Duplicate parsing in one direction (egress) with Wireshark v3 but v1.8 is normal.

asked 2019-04-25 09:22:31 +0000

updated 2019-04-25 10:12:01 +0000


Hi Everyone,

I have a problem with duplicate parsing in one direction (egress) with Wireshark v3.0.1, but v1.8 is normal. I tried the stable releases v3.0 and v3.0.1 but got the same results. Before upgrading Wireshark, I used v1.8 and it worked well. Has anyone had the same experience? Please give me some advice, thanks.

I pasted text below for reference:

No.    Time        Source             Destination        Protocol    Length Info

4      5.212966    RealtekS_36:01:23  SpidcomT_13:00:01  HomePlug AV 60     OUI:0x13d7
5      5.212980    RealtekS_36:01:23  SpidcomT_13:00:01  HomePlug AV 60     OUI:0x13d7
6      5.213825    SpidcomT_13:00:01  RealtekS_36:01:23  HomePlug AV 60     OUI:0x13d7

Comments

Do you mean:

  1. That the same capture file opened in both 1.8 and 3.x gives different results?
  2. Capturing with 3.x gives different results to a capture made with 1.8?
grahamb ( 2019-04-25 10:13:32 +0000 )

No, sorry for the mistake. I mean different versions get different results during live capture. V3.0 gets the same packets twice on egress but V1.8 does not. As in the text, you can see packets number 4 and 5 are the same packet in V3.0, but V1.8 will only get one packet.

pond.huang ( 2019-04-25 10:40:45 +0000 )

And can you describe your capture setup, e.g. how (on host, tap, span), host OS and capture library if capturing on host?

grahamb ( 2019-04-25 11:12:59 +0000 )

Here is my Wireshark About information for your reference:

Version 3.0.1 (v3.0.1-0-gea351cd8) 

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

Compiled (64-bit) with Qt 5.12.1, with WinPcap SDK (WpdPack) 4.1.2, with GLib 2.52.2, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 support, with Gcrypt 1.8.3, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.9, with QtMultimedia, with AirPcap, with SBC, with SpanDSP, with bcg729 ...
pond.huang ( 2019-04-25 11:44:40 +0000 )

More information: I tried v2.6.8 and it works well. I hope that can provide more clues for debugging. Here is my Wireshark About information for your reference:

Version 2.6.8 (v2.6.8-0-gbede2087) 

Copyright 1998-2019 Gerald Combs <[email protected]> and contributors. License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 

Compiled (64-bit) with Qt 5.9.7, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.11, with SMI 0.4.8, with c-ares 1.14.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with MaxMind DB resolver, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9 ...
pond.huang ( 2019-04-26 02:45:39 +0000 )