Wireshark-users: Re: [Wireshark-users] Duplicate Packet ID

From: "Laura Chappell" <lchappell@xxxxxxxxxxxxxxxx>
Date: Tue, 16 Jan 2007 18:44:51 -0800
Reza...

Here is an idea, but it will only dump the duplicate packet (not the
original) and it is set for TCP only. No UDP equivalent that I know of. 

	tshark -R tcp.analysis.retransmission -w <filename>

Use the capital 'R' to indicate you are using display filter syntax. The
retransmissions are defined as TCP packets that contain data but use the
same sequence number. There is some checking done to ensure the packets are
not just out-of-order packets (which is probably not typical anyway).  

I think the TCP.analysis.duplicate_ack will only show you that a receiver
has noticed a missing segment and is re-acking for the missing segment. A
good thing to know, but it seems you are more interested in duplicate data
packets (UDP-based application?)... 

Hope that helps... 

Laura
lchappell@xxxxxxxxxxxxxxxx
 
This message is intended only for the use of the addressee and may contain
information that is privileged and confidential. If you are not the intended
recipient, you are hereby notified that any use and/or dissemination of this
communication is strictly prohibited. If you have received this
communication in error, please delete all copies of the message and its
attachments and notify the sender immediately.


-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Fardid, Reza
Sent: Tuesday, January 16, 2007 5:58 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Duplicate Packet ID

Hi Hans,

How does it identify duplicates?
Is there a UDP equivalent?

Thanks,
-Reza

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Hans Nilsson
Sent: Monday, January 15, 2007 11:46 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Duplicate Packet ID

How about "tcp.analysis.duplicate_ack".


On Mon, 15 Jan 2007 14:29:56 -0800, "Fardid, Reza" <RFardid@xxxxxxxxx>
said:
> Hi,
> 
>  
> 
> Is there a mechanism in T(ethereal) for identification (e.g., using
> Frame Check) and filtering (capture or display) of duplicate packets?
> 
> I realize there is a performance penalty to pay for such capture
> filtering, if supported.
> 
>  
> 
> Thanks,
> 
> -Reza
> 
>  
> 
>  
> 
>  
> 
-- 
  Hans Nilsson
  hasse_gg@xxxxxxxx

-- 
http://www.fastmail.fm - Or how I learned to stop worrying and
                          love email again

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users