Wireshark-users: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture

From: "Keith French" <keithfrench@xxxxxxxxxxxxx>
Date: Tue, 26 Jun 2012 13:51:08 +0100

Thanks for a really fantastic new release of Wireshark.

I have been trying out Wireshark V1.8.0 capturing on 2 NICs simultaneously using the .pcapng format. However, I am not really sure what I am expecting to see when analysing the trace.

In the preferences I have ticked the "Capture packets in pcap-ng format" option.

My setup is this:

I have a server running Wireshark that has 2 NIC cards.

NIC 1 - connected to an access port on Cisco 2950 switch 2. This NIC carries all normal server traffic, plus an ftp session to a device on Cisco 2950 switch 1 that I am using for test purposes.

NIC 2 - connected to a port on Cisco 2950 switch 1 that is monitoring the inter-switch trunk between the two 2950s via a span session.

If I take a trace just on NIC 1 - I see 18 ftp or ftp-data packets.

If I take a trace just on NIC 2 - I see 18 ftp or ftp-data packets.

If I take a trace on both NIC 1 & 2 - I see 36 ftp or ftp-data packets, so all looks good.

All of the duplicated packets in the capture from both NICs follow the original ones, but are shown as TCP Retransmissions.

Is this how the facility is designed to work when analysing such a trace?

Keith French.
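
A pcapng capture like the one described above records, in every Enhanced Packet Block, the ID of the interface the packet arrived on. The following is an added example, not part of the original post: it splits a little-endian pcapng section by interface ID and lists frames captured byte-for-byte on more than one interface. The sample file and its placeholder frame bytes are constructed, and it assumes both NICs see identical bytes (a SPAN of a trunk may add VLAN tags).

```python
import struct
from collections import defaultdict

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
MAGIC = 0x1A2B3C4D  # byte-order magic, first field of the SHB body

def block(btype, body):
    """Build one little-endian pcapng block, body padded to 32 bits."""
    body += b"\x00" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def epb(iface, ts, frame):
    """Enhanced Packet Block: interface_id, timestamp, lengths, frame."""
    head = struct.pack("<IIIII", iface, ts >> 32, ts & 0xFFFFFFFF,
                       len(frame), len(frame))
    return block(EPB, head + frame)

def packets_by_interface(data):
    """Return {interface_id: [frame, ...]} for a little-endian section."""
    if (len(data) < 12 or struct.unpack_from("<I", data, 0)[0] != SHB
            or struct.unpack_from("<I", data, 8)[0] != MAGIC):
        raise ValueError("not a little-endian pcapng section")
    out, off = defaultdict(list), 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        minimum = 32 if btype == EPB else 12  # an EPB has 20 fixed bytes
        if total < minimum or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length at offset {off}")
        if btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from("<IIIII", data, off + 8)
            if caplen > total - 32:
                raise ValueError(f"bad captured length at offset {off}")
            out[iface].append(data[off + 28:off + 28 + caplen])
        off += total
    return dict(out)

def seen_on_both(per_iface):
    """Frames captured byte-for-byte on more than one interface."""
    where = defaultdict(set)
    for iface, frames in per_iface.items():
        for frame in frames:
            where[frame].add(iface)
    return [f for f, ifaces in where.items() if len(ifaces) > 1]

# Constructed sample: two interfaces; placeholder bytes stand in for frames.
A, B, C = b"ftp-frame-1", b"ftp-frame-2", b"other-traffic"
SAMPLE = (block(SHB, struct.pack("<IHHq", MAGIC, 1, 0, -1))
          + block(IDB, struct.pack("<HHI", 1, 0, 65535)) * 2
          + epb(0, 1, A) + epb(1, 2, A) + epb(0, 3, B) + epb(1, 4, B)
          + epb(0, 5, C))
```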