Wireshark mailing list archives

Wireshark V1.8.0 - analysing dual NIC capture


From: "Keith French" <keithfrench () btconnect com>
Date: Tue, 26 Jun 2012 13:51:08 +0100

Thanks for a really fantastic new release of Wireshark.

I have been trying out Wireshark V1.8.0 capturing on 2 NICs simultaneously using the .pcapng format. However, I am not really sure what I am expecting to see when analysing the trace.

In the preferences I have ticked the "Capture packets in pcap-ng format" option.

My set up is this:-

I have a server running Wireshark that has 2 NIC cards.

NIC 1 - connected to an access port on Cisco 2950 switch 2. This NIC carries all normal server traffic, plus an ftp session to a device on Cisco 2950 switch 1 that I am using for test purposes.

NIC 2 - connected to a port on Cisco 2950 switch 1 that is monitoring the inter-switch trunk between the two 2950s via a span session.

If I take a trace just on NIC 1 - I see 18 ftp or ftp-data packets.

If I take a trace just on NIC 2 - I see 18 ftp or ftp-data packets.

If I take a trace on both NIC 1 & 2 - I see 36 ftp or ftp-data packets, so all looks good.

All of the duplicated packets in the capture from both NICs follow the original ones, but are shown as TCP Retransmissions.

Is this how the facility is designed to work when analysing such a trace?

Keith French.
