Hi, can anybody help me find out why, when I log into a remote desktop on a LAN, Wireshark always shows me 2 packets with the same sequence number sent from the client? They are sent within a range of about 0.000020 s of each other. The links below are illustrative pictures. Packets 13 and 14 have the same sequence number. Does anyone know why this is happening? http://img151.imageshack.us/i/86983975.jpg/ http://img200.imageshack.us/i/28874023.jpg/ asked 02 Apr '11, 13:48 Steeevee
5 Answers:
As hansangb pointed out, the IP-ID is your best bet to find out what's happening. The IP-ID (IP Identification) is like a 16-bit serial number assigned to each packet sent by a computer. The IP-ID is often helpful when tracking packets through a NAT gateway, or, like in your case, a "maybe-retransmission". If you captured with a SPAN port, Wireshark may see packets twice:
If both packets have the same IP-ID: voila, it's the same packet. The short delta time suggests that this is what's happening in your trace. If a routing engine is involved, say if you are working with a Layer 3 switch, the TTL in the IP header will be reduced by 1. When working with a Layer 2 switch the duplicate packets will be absolutely identical. The utility editcap with parameter -d helps to eliminate duplicate packets. When working with editcap I also add the parameter -w to make sure that editcap does not toss out BPDUs (which are expected to be identical and show up every 2 seconds). Good hunting! answered 03 Apr '11, 03:57 packethunter
No, the IDs of the packets are 13 and 14. I do not know why, but when I'm on the LAN they are sent just two in a row with the same sequence number; the delay between these packets is about 0.000020 - 50. The packet that goes from me (client) to the RDP server is always sent 2 times, I mean with the same sequence number, as shown in the accompanying pictures. Thank you for help answered 03 Apr '11, 04:00 Steeevee

The "ID" is not the packet number shown in the Wireshark packet list. We are referring to a field in the IP header. Open the IP header in the decode and look for the field "Identification". We want to know if the (hex) number in the field is the same for your packets 13 and 14. (03 Apr '11, 07:37) packethunter

Anyone want to tackle this: "the delay between this packet is about 0.000020 - 50"? Can we trust anything to 20 μs? I tend to get on my soapbox when it comes to using/trusting timings this exact with today's hardware. (05 Apr '11, 05:11) GeonJay
I am sorry, these packets (13, 14) have the same identification number 0x6311, so that was the problem, perhaps it is due to what you wrote. I will try to connect directly to a PC and see. Thank you very much answered 03 Apr '11, 11:22 Steeevee
Hi, I connected peer to peer with the RDP server without any switch or router and I see in Wireshark the same problem, 2 packets with the same identification number. Do you know why? Thank you very much answered 04 Apr '11, 11:35 Steeevee

Can you lay out your network? PC --> ? --> ? --> server. Can you fill in the details and tell us where you're capturing from? (04 Apr '11, 18:51) hansangb
PC - 2m patchcord - RDP server. I tried to connect to remote desktop from another PC in the same network and in Wireshark I don't see 2 identical packets. Perhaps it is in my notebook; I've got a lot of VPN connections and network adapters installed there answered 05 Apr '11, 01:33 Steeevee

Aha! There you go. In the past, having QoS Scheduler (for example) caused duplicate packets. Or it may be due to VPN adapters, or you may be using some other shim that's causing WinPcap to capture duplicates. Use editcap.exe from the command line. "editcap.exe -d OriginalFileHere.pcap NewFileHere.pcap" will create the new file w/o duplicates. (06 Apr '11, 18:06) hansangb
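The check packethunter describes (same IP-ID within microseconds; byte-identical copy on a Layer 2 SPAN or capture shim versus a TTL-minus-one copy when a Layer 3 hop is in the path) and the editcap -d cleanup hansangb suggests, as an added example that is not from the thread or from the Wireshark project. It builds a few constructed IPv4 packets (no Ethernet header) that mimic the client-to-RDP-server traffic, including a copy with the 0x6311 ID mentioned above, then classifies the duplicates and applies a de-duplication pass. The 5-frame window and the optional time window approximate editcap's -d and -w behaviour as I understand them; they are assumptions of this example, not a reading of editcap's source, and the hash used here is SHA-256 rather than editcap's MD5.

```python
"""Spot duplicated frames in a capture: same IP-ID (plus addresses and protocol)
within a short time, then tell an exact copy (SPAN port, capture shim) from a
routed copy (TTL one lower, recomputed header checksum)."""
import hashlib
import socket
import struct
from collections import deque

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over the 16-bit words of the header."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(ip_id, ttl, src, dst, payload=b"", proto=6) -> bytes:
    """Constructed IPv4 packet for the demo (no Ethernet header), checksum filled in."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ip_id, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Pull the fields the duplicate check needs out of a raw IPv4 packet."""
    _, _, _, ip_id, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return {"id": ip_id, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def find_ip_id_duplicates(frames, window=5, max_delta=0.001):
    """frames: list of (timestamp_s, raw_ipv4). Each frame is compared with the
    previous `window` frames; a pair counts only if it shares IP-ID, addresses and
    protocol and arrived within max_delta seconds. One record per suspected pair."""
    recent = deque(maxlen=window)
    hits = []
    for idx, (ts, raw) in enumerate(frames, start=1):
        hdr = parse_ipv4(raw)
        for p_idx, p_ts, p_raw, p_hdr in recent:
            same_flow = all(hdr[k] == p_hdr[k] for k in ("id", "src", "dst", "proto"))
            if not same_flow or ts - p_ts > max_delta:
                continue
            if raw == p_raw:
                kind = "identical"       # L2 SPAN / driver shim: byte-for-byte copy
            elif p_hdr["ttl"] - hdr["ttl"] == 1 and raw[20:] == p_raw[20:]:
                kind = "routed-copy"     # seen before and after a L3 hop: TTL-1, new checksum
            else:
                kind = "same-id-other-content"
            hits.append({"first": p_idx, "second": idx, "ip_id": hdr["id"], "kind": kind})
        recent.append((idx, ts, raw, hdr))
    return hits


def drop_duplicates(frames, window=5, time_window=None):
    """Approximation (assumed, not editcap's code) of editcap -d: drop a frame whose
    digest matches one of the previous `window` frames. With time_window set, only
    drop it if it also arrived within that many seconds, which is the reason given
    above for -w: BPDUs repeat byte-identically every 2 s and must survive."""
    recent = deque(maxlen=window)
    kept = []
    for ts, raw in frames:
        digest = hashlib.sha256(raw).digest()
        dup = any(d == digest and (time_window is None or ts - p_ts <= time_window)
                  for p_ts, d in recent)
        recent.append((ts, digest))
        if not dup:
            kept.append((ts, raw))
    return kept


# Constructed sample capture: client 192.168.1.10 -> RDP server 192.168.1.20
CLIENT, SERVER = "192.168.1.10", "192.168.1.20"
SAMPLE_FRAMES = [
    (0.000000, build_ipv4(0x6310, 128, CLIENT, SERVER, b"syn")),
    (0.000100, build_ipv4(0x6311, 128, CLIENT, SERVER, b"rdp-data")),
    (0.000120, build_ipv4(0x6311, 128, CLIENT, SERVER, b"rdp-data")),  # exact copy 20 us later
    (0.000500, build_ipv4(0x6312, 128, CLIENT, SERVER, b"rdp-data")),
    (0.000520, build_ipv4(0x6312, 127, CLIENT, SERVER, b"rdp-data")),  # same packet after a L3 hop
    (2.000000, build_ipv4(0x6311, 128, CLIENT, SERVER, b"rdp-data")),  # legitimate ID reuse 2 s later
]

if __name__ == "__main__":
    for hit in find_ip_id_duplicates(SAMPLE_FRAMES):
        print(f"frames {hit['first']}/{hit['second']} IP-ID 0x{hit['ip_id']:04x}: {hit['kind']}")
    print(len(drop_duplicates(SAMPLE_FRAMES)), "frames kept with a 5-frame window only")
    print(len(drop_duplicates(SAMPLE_FRAMES, time_window=0.001)), "frames kept with a 1 ms time window")
```

Run as a script it reports frames 2/3 as identical and frames 4/5 as a routed copy, and the last frame shows why the time window matters: with a frame-count window alone it is thrown away as a duplicate of frame 2, with a 1 ms time window it is kept. In a real capture, feed the function the timestamp and IPv4 bytes of each frame (for example from a pcap reader) instead of the constructed list.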
Are the IP IDs the same? You may be capturing it twice (entering and exiting the VLAN)