Abhik,

Thanks for your help. Can you explain one more problem for me? I was sent some captures from one of my users that is having a problem with an FTP. When he did the first capture it was a VLAN span on a Cisco switch. I see hundreds of dup acks and TCP out-of-order packets. When I apply a display filter I see 2 of everything and the second one is always an error frame.

For example - if it is a TCP ack, the first frame is ok; the second is identical (same source and dest) but marked as a dup ack. If it is an FTP frame, the second one is marked as an out-of-order.

If we span just the port and not the VLAN we do not see any of these error packets.

Can you help me understand this problem?

Thanks
Ed

Hi Edward,

Though it might not apply to your case, perhaps you want to have a look at this:
http://www.wireshark.org/lists/wireshark-users/200901/msg00032.html

I have seen the same behavior if the system uses bonded interfaces and the interface "any" is used for capturing (assuming Linux is used).

If this does apply, then you can simply use "editcap -d" on the capture file to get rid of the duplicate acks.

HTH
Abhik.
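
Added example, not part of the original thread and not Wireshark's own code: a minimal sketch of the kind of duplicate removal "editcap -d" performs, dropping a frame when it is byte-identical to one of the few frames captured just before it. The function names, the window size of 4 and the sample capture are assumptions constructed for illustration.

```python
import hashlib
import struct
from collections import deque

GLOBAL_HDR = struct.Struct("<IHHiIII")  # classic pcap file header, 24 bytes
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def read_records(pcap):
    """Yield (record_header, frame) pairs from a little-endian classic pcap."""
    if GLOBAL_HDR.unpack_from(pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected little-endian microsecond pcap")
    off = GLOBAL_HDR.size
    while off < len(pcap):
        incl_len = REC_HDR.unpack_from(pcap, off)[2]
        end = off + REC_HDR.size + incl_len
        if end > len(pcap):
            raise ValueError("truncated record")
        yield pcap[off:off + REC_HDR.size], pcap[off + REC_HDR.size:end]
        off = end

def dedup(pcap, window=4):
    """Drop frames byte-identical to any of the previous `window` frames."""
    recent = deque(maxlen=window)       # digests of the last frames seen
    out, dropped = [pcap[:GLOBAL_HDR.size]], 0
    for hdr, frame in read_records(pcap):
        digest = hashlib.sha256(frame).digest()
        if digest in recent:
            dropped += 1                # mirrored copy; timestamps are ignored
        else:
            out.append(hdr + frame)
        recent.append(digest)
    return b"".join(out), dropped

def build_sample():
    """Constructed capture: A A B B C D E F A (the last A is a later resend)."""
    frames = [b"A" * 60, b"A" * 60, b"B" * 74, b"B" * 74,
              b"C" * 60, b"D" * 60, b"E" * 60, b"F" * 60, b"A" * 60]
    blob = GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        blob += REC_HDR.pack(1000, i * 10, len(f), len(f)) + f
    return blob

if __name__ == "__main__":
    cleaned, dropped = dedup(build_sample())
    kept = "".join(f[:1].decode() for _, f in read_records(cleaned))
    print(dropped, kept)
```

The short window is what keeps the back-to-back mirrored copies out while leaving a genuine later retransmission of the same bytes in the capture; widening it to cover the whole sample would remove that resend too.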