This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP Retransmission is detected instead of a duplicate ip packet

0
1

Hi,

I expect that there is a wrong TCP-retransmission detected where wireshark should detect a duplicate ip packet. We would like a possibility to filter out any duplicate ip packets (means same IP-Identification in a flow) caused by mirroring multiple interfaces on a switch at the same time (eg. before and after a firewall). The packets are different on L2 but are the same on Layer3 except TTL,.. To filter TCP-Retransmission could change the real traffic as it could be a normal tcp-retransmission.

Does anybody how to filter out any duplicated ip packets?

Regards C

This question is marked "community wiki".

asked 19 Jan '12, 21:59

chris2012's gravatar image

chris2012
1121
accept rate: 0%


2 Answers:

2

There is a bug-report open for this, but no one has found the time and/or interest to solve this. Please have a look at Bug 4561.

answered 05 Aug '12, 17:04

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

1

The Wireshark installation comes with a command line tool called editcap, which has a parameter set to remove duplicate packets, usually like this:

editcap -d infile.pcap outfile.pcap

You might need to adjust the additional -D and -w parameters to tell editcap how many packets to consider and what maximum time distance between duplicates you want to allow. The default parameters sometimes do no remove all duplicates, so if that happens, work with -D and -w.

answered 20 Jan '12, 03:38

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

edited 20 Jan '12, 03:39

I have also tried editcap but it has not worked for my traces (maybe because of different vlan tags or the offset caused by vlan-tagging). I do not really know but I could send you a short trace which should show the problem.

I tried many different editcap-combinations, but editcap is doing no deduplication at all: editcap.exe -d trace1.pcap trace1_filtered.pcap -w 1 -D 100 4780 packets seen, 0 packets skipped with duplicate window of 100 packets.

Regards, Chris

(20 Jan '12, 04:39) chris2012

The vlan tagging should not be a problem since the same packet in a different vlan means that it must have been routed - and if it has been routed, MAC addresses, TTL etc. are modified, which means it's not a real duplicate (so editcap won't remove it).

You can send me a short trace if you want, but keep in mind that it should not contain any sensitive data. I created a temporary email alias for this, so send your file to: [email protected]

(20 Jan '12, 04:51) Jasper ♦♦

I have the condition described by Jasper: Different MACs, different TTLs (off by 1), BUT... SAME IP ID. Almost certainly packets that are being routed between VLANs.

My confusion is... Why does Wireshark note the 2nd of these packets as a Retransmission? Doesn't the condition of identical IP IDs rule out a retransmitted packet?

(FWIW, I'm running Version 1.6.5 (SVN Rev 40429 from /trunk-1.6) )

Thanx for any enlightenment :-)

feenyman99

(05 Aug '12, 06:05) feenyman99

I haven't looked at the tcp expert analysis code, but I guess it just does not check any layer other than the tcp layer for it's analysis results... so even if the ip id indicates a duplicate the tcp expert ignores it.

(05 Aug '12, 08:03) Jasper ♦♦

Why does Wireshark note the 2nd of these packets as a Retransmission? Doesn't the condition of identical IP IDs rule out a retransmitted packet?

Maybe it should, but the code that creates a conversation (which is the base for TCP analysis), does not care about the IP ID, which is O.K. for IP conversations, as IP IDs will change during a conversation.

epan\conversation.c:find_or_create_conversation()

for TCP retransmit analysis, the IP ID 'should' be checked, to detect only real retransmits.

However, it would be some overhead to do that. SRC/DST IP and SRC/DST port will be constant for a TCP conversation, but the IP IDs will change with every packet, so it would cost memory to record all IP IDs of a conversation and it would cost time to check for duplicates. Please bear in mind, that there might be many conversations in a capture file.

If you think this is a bug, please file a bug report at bugs.wireshark.org.

Regards
Kurt

(05 Aug '12, 13:58) Kurt Knochner ♦