I am seeing an ack real quick after the same ack thus wireshark marks it as duplicate. It is the first packet after the original ack. My question is is it normal to have ack this close together. What scenario's would have this kind of traffic. Thank you for your time asked 15 Oct '12, 03:48 dtor |
2 Answers:
Different IP ID and the rest of the packet is identical? Sounds strange... If it was the same IP ID, I would have suggested a problem with your capture setup, e.g. mirroring the whole VLAN on a switch, instead of a single port, which can lead to duplicate packets in some situations. can you please tell us more about your capture setup?
Can you post a small sample capture somewhere (cloudshark.org)? Regards answered 17 Oct '12, 11:17 Kurt Knochner ♦ edited 17 Oct '12, 11:20 Hello Kurt, The capture was made on a router interface which was mirrored. The traffic is within one vlan. I used latest wireshark 1.8 (SVN 45256) /winpcacp 4.1.2 on windows vista. I see what I can do about uploading a capture. (17 Oct '12, 23:25) dtor (18 Oct '12, 01:48) dtor I did not deduplicate this file (18 Oct '12, 02:03) dtor as you can see, all your frames are duplicates. They differ only in the source mac address (77:8f:00 versus 77:8f:2b). The rest is identical. How is your port mirroring configured? Just by chance: Did you enable IP Forwarding on your capturing machine? If so, it will also Layer-2 forward the captured packets, which will lead to duplicate packets. I doubt that, as both mac addresses are from Cisco gear, but without further information about your capture setup it's hard to give any good advice. (18 Oct '12, 03:59) Kurt Knochner ♦ hello kurt, Thanks for looking and commenting on the dump. Regarding the capture setup - I don't have ICS enabled on my vista. - monitor session 1 source interface Gi0/10 monitor session 1 destination interface Gi0/20 (18 Oct '12, 05:08) dtor O.K. then let's have a look at the mac addresses. Do both (00:0f:f8:77:8f:2b and 00:0f:f8:77:8f:00) belong to the router? Are those different interfaces in the same/different VLAN? (18 Oct '12, 05:19) Kurt Knochner ♦ orry I missed "both" so it should be monitor session 1 source interface Gi0/10 both could that be it? Though the traffic is within one vlan (18 Oct '12, 08:16) dtor I can't seem to download the file for some reason. I thought the IP ID's are different? Do you have a trunk on Gi0/10? Perhaps you have one armed routing with VLAN? Coming up via one VLAN and going down via another VLAN? (18 Oct '12, 18:13) hansangb (18 Oct '12, 23:44) dtor This looks like the capture setup is not really working well. We see packets coming from 10.0.0.98 with 2 different MACs while the packets from 10.0.0.113 are duplicated coming from the same MAC. A physical setup diagram could help here, but this is indeed a strange trace. (19 Oct '12, 05:09) Jasper ♦♦ I am thinking that the cisco device is sending the packet twice. I am still to find the port or interface where the 8f:2b mac is originating from. Sounds strange but that's where I am at. I am contacting support regarding this, it must be something I am not doing correctly. (19 Oct '12, 05:41) dtor It turns out to be an interface on the cisco which is used in the monitor session. (24 Oct '12, 00:07) dtor well, then it's
If that interface in any way related to
Is it possible to post the port mirroring config? (29 Oct '12, 04:55) Kurt Knochner ♦ showing 5 of 13 show 8 more comments |
I too am seeing this behavior. I'm running a packet capture in VMware (seen in both 4 and 5) to watch specific hosts with capture filters. I see up to 31 duplicate packets at a time (the fewer the number of dups in the set the more frequently I see the issue) and these are on 2 minute captures. In one case it's between 2 servers (vm's) in another between a client (desktop) and server (vm). I have never seen this type of behavior before but now that I'm seeing it in repeated locations throughout the network I'm getting concerned. Anyone have any ideas as to why so many packets with such small delta's? Thanks! Craig answered 04 Dec '12, 13:47 Craig |
Once scenario would be that you're capturing the same packet twice. You can check by looking at IP ID. See if they are the same. Let's rule out the most likely suspect first.
With that timing, I bet Hansang is right - should be a duplicate. Use editcap -d (command line tool installed with Wireshark) to deduplicate your trace first.
Ok, I did a editpcap -d and lost 3 packets in the stream but the Dup ack is still there:
if I look under IP > Identification they both are different the delta time is 0.000004 seconds if I set the REF on the ack above it.