The endpoint and conversation summary contains a list of all Ethernet, IPv4 and IPv6 endpoints and conversations, plus all TCP and UDP conversations. It is similar to the endpoint and conversation statistics of Wireshark, but all in one form and for all the files currently listed in the file list (provided they have been scanned first, of course). The number in brackets after each tab caption is the number of lines the corresponding list contains. All columns can be sorted by clicking on the column headers.
What is special about the conversation summary is that it is created from the deep scans of all files in the current file list, so it shows an aggregated view over all files. This means that, e.g., if a TCP conversation starts in one file, continues over the next and ends in the third file, it will only be listed once, and all counters will reflect the totals of that conversation. So if you close the conversation summary, remove a file from the list and open the summary again, you'll see that its lines have changed accordingly.
While scanning the files for endpoints and conversations TraceWrangler automatically detects and records the following attributes:
- Count and indexes of the interfaces on which packets for the endpoint or conversation were captured
- Conversations that are only flowing in one direction (often indicating trouble with the capture setup)
- Frames out-of-order, meaning that there is a negative delta time between at least two packets of a conversation. For more information, take a look at my blog post here. If this is diagnosed, the status column will show a message telling you that there were out-of-order frames instead of the TCP conversation status.
- Conversations that span multiple files
- Conversations where the Ethernet frame has trailing bytes after the normal TCP/UDP/IPv4/IPv6 payload
- Hard slicing, meaning that the frame was only captured partially and the information about the original length is lost, so Wireshark cannot tell that the frame was truncated. This usually leads to a lot of TCP expert warnings in Wireshark because the TCP dissector thinks that segments are missing.
The TCP conversations are special, because they add two columns that are rarely seen in other tools: Initial RTT and Status.
Initial RTT: Initial RTT is the duration of the TCP three way handshake. It is quite important because it can be used to verify TCP behavior, especially when it comes to lost segments and retransmissions. It can also show conversations that have issues with latency or packet loss just by sorting for high values. The conversation list shows Initial RTT in seconds.
Status: TraceWrangler keeps track of the TCP connection setup and tear-down. There are a number of possible values, most of them verified by checking sequence numbers, which will be shown in the status column:
- No Handshake, no teardown: no SYN flag was seen for this connection, so neither a SYN nor a SYN/ACK was found, and there was no FIN or RST at the end either.
- SYN sent: only a SYN packet was seen, but no SYN/ACK
- SYN/ACK sent: a SYN/ACK packet was seen, but no SYN before that
- SYN Two Way: both IPs have sent a SYN packet for the same conversation ("Simultaneous initiation"/"four way handshake", see page 32 of RFC 793), but there was no SYN/ACK from either side
- TCP half open: SYN and SYN/ACK were seen and are correct, but no ACK was found. Handshake is incomplete.
- SYN rejected: a SYN packet was seen but answered by a reset packet, refusing the connection
- Handshake complete: a full three-way handshake was observed, but no FIN or RST at the end of the connection, so parts are probably missing at the end
- Handshake complete after multi SYN retry: same as "Handshake complete", but there were two or more SYN packets before the SYN/ACK was seen. This points to the server not accepting incoming connections right away, or packet loss of the initial SYN packet.
- Handshake complete after initial SYN reject: this is a very unusual connection, because the server rejected at least one SYN packet with an RST packet before accepting the same connection for another SYN packet
- Handshake and Teardown: a full three-way handshake was observed, and a FIN or RST at the end. This may not be a complete FIN/ACK/FIN/ACK exchange, as TraceWrangler just cares whether there is at least one FIN. This status may also be seen with the "multi SYN retry" or "initial SYN reject" attribute.
- Teardown: no handshake was seen, but packets of an active conversation were followed by a FIN or RST at the end.
- New socket closed due to client inactivity: this indicates that a TCP three-way handshake was completed, but no data was transferred before the session was torn down again. The delta time between the established session and the teardown must be at least twice the iRTT.
Additional status messages may appear that aren't directly related to the TCP layer, but may be of interest or impact:
- Spans multiple files: If TraceWrangler detected that a TCP conversation is spanning more than one file it will add a message about it to the status.
- Frames out-of-order: In case a file has out-of-order frames (which usually only happens when capturing on multiple interfaces) it will show a message about that fact instead of the normal TCP status messages. Out-of-order frames prevent detecting the status correctly, so to be able to get the correct status the file needs to be reordered by absolute time stamp first.
- Has Ethernet trailer: if bytes are found after the TCP payload (as indicated by the IPv4/IPv6 payload length) this message will be shown
- IP fragmented: TCP segments should normally never be fragmented at the IP layer (the MSS is chosen to avoid it), but if they are, the status will tell you
- Port reused: if two conversations are seen with the exact same IP and port combination the according list entry will be flagged
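To make the status values above concrete, here is an added example (my own illustration, not TraceWrangler's code) that classifies one TCP conversation from its packet list the way the status column describes: it checks for negative delta times first, then verifies the SYN, SYN/ACK and ACK by sequence/acknowledgment number, derives the Initial RTT from the handshake, and applies the "multi SYN retry", "initial SYN reject", "Teardown" and "client inactivity" rules. The packet records and conversations are constructed for the example; the assumption that the iRTT is measured from the last SYN that the SYN/ACK actually acknowledges is mine.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Pkt:
    """Minimal TCP packet record (constructed for this example)."""
    ts: float          # absolute timestamp in seconds
    src: str           # sender "ip:port"
    dst: str           # receiver "ip:port"
    flags: str         # any of S (SYN), A (ACK), F (FIN), R (RST)
    seq: int = 0       # sequence number
    ack: int = 0       # acknowledgment number
    payload: int = 0   # TCP payload bytes


def _has(p: Pkt, *flags: str) -> bool:
    return all(f in p.flags for f in flags)


def classify(pkts: List[Pkt]) -> dict:
    """Classify one TCP conversation given its packets in file order.

    Returns {"status": <status text>, "irtt": <seconds or None>}.
    """
    # Negative delta time between consecutive frames: no handshake state can be
    # trusted until the file has been reordered by absolute timestamp.
    if any(b.ts < a.ts for a, b in zip(pkts, pkts[1:])):
        return {"status": "Frames out-of-order", "irtt": None}

    syns = [p for p in pkts if _has(p, "S") and not _has(p, "A")]
    synacks = [p for p in pkts if _has(p, "S", "A")]
    teardown = [p for p in pkts if _has(p, "F") or _has(p, "R")]

    def rejected(syn: Pkt) -> bool:
        # A RST that refuses a SYN comes back from the target and acks seq + 1.
        return any(_has(p, "R") and p.src == syn.dst and p.dst == syn.src
                   and p.ack == syn.seq + 1 for p in pkts)

    if not syns and not synacks:
        return {"status": "Teardown" if teardown else "No Handshake, no teardown",
                "irtt": None}
    if not synacks:
        if any(rejected(s) for s in syns):
            return {"status": "SYN rejected", "irtt": None}
        if len({s.src for s in syns}) > 1:
            return {"status": "SYN Two Way", "irtt": None}
        return {"status": "SYN sent", "irtt": None}

    synack = synacks[0]
    # The SYN/ACK is only "correct" if it acknowledges a SYN we saw (seq + 1).
    answered = [s for s in syns if s.ts <= synack.ts and s.src == synack.dst
                and synack.ack == s.seq + 1]
    if not answered:
        return {"status": "SYN/ACK sent", "irtt": None}
    syn = answered[-1]  # last SYN before the SYN/ACK; retries reuse the seq

    # Third handshake packet: client ACK (no SYN/RST) acknowledging synack.seq + 1.
    third = [p for p in pkts if p.ts >= synack.ts and p.src == syn.src
             and _has(p, "A") and not _has(p, "S") and not _has(p, "R")
             and p.ack == synack.seq + 1]
    if not third:
        return {"status": "TCP half open", "irtt": None}
    established = third[0]
    irtt = established.ts - syn.ts  # assumption: measured from the answered SYN

    status = "Handshake complete"
    if any(rejected(s) for s in syns if s.ts < synack.ts):
        status += " after initial SYN reject"
    elif len(answered) >= 2:
        status += " after multi SYN retry"

    later = [p for p in teardown if p.ts >= established.ts]
    if later:
        no_data = sum(p.payload for p in pkts) == 0
        if no_data and later[0].ts - established.ts >= 2 * irtt:
            status = "New socket closed due to client inactivity"
        else:
            status = status.replace("Handshake complete", "Handshake and Teardown")
    return {"status": status, "irtt": irtt}


# Constructed sample conversations (not real captures).
C, S = "10.0.0.1:51234", "10.0.0.2:80"
SAMPLES = {
    "complete": [
        Pkt(0.000, C, S, "S", seq=100),
        Pkt(0.050, S, C, "SA", seq=500, ack=101),
        Pkt(0.100, C, S, "A", seq=101, ack=501),
        Pkt(0.101, C, S, "A", seq=101, ack=501, payload=20),
        Pkt(0.150, S, C, "A", seq=501, ack=121, payload=100),
        Pkt(0.200, C, S, "FA", seq=121, ack=601),
        Pkt(0.250, S, C, "FA", seq=601, ack=122),
        Pkt(0.300, C, S, "A", seq=122, ack=602),
    ],
    "retry": [Pkt(0.000, C, S, "S", seq=100), Pkt(1.000, C, S, "S", seq=100),
              Pkt(1.050, S, C, "SA", seq=500, ack=101), Pkt(1.100, C, S, "A", seq=101, ack=501)],
    "rejected": [Pkt(0.0, C, S, "S", seq=100), Pkt(0.05, S, C, "RA", seq=0, ack=101)],
    "half_open": [Pkt(0.0, C, S, "S", seq=100), Pkt(0.05, S, C, "SA", seq=500, ack=101)],
    "idle_close": [Pkt(0.000, C, S, "S", seq=100), Pkt(0.050, S, C, "SA", seq=500, ack=101),
                   Pkt(0.100, C, S, "A", seq=101, ack=501), Pkt(5.000, C, S, "FA", seq=101, ack=501)],
    "ooo": [Pkt(0.0, C, S, "S", seq=100), Pkt(0.05, S, C, "SA", seq=500, ack=101),
            Pkt(0.04, C, S, "A", seq=101, ack=501)],
    "two_way": [Pkt(0.0, C, S, "S", seq=100), Pkt(0.01, S, C, "S", seq=300)],
}

if __name__ == "__main__":
    for name, conv in SAMPLES.items():
        print(f"{name:11} {classify(conv)}")
```

Note how the out-of-order check runs before anything else: once timestamps go backwards, the "SYN before SYN/ACK" ordering the other rules depend on is meaningless, which is exactly why the status column replaces the TCP status with the out-of-order message until the file has been reordered.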
A filter field is available in the lower right corner of the status bar. Anything you put in there is matched against the addresses in the currently visible list. In the case of TCP conversations you can also search for specific status texts. When a filter is active, the current tab shows two numbers (displayed lines and total lines) instead of just the total count. A filter can be negated by prefixing it with "not " or "!". Pressing the escape key clears the filter instantly.
Copy as Shark Filter
A pop-up menu is available for all lists, allowing you to copy a Wireshark/tshark display filter for any selected line to the clipboard. When multiple lines are selected, a combined filter covering all selected lines is created.
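As an added illustration of what such a copied filter looks like (example code written for this page, not TraceWrangler's implementation), the following builds Wireshark display filters for endpoint and conversation lines and ORs them together for a multi-line selection. The field names (`eth.addr`, `ip.addr`, `ipv6.addr`, `tcp.port`, `udp.port`) are standard Wireshark fields; the exact filter text TraceWrangler emits is an assumption.

```python
import ipaddress
from typing import Sequence


def endpoint_filter(addr: str) -> str:
    """Display filter for one endpoint line: MAC, IPv4 or IPv6 address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return f"eth.addr == {addr}"          # not an IP literal: treat as MAC
    return f"{'ip' if ip.version == 4 else 'ipv6'}.addr == {ip}"


def conversation_filter(a: str, port_a: int, b: str, port_b: int,
                        proto: str = "tcp") -> str:
    """Display filter for one TCP/UDP conversation line, both directions."""
    addr = "ip.addr" if ipaddress.ip_address(a).version == 4 else "ipv6.addr"
    return (f"{addr} == {a} && {proto}.port == {port_a} && "
            f"{addr} == {b} && {proto}.port == {port_b}")


def combined_filter(filters: Sequence[str]) -> str:
    """OR the filters of all selected lines, each in its own parentheses."""
    if len(filters) == 1:
        return filters[0]
    return " || ".join(f"({f})" for f in filters)


if __name__ == "__main__":
    # Constructed selection: one IPv4 TCP conversation and one IPv6 endpoint.
    print(combined_filter([
        conversation_filter("10.0.0.1", 51234, "10.0.0.2", 80),
        endpoint_filter("2001:db8::1"),
    ]))
```

One caveat worth knowing when pasting such a filter into Wireshark: the address/port form matches both directions of the conversation, but it would also match the (rare) mirrored combination a:port_b to b:port_a, and it does not distinguish two conversations that reuse the same port combination, which is exactly the "Port reused" case the summary flags.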