tcpdump mailing list archives

RE: Observing duplicate frame captures in TCPDUMP


From: "Kraus, Jeffery" <Jeffery.Kraus () uscellular com>
Date: Wed, 24 Dec 2003 09:40:59 -0600

In this scenario it is not 802.11. I have my Red Hat 9 box running tcpdump
connected to a Cisco Catalyst 6509 using 10/100 CAT5e Ethernet on a port
spanning 2 VLANs. The multiple frames are identical (every byte, MAC, IP,
etc.), although the timestamps are slightly different (off by less than a
millisecond or so).

It definitely seems to be an issue with the Cisco SPAN port. I have
connected a PC running Sniffer Pro and IRIS sniffers, and am seeing the
same thing. I will investigate this further with Cisco. Thank you all for
your help.


-----Original Message-----
From: George Bakos [mailto:gbakos () ists dartmouth edu]
Sent: Tuesday, December 23, 2003 11:57 PM
To: Kraus, Jeffery
Cc: 'tcpdump-workers () tcpdump org'
Subject: Re: [tcpdump-workers] Observing duplicate frame captures in TCPDUMP


This is normal behaviour for managed wireless networks, where the frame is
encapsulated in 802.11 both to and from the WAP. If this is a copper or fiber
net, are you certain you aren't seeing the effects of a funny
bridge/VLAN/routing environment? Are the multiples being reported with
identical timestamps? How about src MAC addresses?

g

On Tue, 23 Dec 2003 09:43:56 -0600
"Kraus, Jeffery" <Jeffery.Kraus () uscellular com> wrote:

The machine is Red Hat 9, and it is just receiving frames from the network.
It does not have an IP address bound to the adaptor, so it should not be
generating any frames itself.

Here are the kernel details:
uname -a
Linux usc-schaum-sniff 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux



-----Original Message-----
From: Guy Harris [mailto:guy () alum mit edu]
Sent: Friday, December 19, 2003 6:06 PM
To: Kraus, Jeffery
Cc: 'tcpdump-workers () tcpdump org'
Subject: Re: [tcpdump-workers] Observing duplicate frame captures in
TCPDUMP



On Dec 19, 2003, at 2:41 PM, Kraus, Jeffery wrote:

Whenever I run captures I always get every packet displayed twice. I have
seen numerous emails regarding this issue, but no real fix. I am currently
using eth4 as the capture interface and I do not have an IP address bound to
it.

On what OS are you running this?

Is the machine running tcpdump sending or receiving those packets, or 
is it just passively capturing other machines' traffic on a network?
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use
mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe


-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
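The check George's questions point at (are the copies byte-identical, including the source MAC, and how far apart are their timestamps?) is easy to script against a saved capture, and it separates the two cases the thread discusses: an exact copy a few hundred microseconds after the original comes from the capture path (a mirror port handing tcpdump the same frame twice), while a copy with the same payload behind a different MAC pair is the packet legitimately seen on a second segment or VLAN. The following is an added example, not code from the thread or from the tcpdump project; it uses only the Python standard library, parses classic pcap itself rather than depending on scapy, and builds its own sample capture inline (the frames, MACs and timestamps are constructed for illustration). The exact-duplicate rule is the same idea as editcap's -d/-w de-duplication, run here so you can see which frame indices would be dropped and why.

```python
"""
Classify duplicate frames in a pcap, the way you would check a suspect SPAN
feed. Stdlib only; the sample capture below is constructed, not real traffic.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_MAGIC_NSEC = 0xA1B23C4D
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14


def build_pcap(frames):
    """Serialise (timestamp_seconds, frame_bytes) pairs as a classic
    little-endian microsecond pcap. Used only to construct sample input."""
    parts = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535,
                         LINKTYPE_ETHERNET)]
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        parts.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        parts.append(frame)
    return b"".join(parts)


def read_pcap(data):
    """Parse a classic pcap (either byte order, usec or nsec timestamps)
    into a list of (timestamp_seconds, frame_bytes)."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<"
    if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        magic = struct.unpack(">I", data[:4])[0]
        end = ">"
        if magic not in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            raise ValueError("not a classic pcap file")
    scale = 1e6 if magic == PCAP_MAGIC_USEC else 1e9
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        packets.append((sec + frac / scale, bytes(data[off:off + incl_len])))
        off += incl_len
    return packets


def find_duplicates(packets, window_s=0.001):
    """Compare each frame with earlier kept frames seen within window_s.

    Returns (kept, exact, near):
      kept  - frames a de-duplicator would retain, as (ts, frame)
      exact - (index, delta) of frames byte-identical to a kept frame within
              the window: the mirror-port double copy. These are dropped.
      near  - (index, delta) of frames whose bytes after the 14-byte Ethernet
              header match a kept frame within the window but whose MAC
              header differs: the same packet on another segment/VLAN.
              These are flagged but kept, since they are distinct frames.
    The window is the knob: the thread reports deltas under 1 ms, so 1 ms
    keeps a genuine retransmission seconds later out of the duplicate count.
    """
    last_exact, last_payload = {}, {}
    kept, exact, near = [], [], []
    for i, (ts, frame) in enumerate(packets):
        payload = frame[ETH_HDR_LEN:]
        prev = last_exact.get(frame)
        if prev is not None and 0 <= ts - prev <= window_s:
            exact.append((i, ts - prev))
            continue
        prev = last_payload.get(payload)
        if prev is not None and 0 <= ts - prev <= window_s:
            near.append((i, ts - prev))
        last_exact[frame] = ts
        last_payload[payload] = ts
        kept.append((ts, frame))
    return kept, exact, near


def eth_frame(dst_hex, src_hex, payload):
    """Ethernet II frame with an IPv4 ethertype; payload is an opaque blob here."""
    return bytes.fromhex(dst_hex) + bytes.fromhex(src_hex) + b"\x08\x00" + payload


# Constructed sample: MACs, payloads and timestamps are made up for the demo.
PAYLOAD_A = bytes(range(40))
PAYLOAD_B = bytes(range(40, 80))
FRAME_A = eth_frame("001122334455", "00aabbccddee", PAYLOAD_A)
FRAME_B = eth_frame("001122334455", "00aabbccddee", PAYLOAD_B)
FRAME_B_OTHER_SEGMENT = eth_frame("00deadbeef01", "000c29000001", PAYLOAD_B)

SAMPLE_PCAP = build_pcap([
    (10.000000, FRAME_A),
    (10.000400, FRAME_A),                # identical copy 400 us later: SPAN double copy
    (10.002000, FRAME_B),
    (10.002300, FRAME_B_OTHER_SEGMENT),  # same payload, different MAC pair: other VLAN
    (11.500000, FRAME_A),                # identical bytes but 1.5 s later: real resend
])


def analyse(data, window_s=0.001):
    """Summarise a capture: how much of it is mirror-port duplication."""
    packets = read_pcap(data)
    kept, exact, near = find_duplicates(packets, window_s)
    return {
        "total": len(packets),
        "kept": len(kept),
        "exact_dups": len(exact),
        "near_dups": len(near),
        "max_exact_delta_us": max((d for _, d in exact), default=0.0) * 1e6,
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_PCAP))
```

Run it against a real file with `read_pcap(open("span.pcap", "rb").read())`; if roughly half the frames land in `exact` with sub-millisecond deltas, the duplication is in the capture path rather than on the wire, and the interesting field to look at on the switch side is how the SPAN session is defined (a frame present on both monitored VLANs is copied once per VLAN). A large `near` count with MAC differences is the bridge/VLAN/routing case George asks about, and is not something a de-duplicator should silently remove.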

