Wireshark-users: Re: [Wireshark-users] Capturing on Linux interface any
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 14 Nov 2008 14:20:53 +0100
On Fri, Nov 14, 2008 at 12:42:22PM +0100, Abhik Sarkar wrote:
> 
> I have noticed that when a capture is performed on a Linux host on
> interface 'any' and that system has bonded interfaces, there are a lot
> of TCP duplicates and out-of-order packets reported. It seems it is
> because the packets are captured twice... once from the bondX
> interface and one from the physical interface. However, this seems to
> happen only for outgoing packets. For incoming packets, I assume they
> are captured only on the physical interface. Can someone point me to a
> source where I might find an explanation of this behaviour?

Although I have no explanation for this behavior, I do want to point
you to editcap which can remove the duplicates with the -d option.

Cheers,
    Sake