This is normal behaviour for managed wireless networks, where the frame is encapsulated in 802.11 both to and from the WAP. If this is a copper or fiber net, are you certain you aren't seeing the effects of a funny bridge/VLAN/routing environment? Are the multiples being reported with identical timestamps? How about src MAC addresses?
g On Tue, 23 Dec 2003 09:43:56 -0600 "Kraus, Jeffery" <[EMAIL PROTECTED]> wrote: > The machine is Redhat 9, and it is just receiving frames from the network. > It does not have an IP address bound to the adaptor so it should not be > generating any frames itself. > > Here is the Kernal details: > uname -a > Linux usc-schaum-sniff 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 > i386 GNU/Linux > > Jeffery Kraus > Data Services Engineer > 773.216.3179 (cell) > 224.653.3720 (office) > 224.653.3766 (fax) > > > -----Original Message----- > From: Guy Harris [mailto:[EMAIL PROTECTED] > Sent: Friday, December 19, 2003 6:06 PM > To: Kraus, Jeffery > Cc: '[EMAIL PROTECTED]' > Subject: Re: [tcpdump-workers] Observing duplicate frame captures in > TCPDUMP > > > > On Dec 19, 2003, at 2:41 PM, Kraus, Jeffery wrote: > > > Whenever I run captures I always get every packet displayed twice. I > > have > > seen numerous emails regarding this issue, but no real fix. I am > > currently > > using eth4 as the capture interface and I do not have an IP address > > bound to > > it. > > On what OS are you running this? > > Is the machine running tcpdump sending or receiving those packets, or > is it just passively capturing other machines' traffic on a network? > - > This is the TCPDUMP workers list. It is archived at > http://www.tcpdump.org/lists/workers/index.html > To unsubscribe use mailto:[EMAIL PROTECTED] -- George Bakos Institute for Security Technology Studies - IRIA Dartmouth College [EMAIL PROTECTED] 603.646.0665 -voice 603.646.0666 -fax - This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
