Wireshark-users: Re: [Wireshark-users] out-of-orders instead of duplicates

From: Vikki Taxdal <vtaxdal@xxxxxxxxx>
Date: Fri, 27 Mar 2009 19:42:59 -0400
I get those duplicates too - also spanning whole vlan(s).  We have
Cisco Network Analysis Module (NAM) in the 6509 switch, watching
traffic entering and leaving a Firewall Services Module (FWSM) in the
switch.

Maybe my situation is not exactly the same as yours, but then again
maybe what I do about duplicate packets will give you an idea how to
filter out yours.  I did learn how to get rid of the dupes if it is
really just every single packet having a duplicate.  You do this in
the display filter:

     (frame.number & 1)

But most of the time it's not that simple...

Let's say I need to look at firewall traffic with the NAM (spanning
all vlans, in and out) -  I want to see what the firewall is doing to
packets before depositing them on the outgoing vlan (you'd be amazed
sometimes what it does and doesn't do).

So I capture traffic between a specific pair of hosts: 192.168.0.1,
172.16.0.1, on whatever vlans the traffic comes in and goes out.  The
result is a mess - lots of duplicates... but it's hard to discern the
pattern right away.  So I separate the traffic into two files, one for
the traffic as it appears on one side of the firewall (vlan10) and
another for the traffic as appears on the other side (vlan20).  My
filter is:

     For the 1st file, vlan10.cap:     vlan.id==10
     For the 2nd file, vlan20.cap:     vlan.id==20

Now when I open the files separately I can see the pattern - in my
vlan10 file there's a duplicate of every packet with source address
192.168.0.1, and in my vlan20 file there's a duplicate of every packet
with destination 172.16.0.1.

The vlan10 file, for example, starts out like this:
     HostA Syn
     HostB Syn Ack
     HostB Syn Ack
     HostA Ack
     HostA Psh 10 bytes
     HostB Ack 11
     HostB Ack 11
     ...and so on

So I make my display filter like this:
     (ip.src==192.168.0.1) || (frame.number & 1)

And now my trace looks normal:
     HostA Syn
     HostB Syn Ack
     HostA Ack
     HostA Psh 10
     HostB Ack 11
     ...and the rest.

You do something similar for the vlan20 file.

I wish I could say I figured all this out on my own - I didn't.  After
a lot of head banging finally someone else got me past where I was
stuck.  So if my message is at too simple a level to do any good to
you, I'm pretty sure it will save some time and aggravation for
someone else at my level :)

In the end I will probably do as Hansang did and just write a script
to find and remove duplicates by comparing MACs/IP IDs --- I just
haven't got that far in my script writing skills yet (still just
taking baby steps in that arena, but really drawn to it).

On 3/17/09, Hansang Bae <hbae@xxxxxxxxxx> wrote:
> At 08:32 AM 3/12/2009, Pawel K wrote:
>>Hello
>>
>>I receive many packets that look like duplicates.
>>They are exactly the same - even with respect to the receiving time.
>>Wireshark reports the second packet as a TCP Out-Of-Order.
>>IMHO it should be reported as a duplicate.
>>Am I right ?
>>
>>thank You for an answer
>
>
>
> It would be easier if you didn't span the entire vlan.  But sometimes,
> you're forced to do this because you have a case of
>
>
> A <--->B <---> C <----> D <---> E
>        \               /
>         \-------------/
>
> Capturing on B and D would give you duplicates (leaving B and arriving at D)
>
> So you can use editcap -d option.  But if I recall, it can only look at
> packets +/- 4 away.  So if you have:
>
> pkt 1
> pkt 2
> pkt 3
> pkt 4
> pkt 5
> pkt 6
> pkt (exact replica of 1)
>
>
> editcap won't find it (I'm pretty sure).  In the past, I had my guys write
> script that compared MAC/IP ID to remove duplicates.
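A duplicate remover of the kind Hansang's script did and Vikki plans to write, added here as an example that is not from the thread: it keys each frame on source/destination MAC, IP addresses, IP ID and protocol, ignores the 802.1Q tag so the same packet seen on two spanned VLANs still matches, and can optionally restrict the comparison to the previous N frames to show why a windowed check misses a distant replica like "pkt 7 = pkt 1". The MAC addresses, IP IDs and frames are constructed for the demo; a real script would read frames from a pcap file instead of building them.

```python
import struct
from typing import List, Optional, Tuple

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800

def make_frame(src_mac: str, dst_mac: str, ip_src: str, ip_dst: str, ip_id: int,
               payload: bytes, vlan: Optional[int] = None) -> bytes:
    """Build a minimal Ethernet II (+ optional 802.1Q tag) IPv4 frame for the demo.
    Constructed test data only: IP checksum is left as 0, L4 is opaque payload."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    addr = lambda a: bytes(int(x) for x in a.split("."))
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                         0x4000, 64, 6, 0, addr(ip_src), addr(ip_dst))
    return mac(dst_mac) + mac(src_mac) + tag + struct.pack("!H", ETH_P_IP) + ip_hdr + payload

def frame_key(frame: bytes) -> Optional[Tuple]:
    """Key = (src MAC, dst MAC, IP src, IP dst, IP ID, proto), the fields the thread's
    script compared.  The VLAN tag is skipped on purpose so one packet captured on
    two spanned VLANs collapses to the same key.  Non-IPv4 frames return None."""
    if len(frame) < 14:
        return None
    dst_mac, src_mac, ethertype = frame[0:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETH_P_8021Q:                       # skip 802.1Q tag (4 bytes)
        if len(frame) < 18:
            return None
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    ihl = frame[off] & 0x0F if len(frame) > off else 0
    if ethertype != ETH_P_IP or ihl < 5 or len(frame) < off + ihl * 4:
        return None
    ip_id, proto = struct.unpack("!H", frame[off + 4:off + 6])[0], frame[off + 9]
    return (src_mac, dst_mac, frame[off + 12:off + 16], frame[off + 16:off + 20], ip_id, proto)

def dedupe(frames: List[bytes], window: Optional[int] = None) -> List[int]:
    """Return indices of frames to keep.  window=None compares each frame with every
    earlier one; window=N only with the previous N frames, which is the limitation
    the thread attributes to editcap -d.  Non-IPv4 frames are always kept."""
    keys = [frame_key(f) for f in frames]
    keep, seen = [], set()
    for i, k in enumerate(keys):
        earlier = seen if window is None else set(keys[max(0, i - window):i])
        if k is None or k not in earlier:
            keep.append(i)
        seen.add(k)
    return keep

def demo() -> Tuple[List[int], List[int]]:
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed MACs
    base = [make_frame(a, b, "192.168.0.1", "172.16.0.1", 1000 + n, b"x" * n, vlan=10)
            for n in range(1, 7)]                      # pkt 1 .. pkt 6 on vlan 10
    replica = make_frame(a, b, "192.168.0.1", "172.16.0.1", 1001, b"x", vlan=20)  # pkt 1 again
    return dedupe(base + [replica]), dedupe(base + [replica], window=4)
```

`demo()` returns `[0, 1, 2, 3, 4, 5]` for the global check (the distant replica is dropped) and all seven indices for `window=4`, which never compares pkt 7 with pkt 1.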