Outbound packets are seen twice


Zebra2k

Programmer
Aug 12, 2002
Hi all,
For some reason, when I use a sniffer tool to capture the network traffic on my machine (win2k server), I always see every packet going to the outside twice. The two packets are almost identical except that their timestamps are different. I used many different sniffer tools (like ethereal, sniffer basic 4.5) and I still saw the same problem. It happens only to the traffic originated from the local machine, not to that which comes from the other machines in the local network. If I sniff my machine's traffic from another machine, I see each outbound packet reported only once.
Does anyone know what is wrong with my machine? Thanks for your help.

-zebra
 
The timeout may be set too short. For example, the TTL setting. Most devices default at 30ms, which is very short, so what happens is this:

My packet goes out, the receiving node receives it and sends a reply back that it received it. Problem is that if the confirmation packet takes longer to return, then that packet is resent.

If this appears to be causing some slowness on your network, you can try increasing this setting either at the router or server/pc level. Chances are, you may have some other problem that could be causing packets to resend.

The other question is, are you 100% certain that the packet is a duplicate? It may just be that multiple packets are going out for the same request that are actually a breakdown. I.e., I make a URL request, but 2 actual packets are created to do this as opposed to one??

What you might want to do is capture packets for a period of time and see if the problem is persistent and happening all the time. If it is just occasional then it might not be an issue.

My two cents worth..HTH


Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Thanks Mark. The problem is very persistent, and happens all the time for both UDP and TCP packets. Both packets are pretty much identical, including the sequence and acknowledgement numbers. The only difference between them is the timestamp of each, which varies depending on the sniffer program. I can see this problem only when I run the sniffer program on the local machine. If I run it on a different machine and capture traffic coming from my machine, I don't see the problem. So it looks like the second packet doesn't go on the network, otherwise I would see two of them. It's just somehow reported twice.
 

Hmm, that is odd. Do you have specific protocol stacks defined on the computers? I.e., TCP/IP, or IPX or Netbeui?? May need to confirm that what is going out is for one protocol stack. I have seen instances where netbeui may be loaded (for the life of me why did Microsoft create this). It in fact may actually send out packets as well.

The other thing, too, is to look at the services that are running; most Windows machines, when they are set up for file and print sharing etc., will actually assume two roles. One as a workstation, and the second as a server.

Just some thoughts.

My background is with large scale Novell and NT networks, and one practice I have implemented in my career is to document all facets of the network from the devices that are installed, all the way down to detailed configurations and installation documentation. Tell you what, this has been a life saver and has allowed me to know how the traffic flows on the network from Point A to Point B and so forth. If I had a problem with a particular device, I could pull out the install document which has all the settings listed and go through and scrub it (whether it be a workstation or a server, or router/switch).

Other than being a TCP or UDP request...do you see where the TCP packet is followed by a UDP packet? Or is this where you see a TCP packet followed by a TCP Packet and so forth? Which applications are being used when this takes place?

Mark

Mark C. Greenwood, CNE
m_jgreenwood@yahoo.com

With more than 10 years experience to share.
 
Are you limiting the number of inputs that the system is sniffing on? In ethereal you can specify a single interface, or all interfaces. You may want to specify just the one interface.

Also, what NIC are you using? I get some VERY strange results when sniffing on my wireless interface in Windows. Never happens in Linux, but I always only see one side of the conversation on Windows.

pansophic
 
I am using an Intel PRO Adapter. I set Ethereal so that it captures traffic on that interface. I don't see any mixture pattern of TCP or UDP packets. Actually, I have two machines having this problem. I rebuilt one of them, and the problem on that machine went away. I don't want to rebuild the other one yet, because I really want to know what is going on with it.
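
The symptom discussed in this thread (outbound frames that are byte-for-byte identical and differ only in capture timestamp) can be measured from a saved capture file. The following is an added example, not part of any poster's message: it parses a classic libpcap file and lists frames that repeat within a short time window. The 50 ms window, the function names and the sample capture bytes are assumptions constructed for illustration.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from a classic pcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:      # same magic, file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    offset = 24                     # skip the 24-byte global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:   # truncated final record
            break
        offset += incl_len
        yield sec + usec / 1e6, frame


def find_duplicates(data, window=0.05):
    """Return (first_idx, dup_idx, delta_s) for identical frames seen within `window` seconds."""
    last_seen = {}                  # frame digest -> (index, timestamp)
    dups = []
    for idx, (ts, frame) in enumerate(read_pcap(data)):
        digest = hashlib.sha256(frame).digest()
        prev = last_seen.get(digest)
        if prev is not None and ts - prev[1] <= window:
            dups.append((prev[0], idx, round(ts - prev[1], 6)))
        last_seen[digest] = (idx, ts)
    return dups


def build_sample_pcap():
    """Constructed capture: two outbound frames each recorded twice, one inbound frame once."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    records = [(1, 0, b"outbound-frame-1"), (1, 20, b"outbound-frame-1"),
               (1, 10000, b"inbound-frame-1"),
               (1, 20000, b"outbound-frame-2"), (1, 20015, b"outbound-frame-2")]
    for sec, usec, payload in records:
        frame = payload.ljust(60, b"\x00")   # pad to minimum Ethernet frame size
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for first, dup, delta in find_duplicates(build_sample_pcap()):
        print(f"frame {dup} repeats frame {first} after {delta * 1e6:.0f} us")
```

Running the same check on a capture taken from a second machine on the wire shows whether the repeated frames exist on the network or only in the local capture.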
 