
DNA - Duplicate Frames. Why?

genesius_jarom1
Organizer

Hello,

In my trace there are many, many duplicates. According to Duplicate frame error,
DNA is either capturing from several NICs that saw the same packet, or
the driver reported the same packet twice. Besides the ManagementIP NIC,
which does not have the driver installed, there is only 1 NIC. How
do I resolve the driver reporting the same packet twice?

Thanks and God bless,

Genesius

12 REPLIES 12

ulf_thornander3
Inactive

Hi Genesius

I hadn't seen that particular page before, but it accidentally fails to mention that a bad setup of a SPAN can cause the duplicate packets to turn up.

Are you using SPAN to capture the data?

There are a couple of ways around the problem

Either you use the POWER tool and simply remove the duplicates, or you can use the capture agents and install them on the hosts you want to look at.

genesius_jarom1
Organizer

@Ulf T.

Yes. The customer has SPAN of 2 Vlans set up. Each Vlan has one of the servers in the communication I am capturing.

Unfortunately, I don't have control over the servers in this scenario, and they do not want agents installed on their servers.

PowerTools is not working. I receive the below error when I try to remove duplicates.

Thanks and God bless,

Genesius

(We've addressed the issue through JIRA and it looks like a clean reinstall fixed the power tool problem.)

ulf_thornander3
Inactive

Hi

So the source of your problem is the SPAN.

If POWER Tools is not working, there is some change going on as the packets travel through the switch even though the details are not caught by the SPAN. Most likely (and most common) is that the packets are going from one VLAN to another and that the SPAN isn't set up to include VLANs.

Either you can change the SPAN or alternatively open a ticket with a small sample of the trace as the POWER Tools "should" pick up that the packets are too near in time to really be duplicates.

genesius_jarom1
Organizer

@Ulf T.

The trace contains PII, so I cannot provide it.

Yes, there is inter-Vlan routing occurring on the switch. The Vlan tags are removed before the traffic leaves the SPAN port and is captured by the agent PC. Should I have the network engineer leave the tags on?

Thanks and God bless,

Genesius

ulf_thornander3
Inactive

Always try to have as complete a trace as possible. Else it's like trying to guess a car plate from the inside.

mike_hicks
Inactive

Hi Genesius,

As Ulf correctly states, the issue with your duplicates is almost certainly a result of the SPAN configuration. Essentially what happens when you configure a system to SPAN a VLAN is the system makes a copy of the packet every time it crosses a boundary, and assuming you have also then set the SPAN to be "both" ingress and egress this means that you are likely to get up to four copies of the same packet. Configuring the destination as trunk to retain the VLAN tags isn't going to reduce the generation of duplicate frames, and has no impact on DNA's ability as it essentially looks to see if two or more packets within a task share the same IP id, and then allows you to either remove them all or remove them individually. You can reduce the number of duplicates the SPAN creates by altering the SPAN config to not necessarily simply SPAN the VLAN but rather reduce the port count or, if you know the flows, do a combination of RX or TX only on selected paired interfaces.

Best Regards

Mike

genesius_jarom1
Organizer

Thanks @Mike H..

However, once I have PowerTools working again, will it remove those duplicates; or will it look at the MAC addresses and see the packets are not duplicates?

When PT removes duplicates, how does it decide which duplicates to remove?

Thanks and God bless,

Genesius

tomasz_szulist
Inactive

Hi Genesius,

The algorithm basically checks if two or more packets share the same IP ID.

Regards,

Tomek

ulf_thornander3
Inactive

And @Tomasz S. - I believe that algorithm then removes the last instances of the packet - right?

Genesius - what happens when you try to run the tool?

Correct. First captured packet stays intact, the rest gets removed.

mike_hicks
Inactive

Hi Genesius,

As Tomek states, the DNA duplicate packet algorithm checks to see if two or more packets share the same IP ID, essentially irrespective of the MAC address, and then gives you the option to delete all or selectively.

Best Regards

Mike
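
The IP ID comparison described in the replies above, as an added example that is not part of the thread and is not DNA's or PowerTools' own code. It shows why copies of a routed packet (rewritten MACs, decremented TTL) survive a byte-for-byte comparison but collapse when matched on IP ID, with the first captured copy kept. The record fields, the 10 ms window, the extra source/destination/protocol fields in the key, and the sample packets are all assumptions constructed for illustration.

```python
from collections import namedtuple

# Hypothetical record layout; a real capture would be parsed from pcap.
Pkt = namedtuple("Pkt", "ts smac dmac src dst proto ip_id ttl")

HOST_A, RTR_10 = "aa:aa:aa:00:00:01", "cc:cc:cc:00:00:10"
RTR_20, HOST_B = "cc:cc:cc:00:00:20", "bb:bb:bb:00:00:01"

# Constructed sample: one packet seen on VLAN 10, then twice on VLAN 20 after
# inter-VLAN routing, a second packet, and a much later reuse of the same IP ID.
SAMPLE = [
    Pkt(0.000100, HOST_A, RTR_10, "10.0.10.5", "10.0.20.9", 6, 4660, 64),
    Pkt(0.000130, RTR_20, HOST_B, "10.0.10.5", "10.0.20.9", 6, 4660, 63),
    Pkt(0.000131, RTR_20, HOST_B, "10.0.10.5", "10.0.20.9", 6, 4660, 63),
    Pkt(0.002000, HOST_A, RTR_10, "10.0.10.5", "10.0.20.9", 6, 4661, 64),
    Pkt(5.000000, HOST_A, RTR_10, "10.0.10.5", "10.0.20.9", 6, 4660, 64),
]


def dedupe(pkts, key, window=0.01):
    """Keep the first packet per key; drop later ones within `window` seconds."""
    first_seen = {}  # key -> timestamp of the copy that was kept
    kept = []
    for p in sorted(pkts, key=lambda p: p.ts):
        k = key(p)
        if k in first_seen and p.ts - first_seen[k] <= window:
            continue  # duplicate of an earlier, kept packet
        first_seen[k] = p.ts
        kept.append(p)
    return kept


def exact_key(p):
    # Everything except the timestamp: MACs and TTL must match too.
    return p[1:]


def ip_id_key(p):
    # IP ID per flow, irrespective of MAC addresses and TTL.
    return (p.src, p.dst, p.proto, p.ip_id)


if __name__ == "__main__":
    print("exact match keeps:", len(dedupe(SAMPLE, exact_key)))
    print("IP ID match keeps:", len(dedupe(SAMPLE, ip_id_key)))
```

The window keeps the packet at 5 s, which reuses IP ID 4660 but is a new packet, from being discarded as a duplicate.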