[Winpcap-users] Double packets

Thu Dec 8 13:47:48 PST 2011

I'm running Win XP 64 and I do have a VPN Client (NCP) installed (thought not on right now).

windump version 3.9.5

winpcap version 4.1.2

I'm seeing double outgoing packets like this when running windump on this machine.

048261 IP 192.168.1.103.2906 > 74.125.225.82.443: . ack 514 win 65016 <nop,nop,timestamp 273888 1857597007>
000027 IP 192.168.1.103.2906 > 74.125.225.82.443: . ack 514 win 65016 <nop,nop,timestamp 273888 1857597007>
100523 IP 192.168.1.103.2919 > 74.125.225.82.443: . ack 545 win 65069 <nop,nop,timestamp 273889 1857597112>
000018 IP 192.168.1.103.2919 > 74.125.225.82.443: . ack 545 win 65069 <nop,nop,timestamp 273889 1857597112>

Has anybody else seen something like this?  They don't appear to be actually leaving in duplicate form.  If I ping a place I'll see 2X packets go out but only 1X packets returned.  Like this:

windump -n -ttt -i 2 host 72.14.204.103
windump: listening on \Device\NPF_{8F0B5622-AE23-4219-ACBE-6DC2FC129CC2}
000000 IP 192.168.1.103 > 72.14.204.103: ICMP echo request, id 768, seq 10240, length 40
000028 IP 192.168.1.103 > 72.14.204.103: ICMP echo request, id 768, seq 10240, length 40
043099 IP 72.14.204.103 > 192.168.1.103: ICMP echo reply, id 768, seq 10240, length 40
956474 IP 192.168.1.103 > 72.14.204.103: ICMP echo request, id 768, seq 10496, length 40
000042 IP 192.168.1.103 > 72.14.204.103: ICMP echo request, id 768, seq 10496, length 40
042644 IP 72.14.204.103 > 192.168.1.103: ICMP echo reply, id 768, seq 10496, length 40
958303 IP 192.168.1.103 > 72.14.204.103: ICMP echo request, id 768, seq 10752, length 40
000030 IP 192.168.1.103 > 72.14.204.103: ICMP echo request, id 768, seq 10752, length 40
041623 IP 72.14.204.103 > 192.168.1.103: ICMP echo reply, id 768, seq 10752, length 40
960278 IP 192.168.1.103 > 72.14.204.103: ICMP echo request, id 768, seq 11008, length 40
000025 IP 192.168.1.103 > 72.14.204.103: ICMP echo request, id 768, seq 11008, length 40
042326 IP 72.14.204.103 > 192.168.1.103: ICMP echo reply, id 768, seq 11008, length 40

12 packets captured

Michael D. Black

Senior Scientist

Advanced Analytics Directorate

Advanced GEOINT Solutions Operating Unit

Northrop Grumman Information Systems
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.winpcap.org/pipermail/winpcap-users/attachments/20111208/1891ff44/attachment.html>