how to recognize a duplicate packet ? in addition that it is marked in black in wireshark, what is its particularities (Sequence number, ACK...) Thanks in advance for your help
"True Duplicate" packets are completely identical, meaning that if you compare their bytes in the hex view you'll see that nothing changes when you jump between them in the packet list.
I distinguish between "True Duplicates" (created usually by the capture method of SPANing more than 1 port) and "Routed Duplicates" where you have differences like MAC-Addresses and VLAN IDs - those are also duplicates from TCP point of view but they're not byte-wise identical. In that case you might want to compare IP-Identification, 5-Tuples (SrcIP:SrcPort-DestIP:DestPort:L4Protocol) and sequence numbers. Comparing TCP/UDP payloads also often works.
Hey Jasper, will a "True" DUP ACK have the same ID# <ip.id> ? I am getting some DUP ACK's with no retransmit, but the ip.id's are incrementing. What about SEQ numbers, they would need to be the same also in order for it to be a DUP ACK, right?
First, no, the IP ID will be different, because the duplicate ACK is a TCP (layer 4) mechanism, and does not affect the increment of IP IDs on layer 3.
And yes, the sequence number needs to stay the same, but it is kind of a gray area - as far as I know Wireshark wouldn't mark a packet a duplicate ACK unless the sequence number and window size stays the same, but I would have to check the source code to be sure.
Comments