This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

UDP packets are duplicated in capture

0

Yesterday I was debugging one of my programs and found a bug in Wireshark or somewhere else.

Wireshark shows me two UDP packets on transmit with a small time difference and with all bytes matching.
Even the IP identifier is the same in both packets.
When I send this packet to my router and make a packet capture, it shows that only one packet is sent from my PC.

Wireshark is version 2.4.0

How can I find where this problem comes from?

asked 26 Aug '17, 07:58

marenr

You'll need to provide much more info on your capturing setup, i.e.

  1. Is this on-machine or via a tap or router?
  2. If on-machine, what is the host OS?
  3. What is the capture library, e.g. libpcap, WinPcap, npcap?
  4. What type of interface are you capturing/transmitting on?
  5. Is there a VM involved?

Can you share a capture in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc?

(26 Aug '17, 09:46) grahamb ♦

I made a capture again.

Router capture: https://www.cloudshark.org/captures/d8a18c34c5de
Computer capture: https://www.cloudshark.org/captures/765cda700089

This is a Win 10 PC and the capture is made on the Ethernet controller, with VirtualBox and VMware Workstation installed but not running at capture time. I also found that all outgoing packets from my PC are duplicated.

I googled how to find which library Wireshark uses but I did not find it. Can I get some instructions?

(28 Aug '17, 04:16) marenr

If you post the content of the Help-About dialog, that will show the capture library being used.

(28 Aug '17, 04:47) grahamb ♦

I also read this but I missed the mention of libpcap.
Here is the About text:

Version 2.4.0 (v2.4.0-0-g9be0fa500d)

Copyright 1998-2017 Gerald Combs [email protected] and contributors. License GPLv2+: GNU GPL version 2 or later http://www.gnu.org/licenses/old-licenses/gpl-2.0.html This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.9.1, with WinPcap (4_1_3), with GLib 2.42.0, with zlib 1.2.8, with SMI 0.4.8, with c-ares 1.12.0, with Lua 5.2.4, with GnuTLS 3.4.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP, with nghttp2 1.14.0, with LZ4, with Snappy, with libxml2 2.9.4, with QtMultimedia, with AirPcap, with SBC, with SpanDSP.

Running on 64-bit Windows 10, build 15063, with Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz (with SSE4.2), with 32683 MB of physical memory, with locale Slovenian_Slovenia.1250, with WinPcap version 4.1.3 (packet.dll version 0.78 r5), based on libpcap version 1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.4.11, with Gcrypt 1.7.6, without AirPcap.

Built using Microsoft Visual C++ 14.0 build 24215

(28 Aug '17, 04:56) marenr

One Answer:

1
Running on 64-bit Windows 10, build 15063, with Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz (with SSE4.2), with 32683 MB of physical memory, with locale Slovenian_Slovenia.1250, with WinPcap version 4.1.3 (packet.dll version 0.78 r5)

It looks like you're not using the default WinPcap capture library, I suspect it's some older version of npcap.

Can you remove npcap, reboot and re-install Wireshark allowing it to install WinPcap?

answered 28 Aug '17, 05:30

grahamb ♦

After removing nmap and reinstalling Wireshark with WinPcap, it works as it should.
Thank you.

(28 Aug '17, 06:00) marenr

@marenr

I've moved my comment to an answer as it seems to have resolved your issue.

Can you accept the answer by clicking the check mark icon on the answer so that others may see the correct answer for the issue?

(28 Aug '17, 10:28) grahamb ♦
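The symptom described in this thread (byte-identical outgoing frames, same IP identifier, a few microseconds apart) can be confirmed from a saved capture. The following is an added example, not code from the thread or from Wireshark. It assumes the capture was saved in classic pcap format (not pcapng), and the sample frames and the names `build_pcap`, `read_pcap` and `find_duplicates` are constructed for illustration.

```python
import hashlib
import struct

def build_pcap(frames):
    """Pack (sec, usec, frame_bytes) tuples into a classic little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Yield (timestamp_in_microseconds, frame_bytes) for each record."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic microsecond-resolution pcap")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", blob, offset)
        offset += 16
        yield sec * 1_000_000 + usec, blob[offset:offset + incl]
        offset += incl

def find_duplicates(blob, window_us=1000):
    """Return (earlier_index, duplicate_index, delta_us) for identical frames
    seen again within window_us microseconds (0-based frame indexes)."""
    last_seen = {}  # frame digest -> (index, timestamp) of most recent copy
    dups = []
    for idx, (ts, frame) in enumerate(read_pcap(blob)):
        digest = hashlib.sha256(frame).digest()
        if digest in last_seen and ts - last_seen[digest][1] <= window_us:
            dups.append((last_seen[digest][0], idx, ts - last_seen[digest][1]))
        last_seen[digest] = (idx, ts)
    return dups

# Constructed sample: Ethernet + IPv4 + UDP frames, checksums left at zero.
ETH = "00112233445566778899aabb0800"
IP_TAIL = "000080110000c0a80102c0a80101"  # flags, TTL, UDP, checksum, src, dst
UDP = "13881389000c0000"
FRAME_A = bytes.fromhex(ETH + "45000020" + "1234" + IP_TAIL + UDP + "74657374")
FRAME_B = bytes.fromhex(ETH + "45000020" + "1235" + IP_TAIL + UDP + "74657375")
SAMPLE = build_pcap([(100, 10, FRAME_A), (100, 40, FRAME_A),
                     (100, 500, FRAME_B), (101, 0, FRAME_A)])

if __name__ == "__main__":
    for first, dup, delta in find_duplicates(SAMPLE):
        print(f"frame {dup} duplicates frame {first} after {delta} us")
```

Because the whole frame is hashed, a legitimate retransmission with a different IP identifier is not flagged; only copies that match in every byte, as in the question, are reported.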