This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi can anybody help me find out why when I log into a remote desktop in Lan area in Wireshark shows me always 2 packets with the same sequence number sent from the client. They send in the range of 0.000020. The link below is an illustrative picture. Pakcet 13,14 have same sequence number. Does anyone know why this is happening?

http://img151.imageshack.us/i/86983975.jpg/ http://img200.imageshack.us/i/28874023.jpg/

asked 02 Apr '11, 13:48

Steeevee's gravatar image

Steeevee
1111
accept rate: 0%

Are the IP ID's the same? You may be capturing it twice (entering and exiting the VLAN)

(02 Apr '11, 17:48) hansangb

As hansangb pointed out, the IP-ID is your best bet to find out what's happening.

The IP-ID (IP Identification) is like a 16-Bit serial number assigned to each packet send by a computer. The IP-ID is often helpful when tracking packets through a NAT gateway - or like your case a "maybe-retransmission".

If you captured with a SPAN port Wireshark may see packets twice:

  • First when the packet enters the switch. The process responsible for the SPAN port detects the packets as "yes forward to analyzer port"
  • Then the packet gets processed by the switch and is queued to be transmitted to the next hop
  • The second packet is forwarded to the analyzer port when the packet leaves the switch. That's your second packet.

If both packets have the same IP-ID: Voila: It's the same packet.

The short delta time suggests that this is, what's happening in your trace.

If a routing engine is involved, say if you are working with a Layer 3 switch, the TTL in the IP header will be reduced by 1.

When working with a Layer 2 switch the duplicate packets will be absolutely identical. The utility editcap with parameter -d helps to eliminate duplicate packets. When working with editcap I also add the parameter -w to make sure that editcap does not toss out BPDU's (which are expected to be identical and show up every 2 seconds).

Good hunting!

permanent link

answered 03 Apr '11, 03:57

packethunter's gravatar image

packethunter
2.1k71548
accept rate: 8%

No, id of packets are 13 and 14, I do not know why but when I'm on lan that are sent just two in a row with the same sequence number, the delay between this packet is about 0.000020 - 50, the packet goes from me(client) to the RDP server is always sent to 2 times - I mean with the same sequence number, as shown in the accompanying pictures.

Thank you for help

permanent link

answered 03 Apr '11, 04:00

Steeevee's gravatar image

Steeevee
1111
accept rate: 0%

The "ID" is not the packet number shown in the Wireshark packet list.

We are referring to a field in the IP header. Open the IP header in the decode and look for the field "Identification". We want to know if the (hex) number in the field is the same for your packets 13 and 14.

(03 Apr '11, 07:37) packethunter

Anyone want to tackle this: "the delay between this packet is about 0.000020 - 50"

Can we trust anything to 20μs? I tend to get on my soapbox when it comes to using/trusting timings this exact with today's hardware.

(05 Apr '11, 05:11) GeonJay

I am sorry, these packets(13,14) has the same identification number 0x6311, so that was the problem, perhaps it is due to how you write up, I try to connect directly to a PC and see. Thank you very much

permanent link

answered 03 Apr '11, 11:22

Steeevee's gravatar image

Steeevee
1111
accept rate: 0%

Hi I joined a peer to peer with RDP server without any switch or router and i see in the wireshark the aame problem, 2 packets with the same identification number, do you know why?

Thank you very much

permanent link

answered 04 Apr '11, 11:35

Steeevee's gravatar image

Steeevee
1111
accept rate: 0%

Can you layout your network?? PC --> ? --> ? --> server Can you fill in the details and tell us where you're capturing from?

(04 Apr '11, 18:51) hansangb

PC -2m patchcord - RDP server, I tried to connect to remote desktop from another PC in the same network and in wireshark 2 identical packets I donť see. Perhaps it is in my notebook, I've got a lot of VPN connections and network adapters installed there

permanent link

answered 05 Apr '11, 01:33

Steeevee's gravatar image

Steeevee
1111
accept rate: 0%

1

Aha! There you go. In the past, having QoS Scheduler (for example) caused duplicate packets. Or it may be due to vpn adapters, or you may be using some other shim that's causing winpcap to capture duplicates. Use editcap.exe from the command line. "editcap.exe -d OriginalFileHere.pcap NewFileHere.pcap" will create the new file w/o duplicates.

(06 Apr '11, 18:06) hansangb
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×22

question asked: 02 Apr '11, 13:48

question was seen: 3,806 times

last updated: 06 Apr '11, 18:06

p​o​w​e​r​e​d by O​S​Q​A