Reza... Here is an idea, but it will only dump the duplicate packet (not the original) and it is set for TCP only. No UDP equivalent that I know of.
tshark -R tcp.analysis.retransmission -w <filename> Use the capital 'R' to indicate you are using display filter syntax. The retransmissions are defined as TCP packets that contain data but use the same sequence number. There is some checking done to ensure the packets are not just out-of-order packets (which is probably not typical anyway). I think the TCP.analysis.duplicate_ack will only show you that a receiver has noticed a missing segment and is re-acking for the missing segment. A good thing to know, but it seems you are more interested in duplicate data packets (UDP-based application?)... Hope that helps... Laura [EMAIL PROTECTED] This message is intended only for the use of the addressee and may contain information that is privileged and confidential. If you are not the intended recipient, you are hereby notified that any use and/or dissemination of this communication is strictly prohibited. If you have received this communication in error, please delete all copies of the message and its attachments and notify the sender immediately. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fardid, Reza Sent: Tuesday, January 16, 2007 5:58 PM To: Community support list for Wireshark Subject: Re: [Wireshark-users] Duplicate Packet ID Hi Hans, How does it identify duplicates? Is there a UDP equivalent? Thanks, -Reza -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Hans Nilsson Sent: Monday, January 15, 2007 11:46 PM To: Community support list for Wireshark Subject: Re: [Wireshark-users] Duplicate Packet ID How about "tcp.analysis.duplicate_ack". On Mon, 15 Jan 2007 14:29:56 -0800, "Fardid, Reza" <[EMAIL PROTECTED]> said: > Hi, > > > > Is there a mechanism in T(ethereal) for identification (e.g., using > Frame Check) and filtering (capture or display) of duplicate packets? > > I realize there is a performance penalty to pay for such capture > filtering, if supported. > > > > Thanks, > > -Reza > > > > > > > -- Hans Nilsson [EMAIL PROTECTED] -- http://www.fastmail.fm - Or how I learned to stop worrying and love email again _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users