This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Duplicate ICMP echo replies mystery

When running a ping -t to one of our Cisco routers, we noticed on occasion a (DUP!) after a few of the replies. When looking at the pcap, I can see the sequence number of the request with 2 replies from the same target. The only difference I could see was that in the first reply, WS showed that it was a response to the requesting packet and in the second reply, there was no such reference. 99% of the pings are fine but now we have concerns that the unit might be defective. How should I interpret these duplicate replies?

Thanks

asked 16 May '12, 20:01

EricKnaus

One Answer:

  1. Is the router connected to the same switch as your client? If so, are the two replies from the same MAC address?
  2. Is the router part of a HSRP configuration?

Regards
Kurt

answered 17 May '12, 00:36

Kurt Knochner

edited 17 May '12, 00:57

Kurt - No HSRP. Pinging across the Internet (to a WAN), same MAC - nothing else was plugged into the router when we were testing this.

Thanks

Eric

(17 May '12, 08:08) EricKnaus

Is the router publicly pingable so we might be able to reproduce the issue? Do you see duplicates from multiple sources to this router? Do you see duplicates when pinging other systems from the same source?

(17 May '12, 09:33) SYN-bit ♦♦

Can you post a capture file with the DUP replies to cloudshark.org? Did both replies have the same TTL?

(17 May '12, 14:16) Kurt Knochner ♦

I was going to but the owner asked me not to because he did not want the world pinging it all day! Looking for a plan B

(21 May '12, 06:35) EricKnaus

You may send me a small capture file with the dup ping responses in it at [email protected]SYN-bit.nl and I will have a quick look at it to see whether I can see anything funny in the trace.

(21 May '12, 21:36) SYN-bit ♦♦

You could randomize the IP addresses with tcprewrite http://tcpreplay.synfin.net/wiki/tcprewrite and then post the capture file on cloudshark.org

(21 May '12, 23:45) Kurt Knochner ♦
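
The checks asked for in this thread (do the duplicate replies share a MAC address and a TTL?) can be run over a capture without publishing it. The following is an added example, not part of the original thread: it parses a classic pcap with Python's standard library, groups echo replies by source, ICMP identifier and sequence number, and reports which fields differ between duplicates. Comparing the IP identification field goes beyond what the thread asks, and the function names, addresses and capture bytes are constructed for illustration.

```python
import struct
from collections import defaultdict

def parse_pcap(data):
    """Yield raw frames from a classic little-endian pcap byte string."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond pcap")
    off = 24                                     # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def echo_replies(data):
    """Yield one dict per ICMP echo reply found in Ethernet/IPv4 frames."""
    for f in parse_pcap(data):
        if len(f) < 34 or f[12:14] != b"\x08\x00":    # IPv4 ethertype only
            continue
        ihl = (f[14] & 0x0F) * 4
        # protocol 1 = ICMP, ICMP type 0 = echo reply
        if f[23] != 1 or len(f) < 14 + ihl + 8 or f[14 + ihl] != 0:
            continue
        ident, seq = struct.unpack_from("!HH", f, 14 + ihl + 4)
        yield {"src": ".".join(map(str, f[26:30])), "id": ident, "seq": seq,
               "mac": f[6:12].hex(":"), "ttl": f[22],
               "ip_id": struct.unpack_from("!H", f, 18)[0]}

def find_duplicates(data):
    """Return [((src, id, seq), count, fields_that_differ)] for DUP replies."""
    groups = defaultdict(list)
    for r in echo_replies(data):
        groups[(r["src"], r["id"], r["seq"])].append(r)
    return [(k, len(rs), [x for x in ("mac", "ttl", "ip_id")
                          if len({r[x] for r in rs}) > 1])
            for k, rs in groups.items() if len(rs) > 1]

def sample_pcap():
    """Constructed capture: seq 2 and seq 4 are each answered twice."""
    def frame(mac, ttl, ip_id, seq, icmp_type=0):    # checksums left as 0
        return (bytes.fromhex("020000000001" + mac) + b"\x08\x00"
                + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, ip_id, 0, ttl, 1, 0,
                              bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
                + struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq))
    rows = [("02aa00000001", 250, 100, 1), ("02aa00000001", 250, 101, 2),
            ("02aa00000001", 250, 102, 2), ("02aa00000001", 250, 103, 3, 8),
            ("02aa00000001", 250, 104, 4), ("02bb00000002", 249, 104, 4)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    # every constructed frame is 42 bytes: 14 Ethernet + 20 IPv4 + 8 ICMP
    recs = (struct.pack("<IIII", 1, i, 42, 42) + frame(*r) for i, r in enumerate(rows))
    return hdr + b"".join(recs)
```

Calling `find_duplicates()` on the bytes of a real capture file works the same way, provided the file is in classic pcap format rather than pcapng.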