST

Server forcefully rejected connection

⏱️ Late SYN-ACK

33 (1 + 32)

SYN + SYN-ACK only, delayed ACK

Likely network latency or asymmetric capture

Complete, NO_DATA

7 (1 + 2 + 4)

Full handshake, no data

Connection opened, no payload sent

23 (7 + 16)

Full handshake + FIN

Graceful close without application data

55 (7 + 16 + 32)

Handshake + no payload + RST/FIN

Connection established but closed without sending any data

๐ŸŸข Complete, WITH_DATA

31(1 + 2 + 4 + 8 + 16)

Data + one-sided FIN

Clean on one side, the other didn't close

47(1 + 2 + 4 + 8 + 16 + 16)

Data + RST (Reset)

Connection closed abruptly after data

63(1 + 2 + 4 + 8 + 16 + 32)

Ideal connection

Handshake, data exchange, and proper closure (FIN/FIN-ACK)

⚠️ Duplicate Conversations

Varies

Tool-specific overlaps

Multiple rows for the same connection due to parsing

Interpreting the Bitmask Formula 

General Rule:

 TCP_COMPLETENESS = SYN(1) + SYN-ACK(2) + ACK(4) + DATA(8) + FIN(16) + RST(32) 

Wireshark displays this as:

tcp.completeness == <numeric_value>
tcp.completeness.str == <symbolic_string> 

Example Filters:

GoalFilter
Show only complete TCP sessionstcp.completeness == 63
Show incomplete or reset sessionstcp.completeness < 63
Show connections without datatcp.completeness == 7 or tcp.completeness == 23
Show abrupt resetstcp.completeness & 32

๐Ÿ“Š Practical Use in Wireshark

  • Go to Statistics → Conversations → TCP
  • Add the “TCP completeness” column (if not visible)
    • Each flow will show:
    • Numeric bitmask (tcp.completeness)
    • Symbolic representation (tcp.completeness.str)
  • Example:
    •  
  • Sort by completeness to instantly find failed or truncated sessions.

๐Ÿง  Why This Matters for Engineers

The tcp.completeness metric is effectively a conversation fingerprint.
It allows you to:

  • Rapidly distinguish between graceful, reset, and half-open sessions
  • Correlate packet traces with app-layer behavior
  • Quantify TCP health (e.g., “98.9% of TCP sessions reached completeness = 63”)
  • Detect capture gaps, asymmetric routing, or device-level aborts 
ValuePatternMeaning
1 (S)SYN onlyClient attempted, no response
7 (S A A)Full handshake, idleConnection opened, no data
15 (S A A D)Handshake + data, incomplete closeAbrupt stop
31 (S A A D F)Clean on one sideServer/client missing final FIN
63 (S A A D F R)Full, ideal flowHandshake + data + proper closure

 ๐Ÿงท Summary

TCP Conversation Completeness Formula = the DNA of a TCP flow.
Each bit tells part of the story — who spoke first, who replied, who sent data, who closed properly, and who dropped abruptly.

When combined with packet-level validation practices, it transforms Wireshark from a diagnostic tool into a quantitative network quality meter.

No comments:

Post a Comment