Guy Harris wrote:
It could also be used to indicate to things like TCP desegmentation that we've reached EOF so TCP could attempt to desegment things marked DESEGMENT_UNTIL_FIN even though we haven't seen a FIN (see bug 3785). Any memory held hoping for more packets (e.g., the last fragments for reassembly) could be freed at the end of the capture instead of waiting for the file to be closed.
A separate "cleanup" routine, called when the capture is closed, *before* the se_allocated memory is freed, might be useful...
...but it won't solve the problem you mention. *That* might well require an indication to be delivered *on* the last packet, rather than *after* the last packet, which makes it more complicated (especially in a live capture).
My thought here was that the cleanup routine would tell TCP that the EOF
was reached and TCP would then mark all the connections as having
reached FIN.
But it's true that this would only get Wireshark to attempt to dissect
what we have after the last packet _in each connection_ is redissected
(probably when the user clicks on it unless there was some way to force
redissection of certain frames).