Win2k server generates duplicate IP packets

[routerman]

I'm a network engineer, from time to time I diagnose problems using a LAN analyser.

I seen several win2k servers on different customer sites generating 2 identical IP packets, even with the same IP id.
So say you trace a telnet session, to the server you see 1 packet, but the reply is 2 packets, and they contain identical data and IP id's. I've looked on MS KB, cannot see any reference to this all.

Has anyone else noticed this?

 

[haviv512]

1- Use two sniffers(network advisors, one right out of the client machine and another roght out of the server. Check if you see the phenomena. If you do not , the problem must be somewhere in the network.An equivalent experiment would be to cross connect direcly the client and the server.

2- So the problem seems to be in the network:
When the problem happens, see if it happens consistently all the time.
Assume it does: then now

You probably have a loop in your network somewhere.
If you look into the packet I am assuming you are seeing the same MAC address also !!
I would look where the MAC address are learnt by checking the ARP tables on the ports in the network.Most network managemet systems have a MAC address search utilities.

 

[routerman]

Hi, when I first saw this I was looking at a customer network which was based around Cisco Cat 6500 switches, the sniffer I was using was connect to a port that was set to mirror the server port. At the time I noted it but didnt really follow it up, thought it may have been due the way I was monitoring etc.

Anyway I'm now studying for win2k MCSE, and was looking at DNS operation, noted the same duplicate packets being output from my server. In this case the Sniffer package is running on the server, which is connected to another PC via a cross over cable. That PC also has another analyser package, I'll check it using that package.

It seems odd that no one has seen this.

 

[mojo31]

Haviv-If there was a loop I'm not sure you would see 2 packet reply's???

routerman-sounds like the servers may be in a cluster.

These must be UDP packets, because TCP packets have error check payload in the packet, where as UDP dosnt. It shouldnt happen if it is a TCP/IP packet.

 

[routerman]

What I see from the analyser is that the win2k box outputs 2 IDENTICAL packets each time it has one to send. The L4 protocol dosent matter, it still outputs 2 packets when it only needs to send 1.

When an IP stack builds frames for transmission each frame is given a number in the IP header, this is unique for each packet, unless the packet part of a fragmented packet stream. In this case the numbers are identical, I have only seen this on win2k.

I've just traced this again, its the same for the ARP, ICMP, UDP and TCP packets.

 

[wangirl]

I just experienced the same issue. I was analyzing traffic from 2 vlans. The span port on my switch was in one of the vlans that I was analyzing traffic in. Turns out this is the reason that I saw duplicate packets. One packet was the packet going from source to destination and the other was the copy of that packet being sent to the span port.

 

[routerman]

When I first saw this that was how I was monitoring the network, but in the current test enviroment I have 2 computers joined back to back over a cross over cable. The sniffer pro app is loaded onto the win2k box.

So I've just traced this again, the target PC also has a analyser running. The sniffer on the win2k box shows 2 packets sent, but the target only receives 1. Also if I run netmon on the win2k it only shows 1 packet sent and 1 received, which is what I would expect.

So I'll put this down to a duff network analyser setup or something specific to my testing.