The tcpdump is being run on a gig SPAN port on the core 6509; the only
VLANs the span encompasses are the Server VLANs.  The VLANs are being
spanned on both core switches, so I can see why in the intrusion database
duplicates are showing up since both servers are seeing the same VLANs.  I
wonder why when tcpdump is run on one switch it sees duplicates.  Like I
said, I can see why the ACID database sees two entries if both servers are
set on the same spanned VLANs, but it does explain why the duplicates are
noticed when tcpdump is running on only one Linux server.  The host that is
running tcpdump is only using 1 gigabit NIC, so no chance of seeing the
packets from another interface.  I guess it isn't that big of a deal, I just
want to find out why it is happening; the Security folks are a little annoyed
with getting two entries in the database every time.  I will evaluate
spanning-tree and whatnot, but it seems there is some deep-rooted
explanation for this.

Thanks for all of your replies... keep 'em coming!

Antonio

----- Original Message -----
From: "Priscilla Oppenheimer" 
To: 
Sent: Tuesday, September 10, 2002 4:36 PM
Subject: RE: Duplicate packets with same SEQ #'s... [7:53024]


> Where are you running this TCPdump? It seems to be somewhere on the
> network where it sees every packet twice. It's not just SEQ#s that are
> repeating, but ACKs, etc.
>
> Could the host that is running TCPdump be multihomed?
>
> Obviously, in a functioning network, it would be pretty bizarre for any
> LAN or host to see the same packet twice. Spanning Tree and routing
> protocols should ensure that this doesn't happen. But there may be
> situations where this is normal, for a station that is just doing network
> management type tasks, for example.
>
> Priscilla
>
> r34rv13wm1rr0r wrote:
> >
> > This is from a tcpdump off of one of my core switches.  It
> > appears that it is logging a duplicate packet with the same
> > SEQ #.  Does anyone have any idea why this is occurring?
> >
> > Thanks,
> >
> > A
> >
> > 11:18:04.688408 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 1:65(64) ack 49
> > win 8320NBT Packet (DF)
> > 11:18:04.688409 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 1:65(64) ack 49
> > win 8320NBT Packet (DF)
> >
> > 11:18:04.688643 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P
> > 158405518:158405625(107) ack 1210141117 win 8608NBT Packet (DF)
> > 11:18:04.688644 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P
> > 0:107(107) ack
> > 1 win 8608NBT Packet (DF)
> >
> > 11:18:04.688645 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 65:119(54) ack
> > 98 win 8271NBT Packet (DF)
> > 11:18:04.688646 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 65:119(54) ack
> > 98 win 8271NBT Packet (DF)
> >
> > 11:18:04.688883 X.X.6.3.http > 172.X.14.50.1123: . ack
> > 4294967295 win 8155
> > (DF)
> > 11:18:04.688885 X.X.6.3.http > 172.X.14.50.1123: . ack
> > 4294967295 win 8155
> > (DF)
> >
> > 11:18:04.688886 172.23.27.10.3021 > 172.X.15.10.netbios-ssn: P
> > 3194256684:3194256844(160) ack 95965178 win 7515NBT Packet (DF)
> > 11:18:04.688887 172.23.27.10.3021 > 172.X.15.10.netbios-ssn: P
> > 0:160(160) ack
> > 1 win 7515NBT Packet (DF)
> >
> > 11:18:04.688888 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 119:173(54) ack
> > 147 win 8222NBT Packet (DF)
> > 11:18:04.688889 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 119:173(54) ack
> > 147 win 8222NBT Packet (DF)
> >
> > 11:18:04.688890 172.X.15.15.1503 > 172.X.103.10.netbios-ssn: P
> > 1:161(160) ack
> > 107 win 7996NBT Packet (DF)
> > 11:18:04.688891 172.X.15.15.1503 > 172.X.103.10.netbios-ssn: P
> > 1:161(160) ack
> > 107 win 7996NBT Packet (DF)
> >
> > 11:18:04.689183 172.X.15.10.netbios-ssn > 172.23.27.10.3021: P
> > 1:129(128) ack
> > 160 win 8138NBT Packet (DF)
> > 11:18:04.689185 172.X.15.10.netbios-ssn > 172.23.27.10.3021: P
> > 1:129(128) ack
> > 160 win 8138NBT Packet (DF)
> >
> > 11:18:04.689186 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 173:255(82) ack
> > 196 win 8173NBT Packet (DF)
> > 11:18:04.689187 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 173:255(82) ack
> > 196 win 8173NBT Packet (DF)
> >
> > 11:18:04.689188 172.X.15.151.ssh > 172.X.53.186.1219: P
> > 2849560709:2849560801(92) ack 2980294350 win 9648 (DF) [tos
> > 0x10]
> > 11:18:04.689189 172.X.15.151.ssh > 172.X.53.186.1219: P
> > 0:92(92) ack 1 win
> > 9648 (DF) [tos 0x10]
> >
> > 11:18:04.689192 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 255:309(54) ack
> > 245 win 8124NBT Packet (DF)
> > 11:18:04.689193 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 255:309(54) ack
> > 245 win 8124NBT Packet (DF)
> >
> > 11:18:04.689608 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 309:363(54) ack
> > 294 win 8075NBT Packet (DF)
> > 11:18:04.689609 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 309:363(54) ack
> > 294 win 8075NBT Packet (DF)
> >
> > 11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack
> > 4096314569 win
> > 2144
> > 11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 1
> > win 2144
> >
> > 11:18:04.689611 172.X.53.186.1219 > 172.X.15.151.ssh: P
> > 1:45(44) ack 92 win
> > 16724 (DF)
> > 11:18:04.689612 172.X.53.186.1219 > 172.X.15.151.ssh: P
> > 1:45(44) ack 92 win
> > 16724 (DF)
> >
> > 11:18:04.689614 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P
> > 294:343(49) ack
> > 363 win 7380NBT Packet (DF) [tos 0x4]
> > 11:18:04.718183 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P
> > 6762:6811(49)
> > ack 8223 win 8397NBT Packet (DF) [tos 0x4]
> >
> > 11:18:04.718187 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 8223:8287(64)
> > ack 6811 win 7438NBT Packet (DF)
> > 11:18:04.718188 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 8223:8287(64)
> > ack 6811 win 7438NBT Packet (DF)
> >
> > 11:18:04.718423 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 8287:8341(54)
> > ack 6860 win 7389NBT Packet (DF)
> > 11:18:04.718424 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P
> > 8287:8341(54)
> > ack 6860 win 7389NBT Packet (DF)
> >
> > 11:18:04.718425 172.X.240.220.6103 > 172.X.15.68.4720: .
> > 2920:4380(1460) ack 1
> > win 16816 (DF)
> > 11:18:04.718586 172.X.240.220.6103 > 172.X.15.68.4720: .
> > 4380:5840(1460) ack 1
> > win 16816 (DF)
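
Added example, not part of the original thread or written by either poster: a Python check that counts, per flow, how many lines of tcpdump text output repeat a packet captured a few microseconds earlier, which shows whether every flow is doubled or only some. The sample lines, the documentation-range addresses and the 5-microsecond window are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the old tcpdump text format shown in the thread
# (documentation addresses, one packet per line); not data from the post.
SAMPLE = """\
11:18:04.688408 192.0.2.49.netbios-ssn > 198.51.100.103.1066: P 1:65(64) ack 49 win 8320 (DF)
11:18:04.688409 192.0.2.49.netbios-ssn > 198.51.100.103.1066: P 1:65(64) ack 49 win 8320 (DF)
11:18:04.688643 192.0.2.10.netbios-ssn > 192.0.2.15.1503: P 158405518:158405625(107) ack 1210141117 win 8608 (DF)
11:18:04.688644 192.0.2.10.netbios-ssn > 192.0.2.15.1503: P 0:107(107) ack 1 win 8608 (DF)
11:18:04.689614 198.51.100.103.1066 > 192.0.2.49.netbios-ssn: P 294:343(49) ack 363 win 7380 (DF)
11:18:04.718425 203.0.113.220.6103 > 192.0.2.68.4720: . 2920:4380(1460) ack 1 win 16816 (DF)
11:18:04.718586 203.0.113.220.6103 > 192.0.2.68.4720: . 4380:5840(1460) ack 1 win 16816 (DF)
""".splitlines()

LINE = re.compile(
    r"(\d+):(\d+):(\d+)\.(\d{6}) (\S+) > (\S+): (\S+) "
    r"(?:\d+:\d+\((\d+)\) )?(?:ack \d+ )?win (\d+)")

def parse(line):
    """Return (time_in_microseconds, key), or None for a non-TCP line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    h, mi, s, us, src, dst, flags, length, win = m.groups()
    t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(us)
    # seq/ack are left out of the key: tcpdump prints absolute numbers for the
    # first segment it sees in a direction and relative ones afterwards, so two
    # copies of one packet can print differently.
    return t, (src, dst, flags, int(length or 0), int(win))

def duplicate_stats(lines, window_us=5):
    """Map (src, dst) -> [lines seen, lines repeating a packet seen at most
    window_us earlier]. window_us is an assumed threshold, not from the post."""
    last, stats = {}, defaultdict(lambda: [0, 0])
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        t, key = rec
        flow = stats[key[:2]]
        flow[0] += 1
        if key in last and t - last[key] <= window_us:
            flow[1] += 1
            del last[key]      # a third copy would start a new pair
        else:
            last[key] = t
    return dict(stats)
```

Join tcpdump's wrapped output back to one packet per line before feeding it in; the last two sample lines share every keyed field but are 161 microseconds apart, so they count as distinct segments.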




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53092&t=53024