
What causes tcp completeness = Incomplete (40)? Source = 52.159.126.152 (the only packet in the trace file from them)

asked 2025-02-13 15:34:16 +0000

bugChaser

updated 2025-02-14 13:42:04 +0000

RST and Data flags = 1. SYN, SYN-ACK or FIN flags all = 0

I had observed a number of [t-ring-fdv2.msedge.net] packets in packet traces from the previous week that appeared to be faulty or suspect of some type of server problem.

I emailed them about these [t-ring-fdv2.msedge.net] 'errors'. I received no reply (which is pretty typical in my experience) as to the nature or source of the problem. But interestingly, the t-ring errors disappeared from my subsequent traces since reporting this.

Now, I have this Incomplete (40) packet from what is a Microsoft server. Anyone ever seen a (40)?


Comments

Same incomplete (40) for a single packet carrying TLS data from Cloudflare server US west coast.

bugChaser (2025-02-14 14:02:47 +0000)

1 Answer


answered 2025-02-16 17:47:09 +0000

André

TCP Conversation Completeness = 40 means that, in the capture containing this TCP stream, only packets with data (8; tcp.completeness.data == True) and TCP-RST (32; tcp.completeness.rst == True) are present.
This happens, for example, when the complete stream was not captured or as a result of DDoS backscatter.

See 7.5. TCP Analysis, section "TCP Conversation Completeness"
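
The bitmask arithmetic from the answer above, as an added example that is not part of the original answer and is not Wireshark's code. It decodes completeness values using the bit values from the "TCP Conversation Completeness" section and picks out streams such as 40 that have data or RST but no handshake. The sample rows, the documentation-range addresses and the triage labels are constructed assumptions.

```python
# Added example: decode Wireshark's tcp.completeness bitmask for triage.
# Bit values: SYN=1, SYN-ACK=2, ACK=4, DATA=8, FIN=16, RST=32.
BITS = [(1, "SYN"), (2, "SYN-ACK"), (4, "ACK"), (8, "DATA"), (16, "FIN"), (32, "RST")]
HANDSHAKE = 1 | 2 | 4   # all three handshake packets seen
CLOSE = 16 | 32         # FIN and/or RST seen


def decode(value):
    """Return the names of the packet types recorded in the bitmask."""
    return [name for bit, name in BITS if value & bit]


def classify(value):
    """Hypothetical triage labels (not Wireshark's own label strings)."""
    if value & HANDSHAKE == HANDSHAKE:
        return "full handshake, closed" if value & CLOSE else "full handshake, open"
    if value & HANDSHAKE == 0:
        return "no handshake captured"
    return "partial handshake"


# Constructed sample: one row per stream, tab-separated as
# tcp.stream, ip.src, tcp.completeness (addresses are documentation ranges).
SAMPLE = (
    "0\t192.0.2.10\t31\n"    # SYN+SYN-ACK+ACK+DATA+FIN
    "1\t198.51.100.7\t40\n"  # DATA+RST only, the case asked about
    "2\t203.0.113.5\t7\n"    # bare three-way handshake
    "3\t192.0.2.44\t35\n"    # SYN+SYN-ACK then RST, no final ACK
)


def triage(tsv):
    """Parse the rows into (stream, src, flag names, label) tuples."""
    rows = []
    for line in tsv.strip().splitlines():
        stream, src, value = line.split("\t")
        rows.append((int(stream), src, decode(int(value)), classify(int(value))))
    return rows


def orphans(tsv):
    """Streams with no handshake bits: partial capture or unsolicited traffic."""
    return [row for row in triage(tsv) if row[3] == "no handshake captured"]


if __name__ == "__main__":
    for stream, src, flags, label in triage(SAMPLE):
        print(f"stream {stream} from {src}: {'+'.join(flags)} -> {label}")
```
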


Comments

Thanks for your answer on my observation. It's possible that the pattern -- which seems to repeat at odd intervals, sometimes 3 or 4 days apart -- is indeed a vestige of last summer's Cloudflare internet troubles in the U.S. and elsewhere. As it develops, Microsoft operates some kind of obscure support for non-Microsoft sources to use, based on certificates with the other software sources are clean.

These "40's" are rare and indeed quite odd. Can't help but wonder if there's something amiss with the "*.wns.windows.com". It is appearing in a few of the packets in different NETSH reboot traces over time, and is closely associated with "http://oneocsp.microsoft.com/ocsp.." (more?).

Am doubtful any Microsoft support will shed any light on this issue. It may be that one (or more) of their servers are experiencing faults caused by either bad certificates they ...(more)

bugChaser (2025-02-16 18:13:47 +0000)
