Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

"True Duplicate" packets are completely identical, meaning that if you compare their bytes in the hex view you'll see that nothing changes when you jump between them in the packet list.

I distinguish between "True Duplicates" (created usually by the capture method of SPANing more than 1 port) and "Routed Duplicates" where you have differences like MAC-Addresses and VLAN IDs - those are also duplicates from TCP point of view but they're not byte-wise identical. In that case you might want to compare IP-Identification, 5-Tuples (SrcIP:SrcPort-DestIP:DestPort:L4Protocol) and sequence numbers. Comparing TCP/UDP payloads also often works.