Wireshark mailing list archives
Re: duplicate frames captured by tcpdump
From: noah davids <ndav1 () cox net>
Date: Thu, 15 Jan 2015 05:55:29 -0700
On 15 January 2015 at 09:00, Manolis Katsidoniotis <manoska () gmail com> wrote:

> . . .
> In our lab we use (linux) tcpdump to capture frames (using interface "any" for applications that do not communicate internally) and wireshark to view and process the captured frames. Lately after some upgrades we've been noticing the same frame is captured twice, once including the vlan tag and once with the tag stripped (actually sometimes we've noticed several repeated frames)
> . . . .

As was pointed out by Abhik Sarkar, the problem is that "-i any" will capture on all interfaces, so as the frame moves from one interface to another it is captured multiple times. However, rather than filter out retransmissions and duplicate ACKs, you can filter on the vlan tag. A display filter like "not vlan" or alternatively "vlan" will remove one or the other set of frames.

While it is not relevant in this case, if the host is acting as a router you will see that one set of frames has a TTL greater than another set of frames, and you can filter on the TTL value.

If the frames are really identical you can use editcap to remove duplicates.

-- 
Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth

If you are not the intended recipient of this E-mail it would be nice if you deleted it and notified me that you received it incorrectly. On the other hand, E-mail is an insecure mechanism; nothing in this E-mail can be considered confidential. I have no doubts that copies of this E-mail have been archived by my ISP, your ISP and probably the FBI, CIA and we know the NSA has a copy. I suspect that Interpol, MI-6, SVR (think KGB) and MSS (Chinese) will have copies shortly, the NSIS (Kenya) will have it by the end of the week.
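An added example, not part of the original message or of the Wireshark tools: Python that finds, in an "-i any" capture, frames that differ only by the presence of the VLAN tag and keeps the first copy of each pair. It assumes a classic little-endian pcap with the Linux cooked (SLL) header in which a tagged frame carries protocol 0x8100 followed by the TCI and the inner EtherType; the function names, the 8-frame window and the sample frames are constructed for illustration.

```python
import struct

SLL_LEN, ETH_P_8021Q, LINKTYPE_LINUX_SLL = 16, 0x8100, 113

def read_pcap(data):
    """Return the frames of a classic little-endian pcap with LINUX_SLL link type."""
    magic, linktype = struct.unpack_from("<I", data, 0)[0], struct.unpack_from("<I", data, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != LINKTYPE_LINUX_SLL:
        raise ValueError("expected a little-endian pcap captured on the 'any' device")
    frames, off = [], 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames

def normalize(frame):
    """Return (had_tag, EtherType + payload) with an 802.1Q tag removed if present."""
    proto = struct.unpack_from("!H", frame, 14)[0]
    if proto == ETH_P_8021Q and len(frame) >= SLL_LEN + 4:
        return True, frame[SLL_LEN + 2:]      # skip the 2-byte TCI, keep inner EtherType
    return False, frame[14:]

def drop_vlan_twins(frames, window=8):
    """Drop a frame whose twin (same bytes, opposite tag state) was seen recently."""
    recent, kept = [], []
    for frame in frames:
        tagged, key = normalize(frame)
        if any(k == key and t != tagged for t, k in recent):
            continue                          # tagged/untagged copy of an earlier frame
        kept.append(frame)
        recent = (recent + [(tagged, key)])[-window:]
    return kept

# Constructed sample capture (not from the thread): A and C appear twice, B once.
def sll(proto, payload):
    return struct.pack("!HHH8sH", 0, 1, 6, bytes.fromhex("020000000001"), proto) + payload

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

TAG = struct.pack("!HH", 100, 0x0800)         # TCI (VLAN 100) + inner EtherType IPv4
A, B, C = (bytes.fromhex("4500001c") + n for n in (b"frame-A", b"frame-B", b"frame-C"))
SAMPLE = build_pcap([sll(0x8100, TAG + A), sll(0x0800, A), sll(0x0800, B),
                     sll(0x8100, TAG + C), sll(0x0800, C)])

if __name__ == "__main__":
    frames = read_pcap(SAMPLE)
    print(len(frames), "frames read,", len(drop_vlan_twins(frames)), "kept")
```

Because only the EtherType and payload are compared, copies whose TTL changed while the host routed them are not treated as twins and stay in the output.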
Current thread:
- duplicate frames captured by tcpdump Manolis Katsidoniotis (Jan 14)
- Re: duplicate frames captured by tcpdump Abhik Sarkar (Jan 15)
- Re: duplicate frames captured by tcpdump Jeff Morriss (Jan 15)
- <Possible follow-ups>
- Re: duplicate frames captured by tcpdump noah davids (Jan 15)