Double sequence number RTP [closed]

asked 2020-04-23 13:07:12 +0000

slemmen


I am analyzing a tcpdump from a Sophos SG Firewall cluster, because we have problems sending and receiving faxes. Most of them are cut off. We only get or send half pages.

In the dump file I see every packet twice. Maybe it's a mystery of the firewall cluster? Has anyone seen this before?

Thank you!


Closed for the following reason the question is answered, right answer was accepted by slemmen
close date 2020-04-24 13:57:40.582636

3 Answers


answered 2020-04-23 13:27:35 +0000

Chuckc

Encapsulation type: Linux cooked-mode capture (25)

Appliances that include tcpdump may use "-i any".

Try the capture again and specify a specific interface.


answered 2020-04-23 13:35:30 +0000

Jaap

This has to do with the way the capture is made. Probably the monitor port used is set up to capture all ingress and egress packets from the network element (switch, FW, whatever). So packets traversing this network element do show up twice, once on ingress, once on egress. Either tune the monitor port, or use the command line tools, or editcap -d to be specific, to remove the duplicates from this capture.



Okay! Thank you guys!

slemmen (2020-04-23 14:03:38 +0000)

answered 2020-04-23 14:45:22 +0000

Jim Young

Expanding on the "Linux cooked capture" tree in the packet details will reveal a Packet Type field.

Right-mouse clicking on the "Packet Type" item and selecting "Add as Column" should make it obvious as to why we see duplicates in the sense of this particular capturing mechanism. In this capture we will see text "Sent by us", "Unicast to us" and "Broadcast" in this new column. You can create display filters for these values and then generate subset captures using the File -> Export Specified Packets dialog.

In this case the useful display filters are "sll.pkttype == 0" for "Unicast to us", "sll.pkttype == 4" for "Sent by us" and (less useful) "sll.pkttype == 1" for "Broadcast".

If you enable Frame level option "Generate an MD5 hash of each frame", the only frame level duplicates to be found in this capture would be the three "Packet Type = Broadcast" ARP packets. You can also add the MD5 hash field as a column to play with as well.

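The packet-type split described in the answer above, as an added example that is not part of the original thread: a small reader for classic pcap files with Linux cooked-capture framing that tallies frames per Packet Type and keeps one direction only. All function names are hypothetical, and the sample capture is constructed with placeholder payload bytes rather than real RTP.

```python
import struct
from collections import Counter

LINKTYPE_LINUX_SLL = 113  # pcap link type for "Linux cooked-mode capture"
# Packet Type values of the cooked header, with the labels Wireshark displays
PKTTYPE = {0: "Unicast to us", 1: "Broadcast", 2: "Multicast",
           3: "Unicast to another host", 4: "Sent by us"}

def read_sll_frames(pcap: bytes):
    """Yield (pkttype, payload) for each record of a classic pcap with SLL framing."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic (microsecond) pcap file")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError(f"link type {linktype} is not Linux cooked capture")
    off = 24  # size of the pcap global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 16:
            continue  # truncated record without a full 16-byte cooked header
        # The cooked header is in network byte order; bytes 0-1 are the packet type
        pkttype = struct.unpack("!H", frame[:2])[0]
        yield pkttype, frame[16:]

def count_by_pkttype(pcap: bytes) -> Counter:
    """Tally frames per Packet Type, like the added column in Wireshark."""
    return Counter(PKTTYPE.get(t, f"unknown ({t})") for t, _ in read_sll_frames(pcap))

def keep_pkttype(pcap: bytes, wanted: int) -> list:
    """Payloads of one direction only, the equivalent of sll.pkttype == wanted."""
    return [payload for t, payload in read_sll_frames(pcap) if t == wanted]

def _sll_record(pkttype: int, payload: bytes) -> bytes:
    # Constructed record: ARPHRD 1, address length 6, zeroed address, protocol 0x0800
    sll = struct.pack("!HHH8sH", pkttype, 1, 6, b"\x00" * 8, 0x0800) + payload
    return struct.pack("<IIII", 0, 0, len(sll), len(sll)) + sll

# Constructed sample: one packet seen inbound and again outbound, plus a broadcast
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_LINUX_SLL)
          + _sll_record(0, b"rtp-seq-100") + _sll_record(4, b"rtp-seq-100")
          + _sll_record(1, b"arp-who-has"))

if __name__ == "__main__":
    print(count_by_pkttype(SAMPLE))
    print(keep_pkttype(SAMPLE, 0))
```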
