This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Duplicate RTP packets

0

I have a customer trace that is showing duplicate RTP packets (lost RTP packets shows a negative number). My span session on a Cisco 2940 is only spanning the interface, not the VLAN and is correct:-

monitor session 1 source interface fa0/1

monitor session 1 destination interface fa0/8 encaps dot1q

However, after taking the trace I found that both data & voice all use the same VLAN (OK poor network design).

Is it possible to build a display filter to show the duplicate packets, so as I can set up a color filter to show them?

asked 17 Aug '12, 07:32

KeithFrench
accept rate: 0%


One Answer:

0

You will need to find a criterion you can filter on. It should be one value for the "originals" and another for the duplicates. If you don't have exact byte-by-byte duplicates this should be possible; often you can use the VLAN ID (if you have duplicate packets on different VLANs) or the TTL (which is usually 1 less after the packet was routed). If you can find a criterion that works for you, just right-click on the field in the decode and select "Apply as Filter -> selected" to filter the packets. You get the other half by negating the filter.

answered 17 Aug '12, 09:48

Jasper ♦♦
accept rate: 18%
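An added example, not part of the original answer: a small Python script that applies the approach described above to raw Ethernet/IPv4/UDP/RTP frames. It groups frames by RTP SSRC and sequence number, checks whether the VLAN ID or the TTL separates the first copy from the later ones, and returns a display filter built from Wireshark's `rtp`, `vlan.id` and `ip.ttl` fields. It assumes the first copy seen is the "original"; `make_frame` and the frames it builds are constructed sample data.

```python
import struct
from collections import defaultdict

def parse(frame):
    """Return (vlan, ttl, ssrc, seq) for an Ethernet/IPv4/UDP/RTP frame, else None."""
    etype, off, vlan = struct.unpack_from("!H", frame, 12)[0], 14, None
    if etype == 0x8100:                          # 802.1Q tag present
        tci, etype = struct.unpack_from("!HH", frame, 14)
        vlan, off = tci & 0x0FFF, 18
    if etype != 0x0800 or frame[off + 9] != 17:  # only IPv4 carrying UDP
        return None
    ttl = frame[off + 8]
    rtp = off + (frame[off] & 0x0F) * 4 + 8      # skip IP header and UDP header
    seq, _ts, ssrc = struct.unpack_from("!HII", frame, rtp + 2)
    return vlan, ttl, ssrc, seq

def duplicate_filter(frames):
    """Return a display filter selecting the later copies, or None if no field works."""
    seen = defaultdict(list)
    for f in frames:
        p = parse(f)
        if p:
            seen[p[2:]].append(p[:2])            # key (ssrc, seq) -> [(vlan, ttl), ...]
    dups = [v for v in seen.values() if len(v) > 1]
    for idx, field in ((0, "vlan.id"), (1, "ip.ttl")):
        first = {v[0][idx] for v in dups}        # assumption: first copy is the original
        later = {c[idx] for v in dups for c in v[1:]}
        if dups and None not in first | later and not first & later:
            return "rtp && (" + " || ".join(f"{field} == {x}" for x in sorted(later)) + ")"
    return None  # no duplicates, or copies identical in both fields

def make_frame(vlan, ttl, seq, ssrc=0x1234ABCD):
    """Constructed sample frame: zeroed MACs and addresses, 20-byte RTP payload."""
    rtp = struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + bytes(20)
    udp = struct.pack("!HHHH", 16384, 16384, 8 + len(rtp), 0) + rtp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     bytes(4), bytes(4)) + udp
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return bytes(12) + tag + struct.pack("!H", 0x0800) + ip

if __name__ == "__main__":
    capture = [make_frame(10, 64, s) for s in (1, 2)] + [make_frame(20, 64, s) for s in (1, 2)]
    print(duplicate_filter(capture))
```

A `None` result for a capture that does contain repeated SSRC/sequence pairs corresponds to the byte-by-byte duplicate case the answer mentions, where neither field can be used as a filter.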