I expect that a wrong TCP retransmission is detected where Wireshark should detect a duplicate IP packet. We would like the possibility to filter out any duplicate IP packets (meaning the same IP Identification in a flow) caused by mirroring multiple interfaces on a switch at the same time (e.g. before and after a firewall). The packets are different on L2 but the same on Layer 3 except for TTL, etc. Filtering out TCP retransmissions could change the real traffic, as it could be a normal TCP retransmission.
Does anybody know how to filter out any duplicated IP packets?
asked 19 Jan '12, 21:59
The Wireshark installation comes with a command line tool called editcap, which has a parameter to remove duplicate packets, usually used like this:
editcap -d infile.pcap outfile.pcap
You might need to adjust the additional -D and -w parameters to tell editcap how many packets to consider and what maximum time distance between duplicates you want to allow. The default parameters sometimes do not remove all duplicates, so if that happens, work with -D and -w.
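editcap -d compares the length and MD5 hash of each captured frame with the previous ones, so the two copies in the question, which differ in MAC addresses and TTL, are not byte-identical to it. As an added example, not part of the question or the answer, the Python script below keys duplicates on the IPv4 fields that survive the firewall (addresses, protocol, IP-ID, fragment fields, payload) and keeps a window of recent packets like editcap's -D; the pcap reader, the frame builder and the three sample frames are constructed here for illustration.

```python
import struct
from collections import deque

def ipv4_key(frame):
    """Fields identifying one IPv4 datagram on both mirror ports; TTL and the
    header checksum are skipped because the firewall rewrites them."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # 14-byte Ethernet + IPv4 header
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", ip[2:8])
    return (ip[12:16], ip[16:20], ip[9], ident, flags_frag, ip[ihl:total_len])

def dedup_frames(frames, window=5):
    """Drop a frame whose IPv4 key matches one of the previous `window` frames."""
    recent, kept = deque(maxlen=window), []
    for frame in frames:
        key = ipv4_key(frame)
        if key is not None:                               # non-IPv4 frames always pass
            if key in recent:
                continue                                  # same datagram from the other port
            recent.append(key)
        kept.append(frame)
    return kept

def read_pcap(data):
    """Minimal libpcap reader; yields raw frames (assumes Ethernet link type)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                              # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

# Constructed sample: one TCP segment captured before and after a firewall,
# followed by a genuine retransmission (new IP-ID, as the question assumes).
def frame(src_mac, dst_mac, ttl, ident, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                     ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return dst_mac + src_mac + b"\x08\x00" + ip + payload

HOST, FW_IN, FW_OUT, SERVER = (bytes([i] * 6) for i in (1, 2, 3, 4))
SEG = b"tcp-seg"                                          # stands in for TCP header + data
SAMPLE = [frame(HOST, FW_IN, 64, 0x1234, SEG),            # mirror port 1: before the firewall
          frame(FW_OUT, SERVER, 63, 0x1234, SEG),         # mirror port 2: same datagram, TTL-1
          frame(HOST, FW_IN, 64, 0x1235, SEG)]            # real retransmission: different IP-ID
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in SAMPLE)

if __name__ == "__main__":
    print(len(dedup_frames(read_pcap(SAMPLE_PCAP))), "of", len(SAMPLE), "frames kept")  # 2 of 3
```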