Wireshark mailing list archives
Re: Wireshark V1.8.0 - analysing dual NIC capture
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Tue, 26 Jun 2012 16:56:07 -0400
On Tue, Jun 26, 2012 at 8:51 AM, Keith French <keithfrench () btconnect com> wrote:
> Thanks for a really fantastic new release of Wireshark. I have been trying out Wireshark V1.8.0 capturing on 2 NICs simultaneously using the .pcapng format. However, I am not really sure what I am expecting to see when analysing the trace.

The main thing is that you can get packets from 2 interfaces at the same time. No other real changes.

> In the preferences I have ticked the "Capture packets in pcap-ng format" option. My set up is this:-
>
> I have a server running Wireshark that has 2 NIC cards.
>
> NIC 1 - connected to an access port on Cisco 2950 switch 2. This NIC carries all normal server traffic, plus an ftp session to a device on Cisco 2950 switch 1 that I am using for test purposes.
> NIC 2 - connected to a port on Cisco 2950 switch 1 that is monitoring the inter-switch trunk between the two 2950s via a span session.
>
> If I take a trace just on NIC 1 - I see 18 ftp or ftp-data packets.
> If I take a trace just on NIC 2 - I see 18 ftp or ftp-data packets.
> If I take a trace on both NIC 1 & 2 - I see 36 ftp or ftp-data packets, so all looks good.
>
> All of the duplicated packets in the capture from both NICs follow the original ones, but are shown as TCP Retransmissions. Is this how the facility is designed to work when analysing such a trace?
Pretty much, yes. The intent (I think) was just to allow capturing on 2 interfaces simultaneously (rather than having to run 2 Wiresharks/dumpcaps and then merge the traces offline). But nothing was added to separate out potentially-duplicated traffic. (The use case is more for multi-homed hosts.)
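
Added example (not part of the original message and not Wireshark's own code): pcapng stores an interface ID in every Enhanced Packet Block, so a two-NIC capture like the one described can be read per interface and frames that arrived on both NICs flagged instead of being mistaken for retransmissions. It assumes a little-endian section and byte-identical copies of the frame on both interfaces; the helper names and the sample frames are constructed for illustration.

```python
import hashlib
import struct
from collections import defaultdict

EPB = 0x00000006  # Enhanced Packet Block type (pcapng)

def block(btype, body):
    """Wrap a body in pcapng block framing: type, total length, body, total length."""
    body += b"\x00" * (-len(body) % 4)           # pad body to a 32-bit boundary
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def epb(iface, data):
    """Build an EPB: interface id, 64-bit timestamp (zeroed), two lengths, data."""
    return block(EPB, struct.pack("<IIIII", iface, 0, 0, len(data), len(data)) + data)

def read_packets(buf):
    """Yield (interface_id, packet_bytes) for every EPB in a little-endian section."""
    off = 0
    while off + 12 <= len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length {total} at offset {off}")
        if btype == EPB:
            iface, _, _, caplen, _ = struct.unpack_from("<IIIII", buf, off + 8)
            if caplen > total - 32:              # 12 framing + 20 fixed EPB bytes
                raise ValueError("captured length exceeds block")
            yield iface, buf[off + 28 : off + 28 + caplen]
        off += total                             # non-EPB blocks are skipped

def cross_interface_duplicates(buf):
    """Return indexes of packets whose bytes were already seen on another interface."""
    seen = defaultdict(set)                      # digest -> interfaces it appeared on
    dups = []
    for idx, (iface, data) in enumerate(read_packets(buf)):
        digest = hashlib.sha256(data).digest()
        if seen[digest] - {iface}:
            dups.append(idx)
        seen[digest].add(iface)
    return dups

# Constructed sample: one section, two interfaces, the same frame seen on both.
SHB = block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
IDB = block(0x00000001, struct.pack("<HHI", 1, 0, 65535))    # LINKTYPE_ETHERNET
SAMPLE = SHB + IDB + IDB + epb(0, b"frame-A") + epb(1, b"frame-A") + epb(0, b"frame-B")
```

A SPAN copy taken from a trunk may carry an 802.1Q tag that the access-port copy lacks, in which case the frames would need normalising before they are hashed.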