This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Remove duplicate packets editcap

0

Hello

We have traces which contain duplicate packets. We clear them with editcap. However, some of them include the same frame instance with a VLAN tag and without. Since those 2 are considered different, one of them is not removed. Is there a way to do this?

thanks Manolis

asked 19 Oct '15, 13:16

manolis
6113
accept rate: 0%

edited 19 Oct '15, 21:34


One Answer:

0

If all VLAN tagged frames are duplicates only, then just filter these away. But it's probably not that simple...

As of yet there's no way to do that within Wireshark or its tools. You may have luck with other tools, maybe TraceWrangler.

answered 19 Oct '15, 13:34

Jaap ♦
11.7k16101
accept rate: 14%

TraceWrangler can't do this (yet), but SuperDeduper might, see http://goo.gl/Yy49W3

(19 Oct '15, 13:42) Jasper ♦♦

I thought it could when reading the documentation?

(19 Oct '15, 13:56) Jaap ♦

Hello

Unfortunately not. It looks like tcpdump in Linux captures and stores frames:

1. sometimes only after the VLAN tag has been stripped,
2. sometimes only with the VLAN tag included,
3. sometimes it captures and shows both frames.

So I'm looking to see if editcap has the ability to compare all other frame data except the VLAN tag and if they match then remove either one ...

Thanks for the suggestions I will try the other trace tools as well :-)

br Manolis

(19 Oct '15, 13:58) manolis

@Jaap: regarding TraceWrangler: yeah, it can remove VLAN tags, but not deduplicate based on them. "Removing" means that the frame is modified by cutting away the VLAN tag bytes, not the whole frame.

(19 Oct '15, 14:01) Jasper ♦♦

Not sure I can find this option in editcap (or Wireshark in general). The editcap guide does not even include the word VLAN. Any ideas?

(19 Oct '15, 16:11) manolis

@manolis: Please reply with comments instead of new answers. See the FAQ of this site.

(19 Oct '15, 16:22) Kurt Knochner ♦

OK, now I got the point. Thanks, trying TraceWrangler.

(19 Oct '15, 21:31) manolis

@Jasper: Think of it in the Unix way, use one tool for one specific job. So use TraceWrangler to strip out the VLAN headers, then the new file will have the duplicates that editcap can go over and deduplicate.

(19 Oct '15, 23:51) Jaap ♦

Thanks so far for the answers.

News: I can only find a Windows-based version of TraceWrangler. Both 32 and 64 bit versions crash while working on the imported traces and also corrupt the frames during the process.

When I run SuperDeduper I get the message that it's not a valid Windows application. Cannot find any info on the web about this application. Should I run it in Linux of some kind?

Any other ideas are welcome.

thanks Manolis

(23 Oct '15, 17:04) manolis
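Added example, not part of the original thread and not code from Wireshark, TraceWrangler or SuperDeduper: a minimal Python sketch of the comparison asked for above, which drops a frame when it matches a recent frame in everything except an 802.1Q tag. It assumes a classic (non-pcapng) Ethernet capture, treats only TPID 0x8100 as a VLAN tag, and uses a comparison window of 5 previous frames; the function names and the sample capture are constructed for illustration.

```python
import hashlib
import struct
from collections import deque

TPID_8021Q = b"\x81\x00"  # 802.1Q tag protocol identifier, follows the two MACs

def vlan_neutral_key(frame: bytes) -> bytes:
    """Hash the frame as if every 802.1Q tag after the MAC addresses were absent."""
    while len(frame) >= 18 and frame[12:14] == TPID_8021Q:
        frame = frame[:12] + frame[16:]  # cut the 4 tag bytes, keep the rest
    return hashlib.sha256(frame).digest()

def dedup_pcap(data: bytes, window: int = 5) -> bytes:
    """Return the capture without frames that equal one of the previous
    `window` frames once VLAN tags are ignored. The first copy is kept as is."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic microsecond-resolution pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    out, recent, pos = [data[:24]], deque(maxlen=window), 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[pos + 8:pos + 12])[0]
        end = pos + 16 + incl_len
        if end > len(data):
            break  # truncated final record: stop rather than guess
        key = vlan_neutral_key(data[pos + 16:end])
        if key not in recent:
            out.append(data[pos:end])  # record header and frame, unmodified
        recent.append(key)
        pos = end
    return b"".join(out)

def constructed_sample(tagged_first: bool = False) -> bytes:
    """Constructed capture: one frame untagged and with VLAN 100, plus another frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    macs = bytes.fromhex("020000000001" "020000000002")
    untagged = macs + b"\x08\x00" + b"A" * 46
    tagged = macs + TPID_8021Q + b"\x00\x64" + b"\x08\x00" + b"A" * 46
    other = macs + b"\x08\x00" + b"B" * 46
    frames = [tagged, untagged, other] if tagged_first else [untagged, tagged, other]
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    result = dedup_pcap(constructed_sample())
    print(len(constructed_sample()), "bytes in,", len(result), "bytes out")
```

If the capture was taken with a snap length shorter than the frames, the tagged copy is cut 4 bytes earlier than the untagged one and the two will not compare equal.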