
How to recognize a duplicate packet in Wireshark?

asked 2020-06-27 20:25:25 +0000

salwa1215

How to recognize a duplicate packet? Besides being marked in black in Wireshark, what are its particularities (sequence number, ACK...)? Thanks in advance for your help.


1 Answer


answered 2020-06-28 10:00:04 +0000

Jasper

"True Duplicate" packets are completely identical, meaning that if you compare their bytes in the hex view you'll see that nothing changes when you jump between them in the packet list.

I distinguish between "True Duplicates" (created usually by the capture method of SPANing more than 1 port) and "Routed Duplicates" where you have differences like MAC addresses and VLAN IDs - those are also duplicates from a TCP point of view but they're not byte-wise identical. In that case you might want to compare IP-Identification, 5-Tuples (SrcIP:SrcPort-DestIP:DestPort:L4Protocol) and sequence numbers. Comparing TCP/UDP payloads also often works.


Comments

Hey Jasper, will a "True" DUP ACK have the same ID# <ip.id>? I am getting some DUP ACKs with no retransmit, but the ip.id's are incrementing. What about SEQ numbers? They would need to be the same also in order for it to be a DUP ACK, right?

carvwa (2020-07-24 02:34:18 +0000)
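
The comparison described in Jasper's answer, as an added Python example that is not part of the original thread: it labels each frame as a byte-identical "true" duplicate or as a "routed" duplicate that matches on IP ID, 5-tuple, sequence number and payload. The frames, addresses and the names `dup_key`, `classify` and `build` are constructed for illustration, and only untagged or single-tagged IPv4 frames are handled.

```python
import struct

def dup_key(frame):
    """IP ID, 5-tuple, TCP seq and L4 payload; ignores MACs, VLAN tag, TTL, checksums."""
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype == 0x8100:                  # 802.1Q tag: skip its 4 bytes
        off += 4
        (ethertype,) = struct.unpack_from("!H", frame, off)
    if ethertype != 0x0800:                  # IPv4 only in this sketch
        return None
    ip = off + 2
    total_len, ip_id = struct.unpack_from("!HH", frame, ip + 2)
    proto, src, dst = frame[ip + 9], frame[ip + 12:ip + 16], frame[ip + 16:ip + 20]
    if proto not in (6, 17):                 # TCP and UDP only
        return None
    l4 = ip + (frame[ip] & 0x0F) * 4         # skip the IP header (IHL in 32-bit words)
    sport, dport = struct.unpack_from("!HH", frame, l4)
    seq = struct.unpack_from("!I", frame, l4 + 4)[0] if proto == 6 else None
    hdr = (frame[l4 + 12] >> 4) * 4 if proto == 6 else 8
    return (ip_id, src, sport, dst, dport, proto, seq, frame[l4 + hdr:ip + total_len])

def classify(frames):                        # label each frame against earlier frames
    raw, keys, labels = set(), set(), []
    for f in frames:
        k = dup_key(f)
        if f in raw:
            labels.append("true duplicate")      # byte-for-byte identical
        elif k is not None and k in keys:
            labels.append("routed duplicate")    # same L3/L4 content, different framing
        else:
            labels.append("unique")
        raw.add(f)
        keys.add(k)
    return labels

def build(src_mac, dst_mac, vlan, ttl, ip_id, seq, data=b"hello"):
    """Constructed TCP test frame (checksums left at 0), not captured traffic."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 0x50, 0x18, 1024, 0, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 1, 2]))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan else b""
    return dst_mac + src_mac + tag + b"\x08\x00" + ip + tcp

A, B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
first = build(A, B, 0, 64, 0x1234, 1000)
SAMPLE = [first, first,                          # SPAN copy: identical bytes
          build(B, A, 20, 63, 0x1234, 1000),     # after a hop: new MACs, VLAN, TTL
          build(A, B, 0, 64, 0x1235, 1000)]      # same seq and data, new IP ID
print(classify(SAMPLE))
```

The last sample frame carries the same sequence number and data under a new IP ID, so this key reports it as unique rather than as a capture duplicate.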

Stats

Seen: 63 times

Last updated: Jun 28