Wireshark · Ethereal-users: [Ethereal-users] Re: Duplicate packets captured in local machine. (Mark Pizzolato)

Ethereal-users: [Ethereal-users] Re: Duplicate packets captured in local machine. (Mark Pizzolat

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Chau Dang" <cdang@xxxxxxxxxxxxxxx>

Date: Thu, 8 Apr 2004 12:05:10 -0700

Thank to Mark for additional information in the issue.

Answer to the questions:
1. Ethereal works fine on other systems with different NIC cards in my
office.
2. I did not try to use other NIC card on my system to see if Ethereal has
the same problem.

As I have said in my yesterday email:
1. Network monitor (netmon.exe) from Microsoft does not has that problem.
2. Ethereal worked fine on the same system and NIC card before.  It has just
suddenly occurred on the system last two weeks.

So, I think the cause may be from winpcap.  I will try to update that to see
if the problem goes away.

Chau Dang.

------------------------------

Message: 3
Date: Wed, 7 Apr 2004 12:48:22 -0700
From: "Mark Pizzolato" <ethereal-users-20030907@xxxxxxxxxxxxxxxxx>
Subject: Re: [Ethereal-users] Duplicate packets captured in local
	machine.
To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Message-ID: <013601c41cd9$4d2a5f40$173ca8c0@xxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

I'm betting that the observation Chau Dang has made (about receiving
transmitted packets multiple times) is a "feature" of the NIC driver that is
being used on his Windows system.

I say this based on my experience with an application I support.  This
application uses WinPcap to both send and receive raw ethernet frames.  We
have observed that on some platforms (various Unix and windows), that the
packet stream we get through libpcap (in promiscuous mode), will contain 0,
1 or even 2 copies of every frame that is transmitted by the local system.
Our application tolerates this by testing the environment upon startup and
counting the "reflections" of known test packets we initially send.  Things
subsequently proceed with the knowledge of how to deal with transmitted
duplicates.  In general, on Unix/unix-like hosts we see 0 reflections, and
on Windows, we usually see 1 reflection, and sometimes (depending on the
NIC+Driver being ), we see 2 reflections.  The Unix/Unix-like reflection
count is usually 1, when the interface we're using is a bridge device
constructed by locally available kernel bridging.

So, another question for Chau Dang, is:

Does he see the same "behavior" on other systems which have different
vendor's NIC cards, or, on his system if he uses a different vendor's NIC?

Upgrading to the latest NIC driver from his chosen vendor "may" fix his
problem.

- Mark Pizzolato


------------------------------

Prev by Date: [Ethereal-users] Using 802.11 Radiotap
Next by Date: [Ethereal-users] Question about packet filtering
Previous by thread: [Ethereal-users] Re: [Ethereal-dev] Using 802.11 Radiotap
Next by thread: [Ethereal-users] Question about packet filtering
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$