
conversation completeness incomplete 60


Hi, I can't find any documentation on this code "60" about "conversation completeness". I have a lot of these incomplete connections. Does Wireshark have a service to analyze a problem?

Tom
asked 2023-12-28 13:59:20 +0000

Comments

Would you be so kind as to explain your question?

hugo.vanderkooij (2023-12-28 14:34:28 +0000)

What else does it say, beyond code "60"?

Jaap (2023-12-28 17:28:06 +0000)

Documentation in the WSUG: 7.5. TCP Analysis

TCP Conversation Completeness

See these Gitlab issues for related discussions:
18911: TCP Completeness elaborate by expand option
19092: TCP Conversation Completeness : FTP created conversations issue

Chuckc (2023-12-29 01:29:02 +0000)

1 Answer


TCP conversation completeness is a bitwise field where the occurrence of certain flags over the conversation is recorded and then every packet in the TCP conversation gets that value for conversation completeness. The flags being recorded are:

1 - SYN from client
2 - SYN/ACK from server
4 - bare ACK (any direction)
8 - data (any direction)
16 - FIN (any direction)
32 - RST (any direction)

Which means a TCP conversation with completeness value 60 has seen a bare ACK, data, a FIN and a RST, but no SYN from the client and no SYN/ACK from the server. In short, the capture was started in the middle of the session. That's why it is marked as "Incomplete".

SYN-bit
answered 2023-12-28 19:16:46 +0000
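The decoding described in the answer above, as an added example that is not part of the original post and is not Wireshark's own code. The names `Completeness`, `decode`, `missing_handshake` and `completeness_of`, the packet tuples, and the treatment of a "bare ACK" as an ACK-only segment with no payload are assumptions made for illustration.

```python
from enum import IntFlag

class Completeness(IntFlag):
    """Bit values exactly as listed in the answer above."""
    SYN = 1      # SYN from client
    SYN_ACK = 2  # SYN/ACK from server
    ACK = 4      # bare ACK (any direction)
    DATA = 8     # data (any direction)
    FIN = 16     # FIN (any direction)
    RST = 32     # RST (any direction)

def decode(value):
    """Names of the flags recorded in a completeness value."""
    return [f.name for f in Completeness if value & f]

def missing_handshake(value):
    """Handshake steps the capture never saw (hypothetical helper)."""
    return [f.name for f in (Completeness.SYN, Completeness.SYN_ACK)
            if not value & f]

def completeness_of(packets):
    """Fold (flag names, payload length, from_client) packets into one value."""
    # Assumption: a "bare ACK" is ACK-only with no payload (simplified model).
    value = 0
    for flags, payload_len, from_client in packets:
        if flags == {"SYN"} and from_client:
            value |= Completeness.SYN
        elif flags == {"SYN", "ACK"} and not from_client:
            value |= Completeness.SYN_ACK
        elif flags == {"ACK"} and payload_len == 0:
            value |= Completeness.ACK
        if payload_len > 0:
            value |= Completeness.DATA
        if "FIN" in flags:
            value |= Completeness.FIN
        if "RST" in flags:
            value |= Completeness.RST
    return int(value)

# Constructed sample: capture started after the handshake had finished.
MID_STREAM = [
    ({"ACK", "PSH"}, 120, True),  # data from client
    ({"ACK"}, 0, False),          # bare ACK from server
    ({"FIN", "ACK"}, 0, True),    # client closes
    ({"RST"}, 0, False),          # server resets
]

if __name__ == "__main__":
    print(decode(completeness_of(MID_STREAM)))
```
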

Comments

The bits of that field are defined by Wireshark, not by any protocol, so there's no protocol-level significance to the value 60. It's the individual bits, as per @SYN-bit, that matter; in this case, they mean, as he indicates, that, because the packet capture was started in the middle of the TCP session, Wireshark didn't see the connection being established, it just saw data transferred after the connection was established and then saw the end of the connection (which involved an RST).

Perhaps that field should explain what at least some values mean.

Guy Harris (2023-12-28 20:36:44 +0000)

Perhaps that field should explain what at least some values mean.

It does, the tree item has a subtree which lists the individual flags. Therefore I asked "What else does it say?", to see if OP is aware of this fact, or guide to it. Whether the (decimal) value has any significance, other than a value to filter on, is debatable IMHO.

Jaap (2023-12-29 12:58:28 +0000)

Many thanks to all

Tom (2023-12-29 16:52:51 +0000)
