tcpdump mailing list archives

Re: Observing duplicate frame captures in TCPDU MP

From: George Bakos <gbakos () ists dartmouth edu>
Date: Wed, 24 Dec 2003 00:57:25 -0500

This is normal behaviour for managed wireless networks, where the frame is
encapsulated in 802.11 both to and from the WAP. If this is a copper or fiber
net, are you certain you aren't seeing the effects of a funny
bridge/VLAN/routing environment? Are the multiples being reported with
identical timestamps? How about src MAC addresses?

g

On Tue, 23 Dec 2003 09:43:56 -0600
"Kraus, Jeffery" <Jeffery.Kraus () uscellular com> wrote:

The machine is Redhat 9, and it is just receiving frames from the network.
It does not have an IP address bound to the adaptor so it should not be
generating any frames itself.

Here is the Kernal details:
uname -a
Linux usc-schaum-sniff 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686
i386 GNU/Linux

Jeffery Kraus
Data Services Engineer
773.216.3179 (cell)
224.653.3720 (office)
224.653.3766 (fax)


-----Original Message-----
From: Guy Harris [mailto:guy () alum mit edu]
Sent: Friday, December 19, 2003 6:06 PM
To: Kraus, Jeffery
Cc: 'tcpdump-workers () tcpdump org'
Subject: Re: [tcpdump-workers] Observing duplicate frame captures in
TCPDUMP



On Dec 19, 2003, at 2:41 PM, Kraus, Jeffery wrote:

Whenever I run captures I always get every packet displayed twice. I 
have
seen numerous emails regarding this issue, but no real fix. I am 
currently
using eth4 as the capture interface and I do not have an IP address 
bound to
it.


On what OS are you running this?

Is the machine running tcpdump sending or receiving those packets, or 
is it just passively capturing other machines' traffic on a network?
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe



-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

Current thread:

RE: Observing duplicate frame captures in TCPDU MP Kraus, Jeffery (Dec 23)
- Re: Observing duplicate frame captures in TCPDU MP Guy Harris (Dec 23)
- Re: Observing duplicate frame captures in TCPDU MP George Bakos (Dec 23)