We’re troubleshooting some client performance/stability issues and I have been looking at a lot of ZCC packet captures recently. I’ve noticed that every sent/outbound TCP packet is duplicated in the PCAP (within milliseconds of the original send, so I doubt these are retries).
Is this a known issue? Can it be corrected? It’s a real hassle to grab a PCAP and then have it full of meaningless red. It’s even worse if you show it to another vendor who uses it as an easy excuse to point the finger at Zscaler.
The duplicate packets aren’t “real” in the sense that they are seen on the wire. It’s how some of the internals of Client Connector works.
You should be able to filter these packets out by using a display filter of ip.checksum > 0x0006. Then you can File > Export Specified Packets > Displayed and save as a new pcap. Open that pcap for a cleaner view.
Thank you, great hint. I found that had to use ip.checksum != 0x0001 instead of ip.checksum > 0x0006 (that wiped out the incoming packets), but I’ve got a much cleaner file now.
