"True Duplicate" packets are completely identical, meaning that if you compare their bytes in the hex view you'll see that nothing changes when you jump between them in the packet list.
I distinguish between "True Duplicates" (created usually by the capture method of SPANing more than 1 port) and "Routed Duplicates" where you have differences like MAC-Addresses and VLAN IDs - those are also duplicates from TCP point of view but they're not byte-wise identical. In that case you might want to compare IP-Identification, 5-Tuples (SrcIP:SrcPort-DestIP:DestPort:L4Protocol) and sequence numbers. Comparing TCP/UDP payloads also often works.
First, no, the IP ID will be different, because the duplicate ACK is a TCP (layer 4) mechanism, and does not affect the increment of IP IDs on layer 3.
And yes, the sequence number needs to stay the same, but it is kind of a gray area - as far as I know Wireshark wouldn't mark a packet a duplicate ACK unless the sequence number and window size stays the same, but I would have to check the source code to be sure.
Asked: 2020-06-27 20:25:25 +0000
Seen: 5,235 times
Last updated: Jun 28 '20
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
