RE: FW: Duplicate packets with same SEQ #'s... [7:53024]

2002-09-11 Thread Priscilla Oppenheimer

Newell Ryan D SrA 18 CS/SCBT wrote:
> 
> Is it possible that you are doing a dump on a link that the packet must
> traverse to and fro to get to the destination?

That's a good point. I can't comprehend the actual design from what we've
been told, but it could be perfectly normal for a packet to traverse a
network segment twice. An old-fashioned example is two routers on a segment.
A host on the segment is set for one of the routers to be the default
gateway. The host sends a packet to that router. The router can't get there
directly so sends the packet back out the same interface to the other
router. The MAC addresses should change, as you say. The router should also
send an ICMP Redirect.

A more modern example is a one-armed router doing inter-VLAN forwarding of
packets.

Have no idea if this applies, but I'm glad you triggered this thinking about
basic network behavior with common network topologies.

Priscilla

> I'm assuming you're spanning or port mirroring the port or VLAN possibly.
> If these PCs are on separate networks... see what I'm saying.
> Well, if you don't, here goes. If you have a switch connected to a router
> using some kind of trunking capability (or internal router) and the users
> are on separate VLAN/subnets, they must cross the router to get to each
> other. Thus when you do a dump you will see the same packet come across
> twice. If you have a protocol analyzer you should see the MAC address
> change as it crosses the router. I only believe my theory to be true if
> the PCs are on separate subnetworks.
> Hope this helps
> D
> 
> -Original Message-
> From: Neil Desai [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 11, 2002 11:59 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Duplicate packets with same SEQ #'s... [7:53024]
> 
> 
> We have a similar situation in our network. We have proxy arp
> turned on and
> it is causing the same thing.
> 
> 
> Neil
> "r34rv13wm1rr0r" wrote in message news:[EMAIL PROTECTED]...
> > This is from a tcpdump off of one of my core switches.  It appears that
> > it is logging a duplicate packet with the same SEQ #.  Does anyone have
> > any idea why this is occurring?
> >
> > Thanks,
> >
> > A

FW: Duplicate packets with same SEQ #'s... [7:53024]

2002-09-10 Thread Newell Ryan D SrA 18 CS/SCBT

Is it possible that you are doing a dump on a link that the packet must
traverse to and fro to get to the destination? You stated that you did this
dump off of one of your core switches. I'm assuming you're spanning or port
mirroring the port or VLAN possibly. If these PCs are on separate
networks... see what I'm saying.
Well, if you don't, here goes. If you have a switch connected to a router
using some kind of trunking capability (or internal router) and the users
are on separate VLAN/subnets, they must cross the router to get to each
other. Thus when you do a dump you will see the same packet come across
twice. If you have a protocol analyzer you should see the MAC address change
as it crosses the router. I only believe my theory to be true if the PCs are
on separate subnetworks.
Hope this helps
D

-Original Message-
From: Neil Desai [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 11, 2002 11:59 AM
To: [EMAIL PROTECTED]
Subject: Re: Duplicate packets with same SEQ #'s... [7:53024]


We have a similar situation in our network. We have proxy arp turned on and
it is causing the same thing.


Neil
"r34rv13wm1rr0r" wrote in message news:[EMAIL PROTECTED]...
> This is from a tcpdump off of one of my core switches.  It appears that it
> is logging a duplicate packet with the same SEQ #.  Does anyone have any
> idea why this is occurring?
>
> Thanks,
>
> A
>
> 11:18:04.688408 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)
> 11:18:04.688409 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 1:65(64) ack 49 win 8320NBT Packet (DF)
>
> 11:18:04.688643 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P 158405518:158405625(107) ack 1210141117 win 8608NBT Packet (DF)
> 11:18:04.688644 172.X.103.10.netbios-ssn > 172.X.15.15.1503: P 0:107(107) ack 1 win 8608NBT Packet (DF)
>
> 11:18:04.688645 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 65:119(54) ack 98 win 8271NBT Packet (DF)
> 11:18:04.688646 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 65:119(54) ack 98 win 8271NBT Packet (DF)
>
> 11:18:04.63 X.X.6.3.http > 172.X.14.50.1123: . ack 4294967295 win 8155 (DF)
> 11:18:04.65 X.X.6.3.http > 172.X.14.50.1123: . ack 4294967295 win 8155 (DF)
>
> 11:18:04.66 172.23.27.10.3021 > 172.X.15.10.netbios-ssn: P 3194256684:3194256844(160) ack 95965178 win 7515NBT Packet (DF)
> 11:18:04.67 172.23.27.10.3021 > 172.X.15.10.netbios-ssn: P 0:160(160) ack 1 win 7515NBT Packet (DF)
>
> 11:18:04.68 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 119:173(54) ack 147 win 8222NBT Packet (DF)
> 11:18:04.69 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 119:173(54) ack 147 win 8222NBT Packet (DF)
>
> 11:18:04.688890 172.X.15.15.1503 > 172.X.103.10.netbios-ssn: P 1:161(160) ack 107 win 7996NBT Packet (DF)
> 11:18:04.688891 172.X.15.15.1503 > 172.X.103.10.netbios-ssn: P 1:161(160) ack 107 win 7996NBT Packet (DF)
>
> 11:18:04.689183 172.X.15.10.netbios-ssn > 172.23.27.10.3021: P 1:129(128) ack 160 win 8138NBT Packet (DF)
> 11:18:04.689185 172.X.15.10.netbios-ssn > 172.23.27.10.3021: P 1:129(128) ack 160 win 8138NBT Packet (DF)
>
> 11:18:04.689186 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 173:255(82) ack 196 win 8173NBT Packet (DF)
> 11:18:04.689187 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 173:255(82) ack 196 win 8173NBT Packet (DF)
>
> 11:18:04.689188 172.X.15.151.ssh > 172.X.53.186.1219: P 2849560709:2849560801(92) ack 2980294350 win 9648 (DF) [tos 0x10]
> 11:18:04.689189 172.X.15.151.ssh > 172.X.53.186.1219: P 0:92(92) ack 1 win 9648 (DF) [tos 0x10]
>
> 11:18:04.689192 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 255:309(54) ack 245 win 8124NBT Packet (DF)
> 11:18:04.689193 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 255:309(54) ack 245 win 8124NBT Packet (DF)
>
> 11:18:04.689608 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 309:363(54) ack 294 win 8075NBT Packet (DF)
> 11:18:04.689609 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 309:363(54) ack 294 win 8075NBT Packet (DF)
>
> 11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 4096314569 win 2144
> 11:18:04.689610 172.X.243.6.printer > 172.X.240.10.723: . ack 1 win 2144
>
> 11:18:04.689611 172.X.53.186.1219 > 172.X.15.151.ssh: P 1:45(44) ack 92 win 16724 (DF)
> 11:18:04.689612 172.X.53.186.1219 > 172.X.15.151.ssh: P 1:45(44) ack 92 win 16724 (DF)
>
> 11:18:04.689614 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P 294:343(49) ack 363 win 7380NBT Packet (DF) [tos 0x4]
> 11:18:04.718183 172.X.61.103.1066 > 172.X.15.49.netbios-ssn: P 6762:6811(49) ack 8223 win 8397NBT Packet (DF) [tos 0x4]
>
> 11:18:04.718187 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8223:8287(64) ack 6811 win 7438NBT Packet (DF)
> 11:18:04.718188 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8223:8287(64) ack 6811 win 7438NBT Packet (DF)
>
> 11:18:04.718423 172.X.15.49.netbios-ssn > 172.X.61.103.1066: P 8287:8341(54)
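
The check suggested in the replies above (a routed copy of a packet seen on a mirrored port shows changed MAC addresses), written out as an added example that is not part of the original thread. It goes beyond the thread by also comparing TTL and IP ID to separate routed copies from identical captures and retransmissions; the record layout, MAC addresses, IP addresses and function names are all constructed assumptions.

```python
# Added example: constructed data, not taken from the thread's capture.
# Fields per line: time, src MAC, dst MAC, TTL, IP ID, src, dst, TCP seq, payload length.
# This layout, the MACs (documentation range) and the IPs are assumptions.
SAMPLE = """\
11:18:04.688408 00:00:5e:00:53:01 00:00:5e:00:53:fe 128 4321 192.0.2.49:139 198.51.100.103:1066 1 64
11:18:04.688409 00:00:5e:00:53:fe 00:00:5e:00:53:02 127 4321 192.0.2.49:139 198.51.100.103:1066 1 64
11:18:04.688700 00:00:5e:00:53:03 00:00:5e:00:53:04 64 700 192.0.2.10:80 192.0.2.50:1123 500 100
11:18:04.688701 00:00:5e:00:53:03 00:00:5e:00:53:04 64 700 192.0.2.10:80 192.0.2.50:1123 500 100
11:18:04.689188 00:00:5e:00:53:05 00:00:5e:00:53:fe 64 900 192.0.2.151:22 198.51.100.186:1219 9000 92
11:18:04.989188 00:00:5e:00:53:05 00:00:5e:00:53:fe 64 901 192.0.2.151:22 198.51.100.186:1219 9000 92
11:18:04.990000 00:00:5e:00:53:02 00:00:5e:00:53:fe 128 55 198.51.100.103:1066 192.0.2.49:139 49 0
11:18:04.995000 00:00:5e:00:53:02 00:00:5e:00:53:fe 128 56 198.51.100.103:1066 192.0.2.49:139 49 0
"""

def parse(line):
    ts, smac, dmac, ttl, ip_id, src, dst, seq, length = line.split()
    h, m, s = ts.split(":")
    return {"t": int(h) * 3600 + int(m) * 60 + float(s), "macs": (smac, dmac),
            "ttl": int(ttl), "id": int(ip_id), "flow": (src, dst),
            "seq": int(seq), "len": int(length)}

def classify(first, second):
    """Explain why `second` repeats the sequence number of `first`."""
    if first["id"] != second["id"]:
        return "retransmission"      # sender built a new IP datagram
    if first["macs"] != second["macs"] and second["ttl"] == first["ttl"] - 1:
        return "routed-copy"         # same datagram before and after one router hop
    if first["macs"] == second["macs"] and second["ttl"] == first["ttl"]:
        return "identical-copy"      # same frame captured twice
    return "unexplained"

def find_duplicates(text, window=1.0):
    last_seen, findings = {}, []
    for line in text.strip().splitlines():
        pkt = parse(line)
        key = (pkt["flow"], pkt["seq"], pkt["len"])
        if pkt["len"] == 0:
            # Pure ACKs legitimately repeat a sequence number, so only
            # compare copies of the very same datagram (same IP ID).
            key += (pkt["id"],)
        prev = last_seen.get(key)
        if prev and pkt["t"] - prev["t"] <= window:
            findings.append((pkt["flow"][0], pkt["seq"], classify(prev, pkt)))
        last_seen[key] = pkt
    return findings

if __name__ == "__main__":
    for src, seq, verdict in find_duplicates(SAMPLE):
        print(f"{src} seq {seq}: {verdict}")
```

The plain tcpdump output quoted in the thread carries neither MAC addresses nor TTL, so a capture has to include link-layer headers and IP details before this comparison is possible.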