Re: Packets in different VLANS flagged as duplicated Packets in RTP Stream Analysis

[Jaap Keuter <jaap.keuter () xs4all nl>]

Hi,

This is hard to solve in a generic way. There are multiple ways in which 
networks can be multiplexed, which then all have to be taken into account.
I'm thinking of VLAN, VLAN (in VLAN)+, MPLS, L2TP, PPPoX, pcap-ng, etc.

What you may be able to do is capture from a vlan interface i.s.o. the physical 
interface. So -i eth1.1 i.s.o -i 2. But I guess you cannot, because of a need to 
capture the full trunk?

Thanks,
Jaap


On 08/10/2012 03:19 PM, John Powell wrote:
> That certainly does look the same scenario - as the last update was 2010 can I
> assume that this will not be fixed any time soon?
>
> On Fri, Aug 10, 2012 at 7:10 AM, <mmann78 () netscape net
> <mailto:mmann78 () netscape net>> wrote:
>
>     I believe you're referring to this bug:
>     https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=4561
>     -----Original Message-----
>     From: John Powell <jrp999 () gmail com <mailto:jrp999 () gmail com>>
>     To: Developer support list for Wireshark <wireshark-dev () wireshark org
>     <mailto:wireshark-dev () wireshark org>>
>     Sent: Fri, Aug 10, 2012 8:58 am
>     Subject: Re: [Wireshark-dev] Packets in different VLANS flagged as
>     duplicated Packets in RTP Stream Analysis
>
>     Hi Everyone,
>
>     I should have noted the following:
>
>       * I am running Wireshark 1.8.1 (compiled from source) under CentOS 6.3.
>
>       * Dumpcap command command line is:
>
>
>     /usr/local/bin/dumpcap -B 32 -i 2 -f vlan and (not vrrp and not udp port
>     1985 and not ether host 01:00:0c:cc:cc:cc) -b files:1200 -b filesize:250000
>     -b duration:900 -w /var/opt/data/captures/eth1.cap
>
>     Thanx in advance for any guidance!
>
>     John
>
>
>     On Fri, Aug 10, 2012 at 6:48 AM, John Powell <jrp999 () gmail com
>     <mailto:jrp999 () gmail com>> wrote:
>
>         Hi Everyone,
>
>         I am running Dumpcap as a service.
>
>         My users have told me that when they select a packet capture then select
>         Telephony - RTP - Show all Streams that it indicates packets are being
>         duplicated (negative packet loss).
>
>         For the packets being duplicated (negative packet loss), I discovered
>         that there are in fact 2 packets being seen by Wireshark with the same
>         SRC/DST IP Addresses and the same ID number BUT different VLANS tags.
>
>         Is this an error in Wireshark that should be fixed or is there some way
>         to configure Wireshark to look at the VLAN tag as well as the ID number
>         before determining a packet is duplicated?
>
>         Thanx alot!
>
>         John

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe