Well, I did not come across any physical documentation from Cisco on this,
but here are my findings:
I was observing the duplication of frames when running a port SPAN on a
Catalyst 6509. The way I set up the port span was as such: "set span 4,5
3/8", which basically is saying SPAN ALL PORTS on VLAN 4 and 5 and put
those frames on port 3/8 (where my sniffer is).

It turns out that by doing this I am capturing BOTH INGRESS and EGRESS
frames, and that is why I see duplicate frames.
For example, Router A wants to send Frame 1 to Router B. Both routers have
interfaces on VLAN 4, and are both plugged physically into the same Catalyst.
When I run the SPAN port for VLAN 4, the SPAN port will receive Frame 1 sent
by Router A, then will also receive Frame 1 again when it is sent from
its Catalyst port to Router B.

So by observing this, I have to be more selective in my SPAN logic. I now
choose to SPAN individual ports instead of the entire VLAN, and that keeps
the duplication of frames from occurring. Hope this helps.

Jeffery Kraus
Data Services Engineer
773.216.3179 (cell)
224.653.3720 (office)
224.653.3766 (fax)
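
For captures already taken from a VLAN-wide SPAN, the ingress/egress copies described above can be removed offline. The following is an added example, not part of the original message: it assumes a classic little-endian pcap file and a 1 ms window (taken from the "less than a millisecond" spacing reported in this thread); the function names, MAC addresses and sample frames are constructed for illustration.

```python
import hashlib
import struct

PCAP_GLOBAL = struct.Struct("<IHHiIII")  # classic pcap file header, little-endian
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data):
    """Yield (timestamp_in_microseconds, frame_bytes) from classic pcap bytes."""
    if len(data) < PCAP_GLOBAL.size or PCAP_GLOBAL.unpack_from(data)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian, microsecond-resolution pcap")
    offset = PCAP_GLOBAL.size
    while offset + PCAP_RECORD.size <= len(data):
        sec, usec, incl_len, _orig_len = PCAP_RECORD.unpack_from(data, offset)
        offset += PCAP_RECORD.size
        if offset + incl_len > len(data):
            break  # truncated final record, e.g. capture stopped mid-write
        yield sec * 1_000_000 + usec, data[offset:offset + incl_len]
        offset += incl_len

def drop_span_duplicates(packets, window_us=1000):
    """Keep the first copy of a frame; drop byte-identical copies within window_us."""
    last_kept = {}  # frame digest -> timestamp of the copy that was kept
    kept = []
    for ts, frame in packets:
        digest = hashlib.sha256(frame).digest()
        previous = last_kept.get(digest)
        if previous is not None and 0 <= ts - previous <= window_us:
            continue  # second sighting of the same frame (the egress copy)
        last_kept[digest] = ts
        kept.append((ts, frame))
    return kept

def build_pcap(records):
    """Serialise (ts_us, frame) pairs into pcap bytes (used for the constructed sample)."""
    out = PCAP_GLOBAL.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for ts, frame in records:
        out += PCAP_RECORD.pack(ts // 1_000_000, ts % 1_000_000, len(frame), len(frame))
        out += frame
    return out

# Constructed sample: two frames between made-up MACs, each seen on ingress and egress.
T0 = 1_072_280_460_000_000
FRAME_1 = bytes.fromhex("02000000000b" "02000000000a" "0800") + b"frame 1 payload"
FRAME_2 = bytes.fromhex("02000000000a" "02000000000b" "0800") + b"frame 2 payload"
SAMPLE = build_pcap([
    (T0, FRAME_1), (T0 + 300, FRAME_1),      # ingress copy, then egress copy 0.3 ms later
    (T0 + 900, FRAME_2), (T0 + 1200, FRAME_2),
    (T0 + 500_000, FRAME_1),                 # same bytes 0.5 s later: kept, outside window
])
```

Because only byte-identical frames inside the window are dropped, a genuine repeat of the same frame later in the capture is preserved.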


-----Original Message-----
From: Jacky Buyck [mailto:[EMAIL PROTECTED]
Sent: Saturday, December 27, 2003 6:26 AM
To: 'Kraus, Jeffery'
Subject: RE : [tcpdump-workers] Observing duplicate frame captures in TCPDUMP


Hi.
I'm really interested in your problem because I've encountered the same
one but with Nortel switches.
Nortel wasn't able to give us a correct answer to this, so if you
have generic information from CISCO I'm interested.

Thanks.
JB


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On behalf of
Kraus, Jeffery
Sent: Wednesday, December 24, 2003 16:41
To: 'George Bakos'
Cc: '[EMAIL PROTECTED]'
Subject: RE: [tcpdump-workers] Observing duplicate frame captures in TCPDUMP


In this scenario it is not 802.11. I have my Redhat 9 box running
TCPDUMP connected to a Cisco Catalyst 6509 using 10/100 CAT5e Ethernet
on a port spanning 2 VLANs. The multiple frames are identical (every
byte, MAC, IP, etc...), although the timestamps are slightly different
(off by less than a millisecond or so).

It definitely seems to be an issue with the Cisco SPAN port... I have
connected a PC running Sniffer Pro and IRIS sniffers, and am seeing the
same thing. I will investigate this further with Cisco. Thank you all
for your help.


-----Original Message-----
From: George Bakos [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:57 PM
To: Kraus, Jeffery
Cc: '[EMAIL PROTECTED]'
Subject: Re: [tcpdump-workers] Observing duplicate frame captures in TCPDUMP


This is normal behaviour for managed wireless networks, where the frame
is encapsulated in 802.11 both to and from the WAP. If this is a copper
or fiber net, are you certain you aren't seeing the effects of a funny
bridge/VLAN/routing environment? Are the multiples being reported with
identical timestamps? How about src MAC addresses?

g

On Tue, 23 Dec 2003 09:43:56 -0600
"Kraus, Jeffery" <[EMAIL PROTECTED]> wrote:

> The machine is Redhat 9, and it is just receiving frames from the 
> network. It does not have an IP address bound to the adaptor so it 
> should not be generating any frames itself.
> 
> Here are the kernel details:
> uname -a
> Linux usc-schaum-sniff 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 
> i686 i386 GNU/Linux
> 
> 
> 
> -----Original Message-----
> From: Guy Harris [mailto:[EMAIL PROTECTED]
> Sent: Friday, December 19, 2003 6:06 PM
> To: Kraus, Jeffery
> Cc: '[EMAIL PROTECTED]'
> Subject: Re: [tcpdump-workers] Observing duplicate frame captures in 
> TCPDUMP
> 
> 
> 
> On Dec 19, 2003, at 2:41 PM, Kraus, Jeffery wrote:
> 
> > Whenever I run captures I always get every packet displayed twice. I have
> > seen numerous emails regarding this issue, but no real fix. I am currently
> > using eth4 as the capture interface and I do not have an IP address bound
> > to it.
> 
> On what OS are you running this?
> 
> Is the machine running tcpdump sending or receiving those packets, or
> is it just passively capturing other machines' traffic on a network?
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:[EMAIL PROTECTED]


-- 
George Bakos
Institute for Security Technology Studies - IRIA
Dartmouth College
[EMAIL PROTECTED]
603.646.0665 -voice
603.646.0666 -fax