This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Identifying traces containing duplicate IP Ident numbers

Anyone have tips to offer in terms of programmatically identifying traces containing the signature of a Layer 2 loop?

Generically, I'm wanting to identify trace files which contain frames for which the IP Ident number is identical -- suggestive of a Layer 2 loop. ip.id=={duplicated somewhere} might be how the filter would be written ... though I rather doubt this would be implementable in Wireshark (would require Wireshark to build a hash of IP Ident numbers, which seems like a strenuous exercise).

I suppose the quick & dirty approach would be to export the Summary line (after including ip.id as a column) to a csv file, then load that into a spreadsheet, sort on the IP Ident column. And visually ignore all those protocols which set IP Ident to '0'.

I want to do this over directories of traces, so I predict that I'm headed toward writing code.

But before I do that, I wanted to ask: anyone have a tip on programmatically identifying loops via some signature in a trace file? [IP Ident number ... DHCP transaction ID ...]

--sk

asked 03 Oct '16, 04:56

skendric

This seems to be a MATEable task (which means that tshark could give you a list of the duplicates directly) provided that you can extend the criteria to identify a duplicate, as the 16-bit ip.id alone may be the same in totally unrelated packets as it is only valid in the context of source and destination IP tuple. Also bear in mind that the ip.id is originally used to link together packet fragments, so you'll need to define a rule to ignore false positives (second and higher segments of the same packet are not looped but the ip.src, ip.dst, ip.id is the same for them).

(03 Oct '16, 07:05) sindy

It's common to have layer 2 traffic (i.e. ARP) causing the loop as well, as some of it is broadcast. ip.id won't match in this case as there is no IP header. For this, I look for very rapid broadcast ARP requests for the same or same set of IP addresses.

I suspect loops when I get a sudden increase in traffic from the network management system which tends to be a step change in throughput. It is then provable from a packet capture using techniques like you suggest, and also some others when dealing with layer 2 traffic.

(03 Oct '16, 10:00) Bob Jones

I think editcap uses a hash checksum for the entire frame to detect duplicate packets.

During a loop I think you will only see Broadcasts or packets that are flooded, due to the learning phase of a switch.

(03 Oct '16, 10:23) Christian_R
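
One way to implement the duplicate check with the criteria raised in this thread (added example, not code from any of the posters): key each packet on source, destination, protocol and IP Ident, skip Ident 0, and keep the fragment offset in the key so later fragments of one datagram are not reported. The tshark invocation in the comment, the function name `find_duplicates` and the sample rows are assumptions made for illustration; adding TTL to the key is an addition, based on the fact that layer 2 forwarding does not change the IP header.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows, in the shape produced by an invocation such as:
#   tshark -r trace.pcap -Y ip -T fields -E separator=, -E occurrence=f \
#     -e frame.number -e ip.src -e ip.dst -e ip.proto \
#     -e ip.id -e ip.frag_offset -e ip.ttl
SAMPLE = """\
1,10.0.0.5,10.0.0.255,17,0x1a2b,0,64
2,10.0.0.5,10.0.0.255,17,0x1a2b,0,64
3,10.0.0.5,10.0.0.255,17,0x1a2b,0,64
4,10.0.0.7,10.0.0.9,6,0x0000,0,64
5,10.0.0.7,10.0.0.9,6,0x0000,0,64
6,10.0.0.8,10.0.0.9,17,0x2222,0,64
7,10.0.0.8,10.0.0.9,17,0x2222,1480,64
8,10.0.0.6,10.0.0.9,6,0x1a2b,0,128
"""


def find_duplicates(fields_csv, min_copies=2):
    """Return {key: [frame numbers]} for packets seen at least min_copies times.

    key = (src, dst, proto, ip_id, frag_offset, ttl)
    """
    seen = defaultdict(list)
    for row in csv.reader(io.StringIO(fields_csv)):
        if len(row) != 7:
            continue  # malformed or non-IP line
        frame, src, dst, proto, ip_id, offset, ttl = row
        ident = int(ip_id, 0)  # accepts "0x1a2b" as well as decimal
        if ident == 0:
            continue  # many stacks send Ident 0; it says nothing about loops
        # The Ident is only meaningful per src/dst/proto. The offset keeps
        # fragments of one datagram apart. The TTL separates copies that
        # crossed a router (decremented) from copies that stayed at layer 2.
        key = (src, dst, int(proto), ident, int(offset), int(ttl))
        seen[key].append(int(frame))
    return {k: v for k, v in seen.items() if len(v) >= min_copies}


if __name__ == "__main__":
    for key, frames in find_duplicates(SAMPLE).items():
        print(key, "frames", frames)
```

On the sample, only frames 1 to 3 are reported: the Ident 0 pair, the two fragments sharing Ident 0x2222, and the unrelated flow that reuses 0x1a2b are all ignored.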