Wireshark-users: Re: [Wireshark-users] FW: TCP Packets being sent twice? Ever seen this?
From: "Barry Constantine" <Barry.Constantine@xxxxxxxx>
Date: Fri, 25 Apr 2008 06:17:48 -0700
There are situations where the packets are falsely captured twice due to
OS, port mirroring, etc.

Look at the IP ID field on two duplicate packets; if they are the same,
then these packets are not really on the wire.

I know other tools allow you to eliminate duplicate packets based upon
the IP ID, but I never tried this with Wireshark.

-Barry

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Brian Biales
Sent: Friday, April 25, 2008 8:01 AM
To: wireshark-users@xxxxxxxxxxxxx
Subject: [Wireshark-users] FW: TCP Packets being sent twice? Ever seen
this?

I was using Wireshark to view the SMTP traffic on my Windows SMTP
server.  What I found was very odd...  Each packet my server was sending
appears to be sent twice!
 
Is this for real?  Or a Wireshark fluke?  Anybody seen such a thing?
Any explanations would be greatly appreciated!
 
My local machine in the trace is 192.168.1.9.  All the packets out to
the internet appear to be sent twice.  And the time between them is
very, very small...  The identical packet seems to go out immediately.
I can attach the trace file itself if it would be useful (it is 250k or
so...)

I am using Wireshark 1.0.0 installed on this Windows 2k server SP4 with
all updates applied...
 
Brian
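
The IP ID comparison described in the reply above, as an added example that is not part of the original thread: it parses Ethernet/IPv4 frames and flags any frame that repeats an earlier frame's addresses, protocol, IP ID and payload within a short time window. The frame builder, the function names, the 1 ms window, the 203.0.113.25 address and the sample packets are assumptions constructed for illustration.

```python
import struct

ETH_LEN = 14  # Ethernet II header length

def build_frame(src, dst, ip_id, payload, proto=6):
    """Constructed Ethernet + IPv4 frame for the demo (checksum left at 0)."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                     0x4000, 64, proto, 0, addr(src), addr(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def ip_key(frame):
    """Return (src, dst, proto, ip_id, payload) for an IPv4 frame, else None."""
    if len(frame) < ETH_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    total_len, ip_id = struct.unpack("!HH", ip[2:6])
    return (ip[12:16], ip[16:20], ip[9], ip_id, ip[ihl:total_len])

def find_capture_duplicates(records, window=0.001):
    """Indexes of frames that repeat an earlier frame's IP ID within `window` s."""
    last_seen, dupes = {}, []
    for i, (ts, frame) in enumerate(records):
        key = ip_key(frame)
        if key is None:
            continue  # not IPv4 or truncated: nothing to compare
        if key in last_seen and ts - last_seen[key] <= window:
            dupes.append(i)
        last_seen[key] = ts
    return dupes

# Constructed sample capture: (timestamp in seconds, frame bytes).
SRC, DST = "192.168.1.9", "203.0.113.25"
first = build_frame(SRC, DST, 0x1A2B, b"EHLO mail.example\r\n")
SAMPLE = [
    (0.000000, first),
    (0.000004, first),  # same IP ID, microseconds later: flagged
    (0.250000, build_frame(SRC, DST, 0x1A2C, b"EHLO mail.example\r\n")),  # same data, new IP ID: kept
    (0.250100, build_frame(SRC, DST, 0x1A2D, b"MAIL FROM:<a@example.com>\r\n")),
]

if __name__ == "__main__":
    print(find_capture_duplicates(SAMPLE))
```

Only the second frame is flagged; the third carries the same payload under a different IP ID, so it is treated as a separate packet.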