Duplicate Packet Filtering
Let’s take a quick moment to work through the steps of cleaning out a trace file that contains duplicate packets. This screenshot is of a capture with a duplicate of every frame in the trace. A couple things can cause this – switch VLAN SPANs are a common cause. Another possibility is tapping in multiple locations within a stream.
What’s Happening Here
In the example above, you can see that Wireshark is interpreting each duplicate packet as either [TCP Out-of-Order], [TCP Dup Ack], or [TCP Retransmission]. This is standard behavior and really is just a very literal interpretation of what’s happening in the trace.
Let’s walk through the trace to explain this more:
- (Frame No. 1) First SYN comes from the source to destination.
- (Frame No. 2) This frame is a duplicate. Wireshark expects the next frame from this host to have an increased sequence number from 0. Since the switch sent the same frame immediately, the second frame still has a Seq number of 0, Wireshark labels it as Out-of-Order.
- (Frame No. 3) This is the SYN/ACK from the destination.
- (Frame No. 4) This frame is a duplicate of frame 3. Again, Wireshark expects the frame after frame three coming from this destination to have an incremented sequence number. Since it doesn’t, it is labeled as out of order.
This process continues on throughout the trace with the frames being labeled as either [TCP Dup ACK] or [TCP Retransmission].
How Can I Fix It?!
There are a couple options for editing your trace file after it’s been collected.
Wireshark Display Filter
The first option is to create a Wireshark display filter that will filter out frames that match the Out-of-order, Dup ACK, and Retransmission criteria. This option will filter out all traffic that has these flags set. Use this only when you are not trying to troubleshoot retransmission issues!
!expert.message == "Retransmission (suspected)" && !expert.message == "Duplicate ACK (#1)" && !expert.message == "Out-Of-Order segment"
The next (really best) option is to run your trace file through editcap.exe. Editcap is bundled with Wireshark and is executed from the same folder location. Editcap is a wildly useful tool for many things other than just deduplication. Take a moment to read through the documentation to get a better feel for it.
editcap.exe -d source_file_name.pcap destination_file_name.pcap