This is not a Wireshark or tshark issue, but is due to the nature of the traffic.

Depending on the specific ICMP message, an ICMP packet can include portions of the original packet that caused the ICMP message to be transmitted. Looking at smallFlows.pcap, there are ICMP Time-To-Live exceeded packets that do include the original packet. As this original packet info is also dissected by Wireshark, the "duplicated" fields are included in the output.

To filter these out, either exclude ICMP as part of a filter expression, disable the ICMP dissector or limit the field output to the first occurrence with -E occurrence=f.
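
The effect described in the answer above, as an added example that is not part of the original answer and is not Wireshark's dissector code: a simplified parser walks a constructed ICMP Time Exceeded packet and collects every IPv4 source address, including the one in the quoted original header. The addresses, ports and the `field_output` helper are assumptions made for illustration; `occurrence` mirrors the `f`, `l` and `a` values of tshark's `-E occurrence=` option.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample: 192.0.2.10 sends UDP to 198.51.100.5 with TTL 1; the router
# 203.0.113.1 answers with ICMP Time Exceeded (type 11) quoting header + 8 bytes.
udp = struct.pack("!HHHH", 40000, 33434, 8, 0)
original = ipv4_header("192.0.2.10", "198.51.100.5", 17, len(udp), ttl=1) + udp
icmp = struct.pack("!BBHI", 11, 0, 0, 0) + original
PACKET = ipv4_header("203.0.113.1", "192.0.2.10", 1, len(icmp)) + icmp

# ICMP error messages that quote the offending datagram after their 8-byte header
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ip_src_occurrences(pkt):
    """Return each ip.src in dissection order: outer header, then any quoted header."""
    found, offset = [], 0
    while len(pkt) - offset >= 20:
        ihl = (pkt[offset] & 0x0F) * 4
        proto = pkt[offset + 9]
        found.append(socket.inet_ntoa(pkt[offset + 12:offset + 16]))
        icmp_off = offset + ihl
        is_icmp_error = (proto == 1 and len(pkt) - icmp_off >= 8
                         and pkt[icmp_off] in ICMP_ERROR_TYPES)
        if not is_icmp_error:
            break
        offset = icmp_off + 8  # quoted original datagram starts here
    return found

def field_output(pkt, occurrence="a"):
    """Mimic one output column for ip.src: 'a' = all, 'f' = first, 'l' = last."""
    values = ip_src_occurrences(pkt)
    if occurrence == "f":
        values = values[:1]
    elif occurrence == "l":
        values = values[-1:]
    return ",".join(values)

if __name__ == "__main__":
    print("occurrence=a:", field_output(PACKET, "a"))  # outer and quoted source
    print("occurrence=f:", field_output(PACKET, "f"))  # outer source only
```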