This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Ping: Two ping requests but one ping reply

Hello,

I have a machine with two different wireless interfaces (two different PCI cards). I run Wireshark and ping another machine in the same LAN. Wireshark displays two ping requests and one ping reply. The echo requests are exactly the same (same source and destination IP, same source and destination MAC address, same TTL, same sequence number, same checksum, everything is the same). Of course I see only one ping reply.

Does anyone have an idea about this behavior? Any help would be appreciated. Thanks in advance

asked 03 Feb '15, 01:17

johnson91

What is your OS and which version and what is your Wireshark version?

(03 Feb '15, 02:41) Jaap ♦

I use Debian GNU/Linux 7.8 (Wheezy) with kernel 3.2.0-4-amd64 and Wireshark Version 1.8.2

(03 Feb '15, 02:56) johnson91

One Answer:

This may suggest that the packet is traversing two interfaces.

This can happen if you have some kind of a bridge, virtual interfaces or maybe a bonding setup and you are running Wireshark on all interfaces.

Try specifying just a single interface, and if you have virtual ones specified, then use the one closest to the physical device; for example, if you have eth0 and eth0:1, pick eth0.

answered 03 Feb '15, 09:07

izopizo

edited 03 Feb '15, 09:07

Thanks for your answer. I have two physical interfaces (two different MAC addresses), namely wlan0 and wlan1. These two interfaces are configured so that they belong to two different VLANs. I use only one interface for capturing (wlan0). The problem remains even if I run ping as "ping -I wlan0 IP_addr". Any suggestions?

(03 Feb '15, 11:41) johnson91

From what you've described (same checksum, sequence number, etc.) it looks like you are seeing the same packet twice.

As mentioned before, I'd investigate the network configuration (you've mentioned VLANs; how exactly have you set them up?).

Also, for comparison, I'd run tcpdump -nni wlan0 icmp to see if tcpdump also reports two packets.

The fact that you are pinging from a given interface and seeing two packets suggests that there is an additional interface along the way.

(04 Feb '15, 03:06) izopizo

Thanks for replying.

VLANs are configured as follows: One interface has IP 100.100.100.100.x/24 and belongs to VLAN 100.100.100.0/24 and the second interface has IP 200.200.200.y/24 and belongs to VLAN 200.200.200.y/24.

I ran tcpdump -nni wlan0 icmp and I get exactly the same output as with Wireshark.

(05 Feb '15, 02:17) johnson91

Can you paste the output from ip a ls and iwconfig?

(05 Feb '15, 07:48) izopizo
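
The "same packet twice" check discussed in the comments above, as an added example that is not part of the original thread: it reads a saved capture and reports frames that are byte-identical to an earlier frame seen within a short time window, for any protocol and not only ICMP. It assumes the classic pcap format with microsecond timestamps (not pcapng); the function names and the sample capture are constructed for illustration.

```python
import hashlib
import struct

def find_duplicate_frames(pcap, window_us=5000):
    """Return (first_no, dup_no, delta_us) for byte-identical frames in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic (microsecond) pcap file")
    offset, frame_no, last_seen, dups = 24, 0, {}, []   # skip the 24-byte global header
    while offset + 16 <= len(pcap):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, offset)
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        frame_no += 1                                    # 1-based, like Wireshark frame numbers
        ts_us = sec * 1_000_000 + usec
        digest = hashlib.sha256(frame).digest()          # identical bytes -> identical digest
        prev = last_seen.get(digest)
        if prev is not None and ts_us - prev[1] <= window_us:
            dups.append((prev[0], frame_no, ts_us - prev[1]))
        last_seen[digest] = (frame_no, ts_us)
    return dups

def _echo(icmp_type, seq):
    # Constructed Ethernet/IPv4/ICMP frame; checksums are left at zero for brevity.
    eth = bytes.fromhex("020000000002" "020000000001" "0800")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return eth + ip + struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq)

def _record(sec, usec, frame):
    # Per-packet pcap record header (little-endian) followed by the frame bytes.
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame

# Constructed capture: each echo request (type 8) appears twice, each reply (type 0) once.
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join([
    _record(1000, 100, _echo(8, 1)), _record(1000, 130, _echo(8, 1)),
    _record(1000, 900, _echo(0, 1)),
    _record(1001, 100, _echo(8, 2)), _record(1001, 125, _echo(8, 2)),
    _record(1001, 900, _echo(0, 2)),
])

if __name__ == "__main__":
    for first, dup, delta in find_duplicate_frames(SAMPLE_PCAP):
        print(f"frame {dup} is byte-identical to frame {first} ({delta} us later)")
```

A duplicate that arrives within microseconds of the original points at the capture path (the frame being seen at two points on the host) rather than at a retransmission, which for ping would carry a new sequence number.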