How to remove duplicate packets from saved captures
Duplicate packets are packets that are captured twice or more by Observer. Typically, duplicates are a result of how data is sent to Observer.
For a switch, the use of a SPAN/mirror port and/or trunk is required to capture data. Knowing this, the following scenarios may produce duplicate packets—which are then seen by Observer:
If a SPAN/mirror port is configured to send both ingress (in) and egress (out) data from multiple ports, any communication between any two ports being monitored results in a duplicate packet.
If a trunk is monitoring multiple VLANS, data flowing between VLANS is seen as duplicate packets.
If Observer is monitoring data both pre- and post-route, a single packet is seen once at the pre-route location and again post-route; Observer treats the post-route copy as a duplicate packet.
While this is harmless as it pertains to your network working correctly, Observer identifies these as duplicate packets. There are two ways of dealing with this situation:
Configure the SPAN/mirror port or trunk to show only ingress or egress traffic, but not both.
Use Observer to remove duplicate packets from an existing capture file.
Observer includes a feature that removes the "noise" caused by duplicate packets without affecting the underlying packet capture data. This feature is a special version of the standard capture buffer file loader. To remove duplicate packets (i.e., skip them) while loading a capture buffer file, complete the following steps:
2. Type, or navigate to, the capture file you want to load.
3. Select your criteria for how duplicate packets are handled.
Skip duplicate packets only when packet time difference is less than
During evaluation, packets are only compared against packets that arrived at nearly the same time, specifically within a time difference of less than N milliseconds. Setting this can help avoid some false-positive results, but you may need to experiment with the value.
Data link layer
If selected, layer 2 of the OSI Model is ignored when determining duplicate packets. For example, MAC addresses would not be examined when determining if a packet is a duplicate. They are ignored, but the rest of the packet is not.
IP time to live (TTL)
If selected, the time to live (TTL) value in packets is not examined when determining if a packet is a duplicate. This is useful to select when the same packet makes multiple hops through routers.
IPv4 type of service or IPv6 traffic class
If selected, type of service (ToS) and traffic class (for IPv6) would not be examined when determining if a packet is a duplicate. The option is most useful when network hardware or software is changing these quality of service fields.
TCP sequence and acknowledgement numbers, and TCP options
If selected, TCP sequence and acknowledgement numbers, and also TCP options, are not examined when determining if a packet is a duplicate. Overall, this ignores the ordering of the packets and the values of optional packet fields.
4. Click OK.
The capture file loads into Observer and you arrive at the Decode and Analysis tool.
5. If duplicate packets are still visible, repeat the process and select different duplicate packet handling criteria.
Duplicate packets should now be skipped/ignored in your capture file. No permanent changes are made to your loaded capture file.
If you want to make your changes permanent, save your results as a new capture file.
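The following is an added example, not part of the Observer documentation or the product's own loader code, showing how the duplicate-handling criteria above can be implemented over raw frames: each checkbox maps to a field that is masked before two packets are compared, and the time-difference setting bounds how far apart two packets may be to count as duplicates. The sample capture is constructed (locally administered MACs, private IPs) and models the pre-/post-route scenario: the second copy of the packet has new MAC addresses, a decremented TTL and, because the router recomputes it, a different IP header checksum. The mapping of checkboxes to masked bytes, and the decision to mask the checksum together with the TTL/ToS fields, are assumptions of this example.

```python
import struct
from collections import deque

# Constructed sample addresses (locally administered MACs, private IPs); not real hosts.
MAC_A = bytes.fromhex("020000000001")   # sending host
MAC_R1 = bytes.fromhex("02000000000a")  # router interface facing the sender
MAC_R2 = bytes.fromhex("02000000000b")  # router interface facing the receiver
MAC_B = bytes.fromhex("020000000002")   # receiving host
ETH_LEN = 14


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header (checksum field zeroed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_mac, dst_mac, ttl, tos, seq, ack, payload, tcp_options=b""):
    """Assemble a constructed Ethernet/IPv4/TCP frame with a valid IP header checksum."""
    tcp_len = 20 + len(tcp_options)
    assert tcp_len % 4 == 0, "TCP options must be padded to a 4-byte boundary"
    eth = dst_mac + src_mac + b"\x08\x00"
    ip_fields = [0x45, tos, 20 + tcp_len + len(payload), 0x1234, 0x4000, ttl, 6, 0,
                 bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])]
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    ip_fields[7] = ip_checksum(ip)          # fill in the real checksum
    ip = struct.pack("!BBHHHBBH4s4s", *ip_fields)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, ack, (tcp_len // 4) << 4,
                      0x18, 65535, 0, 0) + tcp_options
    return eth + ip + tcp + payload


def comparison_key(frame, ignore_l2=False, ignore_ttl=False, ignore_tos=False, ignore_tcp=False):
    """Return the bytes actually compared: the frame with the ignored fields masked.
    Each flag mirrors one checkbox of the loader dialog (assumed mapping)."""
    f = bytearray(frame)
    ip = ETH_LEN
    ihl = (f[ip] & 0x0F) * 4
    tcp = ip + ihl
    if ignore_ttl:
        f[ip + 8] = 0
    if ignore_tos:
        f[ip + 1] = 0
    if ignore_ttl or ignore_tos:
        # A router that rewrites TTL/ToS also recomputes the IP header checksum,
        # so the checksum must be masked along with the field or nothing ever matches.
        f[ip + 10:ip + 12] = b"\x00\x00"
    if ignore_tcp and f[ip + 9] == 6:
        data_off = (f[tcp + 12] >> 4) * 4
        f[tcp + 4:tcp + 12] = b"\x00" * 8                      # sequence and ack numbers
        f[tcp + 16:tcp + 18] = b"\x00\x00"                      # TCP checksum covers them
        f[tcp + 20:tcp + data_off] = b"\x00" * (data_off - 20)  # option bytes
    if ignore_l2:
        del f[:ETH_LEN]                                         # drop the Ethernet header
    return bytes(f)


def dedupe(capture, window_ms, **ignore):
    """capture is a list of (timestamp_ms, frame). A frame is skipped when an equal
    comparison key was kept less than window_ms earlier; returns the kept frames."""
    recent = deque()   # (timestamp_ms, key) of kept frames still inside the window
    kept = []
    for ts, frame in capture:
        key = comparison_key(frame, **ignore)
        while recent and ts - recent[0][0] >= window_ms:
            recent.popleft()
        if any(k == key for _, k in recent):
            continue   # duplicate within the time window: skip it
        recent.append((ts, key))
        kept.append((ts, frame))
    return kept


def sample_capture():
    """Constructed capture: a request seen pre-route, the same request post-route
    (new MACs, TTL decremented, checksum recomputed), an unrelated ACK, and a
    retransmission of the request 5 s later that must not be treated as a duplicate."""
    req = b"GET / HTTP/1.1\r\n"
    mss = b"\x02\x04\x05\xb4"   # MSS option, 4 bytes, already aligned
    pre = build_packet(MAC_A, MAC_R1, 64, 0, 1000, 1, req, mss)
    post = build_packet(MAC_R2, MAC_B, 63, 0, 1000, 1, req, mss)
    ack = build_packet(MAC_A, MAC_R1, 64, 0, 1016, 1, b"")
    retrans = build_packet(MAC_A, MAC_R1, 64, 0, 1000, 1, req, mss)
    return [(0, pre), (2, post), (10, ack), (5000, retrans)]


if __name__ == "__main__":
    cap = sample_capture()
    for flags in ({}, {"ignore_l2": True}, {"ignore_l2": True, "ignore_ttl": True}):
        print(flags, "->", len(dedupe(cap, 50, **flags)), "of", len(cap), "frames kept")
```

With no criteria selected the post-route copy survives, because its MAC addresses, TTL and checksum differ; selecting only the data link layer is still not enough, since the TTL (and therefore the checksum) still differs. Selecting both data link layer and TTL removes it, while the retransmission 5 s later is kept as long as the time window is shorter than that gap, which is the false-positive risk the time-difference setting is meant to limit.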