0

When I play back a pcap file using Colasoft, wireshark is seeing duplicate identical packets.

When I open the pcap in Wireshark, it shows the correct number of packets.

I tried to play a pcap using Colasoft, and I was expecting to see the identical ethernet stream in Wireshark, but instead it shows double the number of packets.

Duplicate packets

Vcrewchief
  • 1
  • 3

1 Answers1

0

I'm not familiar with Colasoft, but have a few ideas on pcap playback. Are the packets really identical? You may have the same content being sent to multiple destination addresses. How are you sampling the playback? Are you sampling at multiple points? Do you have network equipment involved in your test? Is this a test with physical equipment or is the whole test simulated?

MatCat
  • 19
  • 5
  • They are identical. I updated my question with a screenshot. I'm playing the pcap through a physical ethernet port that is connected to a beaglebone that I just took out of the box. I just needed something connected. I had a similar issue with the virtual NIC, but the multicast packets didn't duplicate--only the regular 10.10.10.120 UDP packets were duplicated. – Vcrewchief Aug 24 '23 at 00:00
  • Are you sampling on multiple interfaces? Does your device repeat the traffic back to the source computer? Maybe you are capturing it when sending and when it returns? The fact that multicast doesn't duplicate is interesting because routers won't send multicast out until someone subscribes to it (which you probably are not doing). – MatCat Aug 24 '23 at 22:30
  • As far as the multicast goes, I wouldn't think subscription matters to Wireshark, because it's looking for anything and everything. It's UDP if that matters. I think the fact that the virtual NIC has duplicates should rule out replies/returns... Honestly if my python program can handle the double packets I might just ignore it because the real hardware doesn't duplicate. – Vcrewchief Aug 25 '23 at 05:41