Duplicate Packet Filtering

Let's take a quick moment to work through the steps of cleaning out a trace file that contains duplicate packets. This screenshot is of a capture with a duplicate of every frame in the trace. A couple of things can cause this; switch VLAN SPANs are a common cause. Another possibility is tapping in multiple locations within a stream.

What's Happening Here

In the example above, you can see that Wireshark is interpreting each duplicate packet as either [TCP Out-of-Order], [TCP Dup ACK], or [TCP Retransmission]. This is standard behavior and really is just a very literal interpretation of what's happening in the trace. Let's walk through the trace to explain this more:

(Frame No. 1) The first SYN comes from the source to the destination.
(Frame No. 2) This frame is a duplicate. Wireshark expects the next frame from this host to have a sequence number greater than 0. Since the switch sent the same frame immediately, the second frame still has a Seq number of 0, so Wireshark labels it as Out-of-Order.
(Frame No. 3) This is the SYN/ACK from the destination.
(Frame No. 4) This frame is a duplicate of frame 3. Again, Wireshark expects the frame after frame 3 coming from this destination to have an incremented sequence number. Since it doesn't, it is labeled as out of order.

This process continues throughout the trace, with the frames being labeled as either [TCP Dup ACK] or [TCP Retransmission].

How Can I Fix It?!

There are a couple of options for editing your trace file after it's been collected.

Wireshark Display Filter

The first option is to create a Wireshark display filter that will filter out frames that match the Out-of-Order, Dup ACK, and Retransmission criteria. This option will filter out all traffic that has these flags set. Use this…

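The excerpt above stops before the filter itself, so here is an added example (not from the original post) that takes the other route to cleaning a SPAN-duplicated trace: instead of hiding the duplicates with a display filter on the tcp.analysis flags, which also hides any genuine retransmissions, it rewrites the pcap and drops byte-identical duplicate frames within a small window, the same idea editcap -d uses. The pcap reader, writer and sample capture are all constructed inline, so it runs offline on nothing but Python 3's standard library.

```python
import struct

# libpcap file layout, little-endian with microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC = 0xA1B2C3D4

def build_pcap(frames):
    """Serialise raw frame byte strings into a pcap image (used to construct the sample input)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += RECORD_HDR.pack(1700000000, i * 10, len(frame), len(frame))  # constructed timestamps
        out += frame
    return bytes(out)

def iter_records(data):
    """Yield (record_header, frame_bytes) for every record in a little-endian pcap image."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled in this example")
    off = GLOBAL_HDR.size
    while off + RECORD_HDR.size <= len(data):
        hdr = data[off:off + RECORD_HDR.size]
        incl_len = RECORD_HDR.unpack(hdr)[2]
        off += RECORD_HDR.size
        yield hdr, data[off:off + incl_len]
        off += incl_len

def dedupe_pcap(data, window=5):
    """Return (cleaned_pcap, kept, dropped). A frame is dropped only when its bytes exactly match one
    of the previous `window` kept frames (as editcap -d does); anything differing in a byte is kept."""
    out = bytearray(data[:GLOBAL_HDR.size])
    recent = []           # the last `window` kept frames, oldest first
    kept = dropped = 0
    for hdr, frame in iter_records(data):
        if frame in recent:
            dropped += 1
            continue
        recent.append(frame)
        del recent[:-window]  # keep only the newest `window` entries
        out += hdr + frame
        kept += 1
    return bytes(out), kept, dropped

# Constructed sample: a SPAN-style capture in which every frame was mirrored twice. The frame bodies
# are placeholders rather than real Ethernet/TCP headers; only byte-for-byte equality matters here.
SYN = b"\xaa" * 12 + b"\x08\x00" + b"SYN seq=0"
SYN_ACK = b"\xbb" * 12 + b"\x08\x00" + b"SYN/ACK seq=0 ack=1"
ACK = b"\xaa" * 12 + b"\x08\x00" + b"ACK seq=1 ack=1"
SAMPLE_PCAP = build_pcap([SYN, SYN, SYN_ACK, SYN_ACK, ACK, ACK])
CLEANED_PCAP, KEPT, DROPPED = dedupe_pcap(SAMPLE_PCAP)  # 3 kept, 3 dropped
```

Writing CLEANED_PCAP to a file gives a trace Wireshark opens without the spurious Out-of-Order, Dup ACK and Retransmission labels, while a real retransmission that differs in even one byte survives.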

Automate It – Gigamon Backups

In this post we'll look at automation and management of Gigamon backup files using Python. We're going to whip up two separate scripts using Python to pass a couple of commands to each of the H-series and 2404 models of Gigamon appliances in your network. These scripts will log into each of the appliances and tell them to upload their config to an SCP server.

What will you need?

First, you're going to need a Linux box running Python 2.7. This particular script makes use of pexpect, which will need to be run from within a Bash prompt. You will also need an SCP server to collect the configs. Finally, you will need to provide two files containing lists of hostnames of the devices you would like to back up. These files should be named gmnlist_h_series.txt and gmnlist_2404.txt.

H-Series Script

#!/usr/bin/env python
import pexpect
import fileinput
import time
import argparse

# assign arguments
parser = argparse.ArgumentParser(description="This script runs the backup operation for Gigamons. It requires a file called gmnlist_h_series.txt\nto be in the directory from which it's run.")
parser.add_argument('-u', help='SCP Username')
parser.add_argument('-s', help='SCP Server')
parser.add_argument('-p', help='SCP Password')
args = parser.parse_args()

# assign variables to arguments
scp_server = args.s
scp_username = args.u
scp_password = args.p

# main function to back up the config file for one H-series appliance
def run_h(line):
    try:
        child = pexpect.spawn('ssh %s' % line)
        child.expect('Password:')
        # the script reuses the SCP password as the appliance login password
        child.sendline('%s\r\n' % scp_password)
        child.expect(r'\w+ >')
        child.sendline('en\r\n')
        child.expect(r'\w+ #')
        child.sendline('config t\r\n')
        child.expect(r'\w+ #')
        # the SCP password is embedded in the upload URL, so it is visible in the appliance CLI session
        child.sendline('config upload active scp://%s:%s@%s/home/%s/%s.cfg\r\n' % (scp_username, scp_password, scp_server, scp_username, line))
        child.expect(r'\w+ #')
        child.sendline('quit')
        print line, 'successful'
    except Exception:
        print line, 'failed'

# read the file gmnlist_h_series.txt, one hostname per line
for line in fileinput.input(['gmnlist_h_series.txt']):
    line = line.rstrip('\n')
    run_h(line)

2404 Script

#!/usr/bin/env python
import pexpect
import fileinput
import time
import argparse

# assign arguments
parser = argparse.ArgumentParser(description='This script runs the backup…
