Wireshark-users: Re: [Wireshark-users] Duplicate ACK

From: "EDWARD HILL" <EHill@xxxxxxxxx>
Date: Fri, 6 Mar 2009 17:27:05 -0500
That clears it up.
 
Thanks
Ed


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Friday, March 06, 2009 5:13 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Duplicate ACK

If you span a vlan, every packet will enter the switch and leave the switch on that vlan, hence the switch will mirror it twice. You should use "rx" or "tx" instead of "both" on the definition of the span-port when spanning a vlan.
 
You can remove the duplicate packets in the tracefile with "editcap -d <infile> <outfile>" :-)
 
Hope this helps,
Cheers,
     Sake
----- Original Message -----
Sent: Friday, March 06, 2009 10:52 PM
Subject: Re: [Wireshark-users] Duplicate ACK

Abhik,
 
Thanks for your help. Can you explain one more problem for me? I was sent some captures from one of my users that is having a problem with an FTP. When he did the first capture it was a VLAN span on a Cisco switch. I see hundreds of dup acks and TCP out-of-order packets. When I apply a display filter I see 2 of everything and the second one is always an error frame.
 
For example - if it is a TCP ack, the first frame is ok; the second is identical (same source and dest) but marked as a dup ack.
If it is an FTP frame, the second one is marked as out-of-order.
 
If we span just the port and not the VLAN we do not see any of these error packets.
Can you help me understand this problem?
 
Thanks
Ed


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Abhik Sarkar
Sent: Wednesday, March 04, 2009 4:32 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Duplicate ACK

Hi Edward,

Though it might not apply to your case, perhaps you want to have a look at this:
http://www.wireshark.org/lists/wireshark-users/200901/msg00032.html

I have seen the same behavior if the system uses bonded interfaces and the interface "any" is used for capturing (assuming Linux is used).

If this does apply, then you can simply use "editcap -d" on the capture file to get rid of the duplicate acks.

HTH
Abhik.

On Wed, Mar 4, 2009 at 12:17 AM, EDWARD HILL <EHill@xxxxxxxxx> wrote:
 
I took a capture on my network between the firewall and the app server. I have been seeing a lot of duplicate acks. But the duplicate acks never go past one and they are always from the firewall. It seems like the firewall is just trying to catch up to its buffer. I never see fast retransmissions or retransmissions. How many duplicate acks in a period of time is too much?
 
Ed

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
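
Added example (not part of the original thread and not Wireshark's code): a Python sketch of the kind of check "editcap -d" performs, comparing each frame's length and MD5 against the previous four frames, run over a constructed pcap in which every frame is mirrored twice as on a VLAN span set to "both". The function names and sample frames are assumptions made for illustration.

```python
import hashlib
import struct
from collections import deque

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # classic pcap file header, little-endian
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(frames):
    """Serialize raw frames into a classic pcap (link type 1 = Ethernet)."""
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += PCAP_RECORD.pack(i, 0, len(frame), len(frame)) + frame
    return out


def read_frames(pcap_bytes):
    """Yield the captured bytes of each record in a little-endian classic pcap."""
    if struct.unpack_from("<I", pcap_bytes, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    offset = PCAP_GLOBAL.size
    while offset + PCAP_RECORD.size <= len(pcap_bytes):
        _, _, incl_len, _ = PCAP_RECORD.unpack_from(pcap_bytes, offset)
        offset += PCAP_RECORD.size
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def find_duplicates(frames, window=4):
    """Return (kept_frames, duplicate_indexes) using length + MD5 over a sliding window."""
    recent = deque(maxlen=window)  # fingerprints of the last `window` frames
    kept, dupes = [], []
    for index, frame in enumerate(frames):
        fingerprint = (len(frame), hashlib.md5(frame).digest())
        if fingerprint in recent:
            dupes.append(index)    # byte-identical to a very recent frame: mirror copy
        else:
            kept.append(frame)
        recent.append(fingerprint)
    return kept, dupes


# Constructed sample: three distinct frames, each seen twice (ingress + egress mirror).
UNIQUE = [b"\x00" * 12 + b"\x08\x00" + bytes([n]) * 40 for n in (1, 2, 3)]
SAMPLE_PCAP = build_pcap([copy for frame in UNIQUE for copy in (frame, frame)])

if __name__ == "__main__":
    kept, dupes = find_duplicates(read_frames(SAMPLE_PCAP))
    print(f"kept {len(kept)} frames, dropped duplicates at indexes {dupes}")
```

Because only the most recent frames are compared, an identical frame that reappears much later in the trace is kept rather than dropped as a mirror copy.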

