Wireshark-users: Re: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 26 Jun 2012 16:56:07 -0400
On Tue, Jun 26, 2012 at 8:51 AM, Keith French <keithfrench@xxxxxxxxxxxxx> wrote:
> Thanks for a really fantastic new release of Wireshark.
>
> I have been trying out Wireshark V1.8.0 capturing on 2 NICs simultaneously using the .pcapng format. However, I am not really sure what I am expecting to see when analysing the trace.

The main thing is that you can get packets from 2 interfaces at the
same time.  No other real changes.

> In the preferences I have ticked the "Capture packets in pcap-ng format" option.
>
> My setup is this:
>
> I have a server running Wireshark that has 2 NIC cards.
>
> NIC 1 - connected to an access port on Cisco 2950 switch 2. This NIC carries all normal server traffic, plus an ftp session to a device on Cisco 2950 switch 1 that I am using for test purposes.
>
> NIC 2 - connected to a port on Cisco 2950 switch 1 that is monitoring the inter-switch trunk between the two 2950s via a span session.
>
> If I take a trace just on NIC 1 - I see 18 ftp or ftp-data packets.
>
> If I take a trace just on NIC 2 - I see 18 ftp or ftp-data packets.
>
> If I take a trace on both NIC 1 & 2 - I see 36 ftp or ftp-data packets, so all looks good.
>
> All of the duplicated packets in the capture from both NICs follow the original ones, but are shown as TCP Retransmissions.
>
> Is this how the facility is designed to work when analysing such a trace?

Pretty much, yes.  The intent (I think) was just to allow capturing on
2 interfaces simultaneously (rather than having to run 2
Wiresharks/dumpcaps and then merge the traces offline).

But nothing was added to separate out potentially-duplicated traffic.
(The use case is more for multi-homed hosts.)
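Since Wireshark (as the reply says) does nothing to separate the copies, the de-duplication has to happen after capture. The following is an added example, not code from this thread or from the Wireshark project: it uses the pcapng Enhanced Packet Block's interface ID to drop a frame that reappears on the other interface within a short window, while keeping a repeat seen on the same interface (which may be a genuine retransmission). The tiny pcapng writer and reader are assumptions written for this example (little-endian only, no options), and the sample capture is constructed; it compares whole Ethernet frames, so if the SPAN copy carried an 802.1Q tag the tag would have to be stripped before comparing.

```python
import struct, collections

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # pcapng block type codes
Packet = collections.namedtuple("Packet", "iface ts_us data")  # interface id, timestamp (us), frame

def _block(btype, body):
    # pcapng framing: type, total length, body padded to 4 bytes, total length again
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)

def build_capture(packets):
    # Minimal pcapng: section header, two Ethernet interfaces (ids 0 and 1), one EPB per packet
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    out += 2 * _block(IDB, struct.pack("<HHI", 1, 0, 65535))   # linktype 1 = Ethernet
    for p in packets:
        hdr = struct.pack("<IIIII", p.iface, p.ts_us >> 32, p.ts_us & 0xFFFFFFFF, len(p.data), len(p.data))
        out += _block(EPB, hdr + p.data)
    return out

def read_epbs(blob):
    # Walk the block chain and yield one Packet per Enhanced Packet Block
    off = 0
    while off < len(blob):
        btype, total = struct.unpack_from("<II", blob, off)
        if btype == EPB:
            iface, ts_hi, ts_lo, caplen, _ = struct.unpack_from("<IIIII", blob, off + 8)
            yield Packet(iface, (ts_hi << 32) | ts_lo, blob[off + 28:off + 28 + caplen])
        off += total

def dedup_across_interfaces(packets, window_us=1_000_000):
    # Drop a frame already seen on a *different* interface within the window; the same bytes
    # seen again on the *same* interface are kept, since that may be a real retransmission
    first_seen, kept = {}, []
    for p in packets:
        prev = first_seen.get(p.data)
        if prev and prev[0] != p.iface and p.ts_us - prev[1] <= window_us:
            continue
        first_seen.setdefault(p.data, (p.iface, p.ts_us))
        kept.append(p)
    return kept

def frame(n):
    # Constructed 54-byte Ethernet frame stand-in (not a real FTP frame); n makes each one distinct
    return b"\x00" * 12 + b"\x08\x00" + bytes([n]) * 40

# Constructed capture: frames 1 and 2 seen on NIC 0 and again 50 us later on NIC 1 (the SPAN
# port), plus one genuine retransmission of frame 2 seen on NIC 0 only
SAMPLE = build_capture([
    Packet(0, 1_000_000, frame(1)), Packet(1, 1_000_050, frame(1)), Packet(0, 1_000_200, frame(2)),
    Packet(1, 1_000_250, frame(2)), Packet(0, 1_500_000, frame(2)),
])
```

Running `dedup_across_interfaces(read_epbs(SAMPLE))` keeps the three NIC 0 frames and discards the two SPAN copies, which is the split Wireshark's own "TCP Retransmission" marking cannot make for you.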