
Wireshark-users: Re: [Wireshark-users] out-of-orders instead of duplicates

From: Hansang Bae <hbae@xxxxxxxxxx>
Date: Tue, 17 Mar 2009 16:40:39 -0400
At 08:32 AM 3/12/2009, Pawel K wrote:
>Hello
>
>I receive many packets that look like duplicates.
>They are exactly the same - even with respect to the receiving time.
>Wireshark reports the second packet as a TCP Out-Of-Order.
>IMHO it should be reported as a duplicate.
>Am I right ?
>
>Thank you for an answer



It would be easier if you didn't span the entire VLAN.  But sometimes, you're forced to do this because you have a case of


A <--->B <---> C <----> D <---> E
       \               /
        \-------------/

Capturing on B and D would give you duplicates (leaving B and arriving at D)

So you can use the editcap -d option.  But if I recall, it can only look at packets +/- 4 away.  So if you have:

pkt 1
pkt 2
pkt 3
pkt 4
pkt 5
pkt 6
pkt (exact replica of 1)


editcap won't find it (I'm pretty sure).  In the past, I had my guys write a script that compared MAC/IP ID to remove duplicates.
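As an added example (not part of Hansang's reply, and not editcap's or Wireshark's own code), the script below shows the difference between a bounded lookback like editcap -d and an unbounded pass that compares MAC addresses, IP ID and the IP payload over the whole file, which is roughly what the MAC/IP ID script he describes would do. It builds a small pcap in memory from constructed frames: six distinct packets, a genuine TCP retransmission (same sequence number, fresh IP ID, which must survive), and an exact replica of packet 1 with the same timestamp placed seven packets later, the layout from the thread. The packet contents, addresses and the lookback window of 4 are assumptions for illustration; IP and TCP checksums are left at zero.

```python
import hashlib
import struct
from collections import deque

# --- constructed sample capture (not a real trace) -------------------------

# Classic little-endian pcap global header, link type 1 = Ethernet.
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def eth_ip_tcp_frame(ip_id, seq):
    """Minimal Ethernet/IPv4/TCP frame; addresses are made up, checksums are 0."""
    dst_mac = bytes.fromhex("66778899aabb")
    src_mac = bytes.fromhex("001122334455")
    eth = dst_mac + src_mac + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + b"payload"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


def pcap_record(ts, frame):
    ts_sec, ts_usec = ts
    return struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame


def build_sample_pcap():
    """pkt 1..6, a real retransmission of pkt 3, then an exact replica of pkt 1."""
    originals = [eth_ip_tcp_frame(ip_id=100 + i, seq=1000 + i * 7) for i in range(6)]
    records = [((1, i), f) for i, f in enumerate(originals)]
    records.append(((1, 6), eth_ip_tcp_frame(ip_id=200, seq=1000 + 2 * 7)))  # retransmission
    records.append(((1, 0), originals[0]))  # span duplicate: same bytes, same timestamp
    return PCAP_GLOBAL_HDR + b"".join(pcap_record(ts, f) for ts, f in records)


# --- reading and deduplicating --------------------------------------------

def iter_pcap_records(data):
    """Yield ((ts_sec, ts_usec), frame) for each record of a little-endian classic pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield (ts_sec, ts_usec), data[off:off + incl_len]
        off += incl_len


def frame_key(frame):
    """Identity used for comparison: both MACs, IP ID, both IPs, and a hash of the IP payload.

    The payload hash is there because some stacks send IP ID 0 on DF datagrams, so
    MAC/IP ID alone could collapse a whole flow into one 'packet'.
    """
    dst_mac, src_mac = frame[0:6], frame[6:12]
    ihl = frame[14] & 0x0F
    ip_id = struct.unpack_from("!H", frame, 18)[0]
    src_ip, dst_ip = frame[26:30], frame[30:34]
    payload_hash = hashlib.sha256(frame[14 + ihl * 4:]).digest()
    return (dst_mac, src_mac, ip_id, src_ip, dst_ip, payload_hash)


def dedup_windowed(records, window=4):
    """Drop a record only if an identical one sits within the previous `window` records."""
    recent = deque(maxlen=window)
    kept = []
    for ts, frame in records:
        key = frame_key(frame)
        if key in recent:
            continue
        recent.append(key)
        kept.append((ts, frame))
    return kept


def dedup_unbounded(records):
    """Drop a record if an identical one appeared anywhere earlier in the capture."""
    seen = set()
    kept = []
    for ts, frame in records:
        key = frame_key(frame)
        if key in seen:
            continue
        seen.add(key)
        kept.append((ts, frame))
    return kept


def write_pcap(records):
    return PCAP_GLOBAL_HDR + b"".join(pcap_record(ts, f) for ts, f in records)


if __name__ == "__main__":
    recs = list(iter_pcap_records(build_sample_pcap()))
    print("input records:      ", len(recs))
    print("bounded lookback (4):", len(dedup_windowed(recs, 4)), "kept; replica of pkt 1 slips through")
    print("unbounded lookback:  ", len(dedup_unbounded(recs)), "kept; retransmission survives, replica dropped")
```

The bounded pass keeps all eight records because the replica is seven records away from the original, while the unbounded pass drops it and still keeps the retransmission, whose IP ID differs. In practice the unbounded set grows with the capture, so for very large files you would key on a hash rather than the raw tuple or bound it by time instead of count; editcap's -D option lets you widen its own window if a few packets more is all you need.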