Can network sniffing in promisc mode on a network bridge produce "false" TCP retransmissions?


I have a Wireshark log from a computer that was running Ubuntu and tshark. The computer has two NICs and I've connected them to a bridge (using /etc/network/interfaces) and gave that bridge a static address. Then I ran tshark to record traffic in promisc mode on all interfaces (on the special "all device", which should be eth0, eth1 and br0 for the bridge).

Now I'm investigating the logs and I see that almost one half (or a little bit more or less) of the traffic is classified as TCP retransmission or duplicate ACKs. We had some serious network problems, but not all the time.

When I look at the retransmitted packets, they are often sent right after the "original" packet was sent (in terms of milliseconds or less). I think this is much less than the retransmission delay in the network.

I've made a hypothesis I want to confirm. Since the computer has two NICs bridged together and records in promisc mode, it processes all the packets, and every packet gets logged once when it is received on eth0 and logged a second time when it is transmitted further over eth1. That millisecond delay could be for processing or whatever on the machine.

The suspect packets are the same except for the Ethernet frame number.

What do you think about my hypothesis? How can I prove/disprove it?

Martin Pecka

Posted 2014-10-07T14:35:00.467


I agree with your hypothesis. – wurtel – 2014-10-07T14:46:14.550

@wurtel And could you please explain why I don't see each packet 3 times? Once from eth0, once from eth1 and once from br0? – Martin Pecka – 2014-10-07T14:51:21.687

No idea, although I'd suppose that setting br0 promiscuous leads to the underlying physical interfaces being set promisc. and then packets get captured from the physical interfaces. As a packet can only be captured once from a physical interface, adding br0 to the mix is redundant. I'd guess to get the same results with just br0, or eth0 together with eth1. – wurtel – 2014-10-07T14:56:36.003

No answers
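As an added example (not code from the question or its commenters), a small dependency-free Python script that tests the hypothesis on a capture: for every TCP segment that repeats an earlier (src, dst, ports, seq) tuple it checks whether the frame is byte-identical to the previous one and arrived within a few milliseconds (the second copy from the other bridge port) or instead carries different bytes, typically a new IP ID, after a real retransmission timeout. The 5 ms window and the "same bytes = bridge copy" rule are assumptions, the four-frame pcap is constructed in memory, and the reader assumes a classic little-endian pcap with Ethernet link type, not pcapng.

```python
import struct

def build_tcp_frame(ip_id, seq, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; not needed here)."""
    eth = b"\x66\x77\x88\x99\xaa\xbb" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp

def build_pcap(records):
    """records: [(timestamp_seconds, frame_bytes)] -> classic little-endian pcap, link type 1."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out

def iter_pcap(data):
    off, no = 24, 0  # skip the 24-byte global header; frame numbers start at 1 as in Wireshark
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", data, off)
        off, no = off + 16, no + 1
        yield no, sec + usec / 1e6, data[off:off + caplen]
        off += caplen

def tcp_key(frame):
    """(src, dst, sport, dport, seq) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    sport, dport, seq = struct.unpack_from("!HHI", frame, 14 + (frame[14] & 0x0F) * 4)
    return frame[26:30], frame[30:34], sport, dport, seq

def classify_duplicates(data, window=0.005):
    """Label each repeated segment: 'bridge-copy' when byte-identical to the previous
    frame with the same key and seen within `window` seconds, else 'retransmission'."""
    last, labels = {}, []
    for no, ts, frame in iter_pcap(data):
        key = tcp_key(frame)
        if key is None:
            continue
        if key in last:
            prev_ts, prev_frame = last[key]
            is_copy = frame == prev_frame and ts - prev_ts < window
            labels.append((no, "bridge-copy" if is_copy else "retransmission"))
        last[key] = (ts, frame)
    return labels

# Constructed capture: a segment, its copy from the second bridge port 0.3 ms later,
# a real retransmission 250 ms later (new IP ID), and that retransmission's bridge copy.
SAMPLE = build_pcap([(1.0, build_tcp_frame(100, 1000)), (1.0003, build_tcp_frame(100, 1000)),
                     (1.25, build_tcp_frame(101, 1000)), (1.2504, build_tcp_frame(101, 1000))])
```

On a real file call `classify_duplicates(open(path, "rb").read())`; if nearly every "retransmission" comes back as a bridge-copy, the hypothesis holds, and a second capture on eth0 alone (as wurtel suggests) should show them disappear.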