Why are UDP messages listed twice, with only the Ethernet Source and Dest MACs swapped?

  • Question

  • I get duplicate UDP messages in both directions for every message. My client and server are both on the same 192.168.1.2 machine, so I did a “route add 192.168.1.2 192.168.1.1” to get traffic to show up in netmon 3.4.

    An example of this duplication is below. [00-24-E8-33-84-99] is my Ethernet card, but I don’t know what the flip side [A0-21-B7-97-F2-EA] is. These MACs are swapped in each duplicated pair, otherwise nothing else is different.

    What is [A0-21-B7-97-F2-EA]? And how do I configure things so the duplication stops? Is there a better way to make traffic show when on the same machine?

    -------------------------------

    Frame: Number = 645, Captured Frame Length = 57, MediaType = ETHERNET

    - Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[A0-21-B7-97-F2-EA],SourceAddress:[00-24-E8-33-84-99]

      - DestinationAddress: A021B7 97F2EA [A0-21-B7-97-F2-EA]

         Rsv: (101000..)

         UL:  (......0.) Universally Administered Address

         IG:  (.......0) Individual address (unicast)

      - SourceAddress: 0024E8 338499 [00-24-E8-33-84-99]

         Rsv: (000000..)

         UL:  (......0.) Universally Administered Address

         IG:  (.......0) Individual address (unicast)

        EthernetType: Internet IP (IPv4), 2048(0x800)

    + Ipv4: Src = 192.168.1.2, Dest = 192.168.1.2, Next Protocol = UDP, Packet ID = 16710, Total IP Length = 43

    + Udp: SrcPort = 61754, DstPort = 7000, Length = 23

    -------------------------------

    Frame: Number = 646, Captured Frame Length = 60, MediaType = ETHERNET

    - Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-24-E8-33-84-99],SourceAddress:[A0-21-B7-97-F2-EA]

      - DestinationAddress: 0024E8 338499 [00-24-E8-33-84-99]

         Rsv: (000000..)

         UL:  (......0.) Universally Administered Address

         IG:  (.......0) Individual address (unicast)

      - SourceAddress: A021B7 97F2EA [A0-21-B7-97-F2-EA]

         Rsv: (101000..)

         UL:  (......0.) Universally Administered Address

         IG:  (.......0) Individual address (unicast)

        EthernetType: Internet IP (IPv4), 2048(0x800)

        UnknownData: Binary Large Object (3 Bytes)

    + Ipv4: Src = 192.168.1.2, Dest = 192.168.1.2, Next Protocol = UDP, Packet ID = 16710, Total IP Length = 43

    + Udp: SrcPort = 61754, DstPort = 7000, Length = 23

    Wednesday, December 5, 2012 7:18 AM

All replies

  • Hi,

    I'd assume the other MAC address is for your router?  You're seeing the duplicate packet as everything is bouncing off your router, so you'll see the packet destined to your machine leaving and entering your box through the NDIS system which Network Monitor is reading from.

    You'll just have to apply a filter to reduce the noise.  For instance, filtering on your MAC address as the source address only.

    The other option is to look at our beta of Message Analyzer which uses the ETW system instead.  That way you can record data from various points on your machine like the Firewall stack which will show you loopback traffic such as this.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor

    Wednesday, December 5, 2012 10:06 PM
    Moderator
  • Another possibility is that the QOS driver can cause this duplicated traffic to happen as well.  You could test by disabling QOS and see if this resolves your issue.

    Thanks,

    Paul

    Thursday, December 6, 2012 8:32 PM
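An added example, not part of the thread and not Microsoft's code: a small Python script that finds the reflected copies described in the first reply by pairing frames that carry the same IPv4/UDP datagram with the Ethernet addresses swapped, and that applies the suggested source-MAC filter. It assumes the capture is available as text in the layout shown in the question; the function names, frame 647 and the MAC 02-00-00-00-00-01 are constructed for illustration.

```python
import re

# Summary lines of frames 645/646 are copied from the question above;
# frame 647 is constructed here as a non-duplicated control case.
CAPTURE = """\
Frame: Number = 645, Captured Frame Length = 57, MediaType = ETHERNET
- Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[A0-21-B7-97-F2-EA],SourceAddress:[00-24-E8-33-84-99]
+ Ipv4: Src = 192.168.1.2, Dest = 192.168.1.2, Next Protocol = UDP, Packet ID = 16710, Total IP Length = 43
+ Udp: SrcPort = 61754, DstPort = 7000, Length = 23
Frame: Number = 646, Captured Frame Length = 60, MediaType = ETHERNET
- Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[00-24-E8-33-84-99],SourceAddress:[A0-21-B7-97-F2-EA]
+ Ipv4: Src = 192.168.1.2, Dest = 192.168.1.2, Next Protocol = UDP, Packet ID = 16710, Total IP Length = 43
+ Udp: SrcPort = 61754, DstPort = 7000, Length = 23
Frame: Number = 647, Captured Frame Length = 57, MediaType = ETHERNET
- Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[02-00-00-00-00-01],SourceAddress:[00-24-E8-33-84-99]
+ Ipv4: Src = 192.168.1.2, Dest = 192.168.1.50, Next Protocol = UDP, Packet ID = 16711, Total IP Length = 43
+ Udp: SrcPort = 61754, DstPort = 7000, Length = 23
"""

FRAME_RE = re.compile(
    r"Frame: Number = (?P<num>\d+).*?"
    r"DestinationAddress:\[(?P<dmac>[0-9A-F-]+)\],SourceAddress:\[(?P<smac>[0-9A-F-]+)\].*?"
    r"Ipv4: Src = (?P<src>[\d.]+), Dest = (?P<dst>[\d.]+),.*?Packet ID = (?P<ipid>\d+).*?"
    r"Udp: SrcPort = (?P<sport>\d+), DstPort = (?P<dport>\d+), Length = (?P<ulen>\d+)",
    re.S,
)

def reflected_pairs(text):
    """Return (original, echo) frame numbers for datagrams captured twice
    with only the Ethernet source and destination swapped."""
    seen, pairs = {}, []
    for m in FRAME_RE.finditer(text):
        f = m.groupdict()
        # Frame length is left out of the key: the returning copy is padded
        # to the 60-byte Ethernet minimum (57 vs 60 in the question).
        ident = (f["src"], f["dst"], f["ipid"], f["sport"], f["dport"], f["ulen"])
        first = seen.pop((ident, f["dmac"], f["smac"]), None)  # same datagram, MACs swapped
        if first is not None:
            pairs.append((first, int(f["num"])))
        else:
            seen[(ident, f["smac"], f["dmac"])] = int(f["num"])
    return pairs

def sent_by(text, nic_mac):
    """Frames whose Ethernet source is the local NIC (the filter from the reply)."""
    return [int(m["num"]) for m in FRAME_RE.finditer(text) if m["smac"] == nic_mac]

if __name__ == "__main__":
    print(reflected_pairs(CAPTURE))
    print(sent_by(CAPTURE, "00-24-E8-33-84-99"))
```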