Ask Your Question

Duplicate packets from VMware host

asked 2019-04-23 13:41:27 +0000

yash.rohilla gravatar image


I'm having an issue where I see duplicate packets sent from a virtual machine. The VMware workstation is running Linux with the network adapter in "Bridged: Connected directly to the physical network" mode. Additionally, the "Replicate physical network connection state" option is checked.

I have Wireshark running on my host machine running Windows 10. When I send ICMP messages from the virtual machine to another device connected to the local network, I see 2 instances of the same ICMP message being sent in Wireshark (that is running on the host machine). When I delve further into these two ICMP requests, I see that one of them has a response frame while the other does not. Am I correct in thinking that this is because I have a bridged connection between the host machine and the virtual machine? Is this expected behavior? Is there anything I can do to not sent duplicate packets? I am only using ICMP to demonstrate the issue. I am trying to setup a three-way handshake between a client and server using scapy, but the duplicate messages are messing up the response I'm expecting from the server (immediate RSTs are sent from the client).

I also have Wireshark running on the virtual machine with Linux. I do not see any duplicate packets on the machine. This makes me believe that this is expected behavior.

Please let me know if you would like any screenshots or further information. I would be happy to oblige.


edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2019-04-23 17:36:38 +0000

SYN-bit gravatar image

My guess would be that thet duplicate packets are an artefact of capturing on the host machine itself. When you see two SYN packets in your trace, do you also see two SYN/ACK packets coming back? If not, there was actually only one SYN packet leaving your system.

It is recommended to make traces on a separate machine running Wireshark. Either connected to a TAP or a SPAN port, that way, you can be sure of what is actually put on the network without having to guess how the vNic driver, hypervisor kernel, nic offloading features etc are creating all sorts of strange capture effects.

Have a look at the Wireshark WiKi page on how to capture for more information.

edit flag offensive delete link more


Hi SYN-bit,

I do not see two SYN/ACK packets coming back, which confirms that only one SYN packet leaves my VM.

Thank you for your help! I will setup the capture after reviewing the guide.


yash.rohilla gravatar imageyash.rohilla ( 2019-04-24 08:10:31 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-04-23 13:41:27 +0000

Seen: 1,680 times

Last updated: Apr 23 '19