I have a DNS capture which has all the query and response being retransmitted, is that normal behavior? for example on the 1st packet:
Packet 1: Query -> [Response In: 3]
Packet 2: [Retransmitted request. Original request in: 1]
Packet 3: [Request In: 1]
Packet 4: [Retransmitted response. Original response in: 3]
It could be the way you are obtaining your capture. For instance, if you are using port span (port mirror), you could be getting the TX/RX of both the host and the upstream network port.
Look at the ip.id field and compare packet 1 and 2. If they are the same, then Wireshark is being given a duplicate copy of the frame (not a retransmit by your host) possibly due to the configuration of your port span.
It could be due to other circumstances, but sharing a pcap trace would greatly improve the community's chances of assisting you with your question.
Asked: 2023-11-20 08:31:31 +0000
Seen: 1,918 times
Last updated: Nov 20 '23
