Wireshark-users: Re: [Wireshark-users] duplicate frames captured by tcpdump

From: noah davids <ndav1@xxxxxxx>
Date: Thu, 15 Jan 2015 05:55:29 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15 January 2015 at 09:00, Manolis Katsidoniotis <manoska@xxxxxxxxx>
wrote:

. . .
In our lab we use (linux) tcpdump to capture frames (using interface
"any" for applications that do not communicate internally) and
wireshark to view and process the captured frames.

Lately after some upgrades we've been noticing the same frame is
captured twice, once including the vlan tag and once with the tag
stripped (actually sometimes we've noticed several repeated frames)
. . . .

As was pointed out by Abhik Sarkar the problem is that "-i any" will
capture on all interfaces so as the frame moves from one interface to
another it is captured multiple times.

However rather that filter out retransmissions and duplicate ACKs you
can filter on the vlan tag. A display filter like "not vlan" or
alternatively "vlan" will remove one or the other set of frames.

While it is not relevant in this case if the host is acting as a
router you will see that one set of frames have a TTL greater than
another set of frames and you can filter on the TTL value.

If the frames are really identical you can use editcap to remove
duplicates.

- -- 
Noah Davids
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Serendipity is a function of bandwidth

If you are not the intended recipient of this E-mail it would be nice
if you deleted it and notified me that you received it incorrectly. On
the other hand, E-mail is an insecure mechanism; nothing in this
E-mail can be considered confidential. I have no doubts that copies of
this E-mail have been archived by my ISP, your ISP and probably the
FBI, CIA and we know the NSA has a copy. I suspect that Interpol,
MI-6, SVR (think KGB) and MSS (Chinese) will have copies shortly, the
NSIS (Kenya) will have it by the end of the week.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUt7jBAAoJECWN4Ue7WQBiaLEH/3xAnRhnkDUD5dcDpzS0qyOr
uiMnqX2Hvz6B/5gR936bzfXjfUXhDJ4UiL5U3JNUVmAbVKKnA+71wZbVL/lBie4T
J+UVxxp+g1TiG/Xzgw7h2EeI+bk9MAdfXKq9YU+tUAv227d9vmo9ouLrbQ8+UtGe
6foisyziXRHHHO/y9wq3s9uc8VxJPvogdsXPsX6EZU8+93Qks/YryrNMemZIjyfx
qlB1/ocqZ9e4joQwQz+Fk2lNssN2UJzHcU2VXOrKYMDUXP7yWjQxghDYTsGZGtz4
0rgpLw2Xhji19RFBQtXa/qjDxv61RoufGKpgrNOJBMCsODcllvfYFKIRyHIJQZw=
=hqfB
-----END PGP SIGNATURE-----