Re: Duplicate use of IP detected

[Soju Master <sojumaster () gmail com>]

Thank you very much for all your help.  I can to work this morning and after
further tracking down the problem, found out the new servers are using load
balancing.  (Of course, the other division in charge in installing the
servers failed to notify us in the networking division of this little fact.
lol)

Stephen

On Sun, Jun 6, 2010 at 4:36 PM, Martin Visser <martinvisser99 () gmail com>wrote:

> Just remember there are a number of situations where multiple devices using
> (or reusing) the same IP address is normal (some of which are outlined in
> this thread). Unfortunately Wireshark stops it's analysis at OSI layer 7. It
> can't see Layer 8 and above (human ingenuity, operational changes, system
> restarts,  change in policy, and so on) so it is up to you to use the tool
> to work out whether it is being applied correctly.
>
> In a very long capture if an IP address moves from one MAC to another MAC
> and then sends 200 packets. You could argue that either there is one
> duplicate use, and then the IP address has moved to the new IP address, or
> 200 duplicates of the old IP address.
> There may be some rationalisation along this lines when you reopened the
> capture.
>
> Regards, Martin
>
> MartinVisser99 () gmail com
>
>
>   On Mon, Jun 7, 2010 at 2:55 AM, Soju Master <sojumaster () gmail com>wrote:
>
> > I do have a few systems in my network that have teaming NICs, I will have
> > to check it when I get to work tomorrow.
> >
> > I am suspecting that it might be teaming NIC's based on the very simular
> > NIC addys:
> >
> > Duplicate IP address detected for 10.0.1.181 (00:22:19:80:72:79) - also in
> > use by 00:22:19:80:72:7b (frame 4515)
> > Duplicate IP address detected for 10.0.1.180 (00:22:19:80:75:35) - also in
> > use by 00:22:19:80:75:37 (frame 4566)
> >
> > Another thing that I did notice though, when I first ran the scan at work,
> > I had about 200 or so frames, in the live scan, complaining about the
> > duplicate use of an IP.
> > When I saved the scan and looked at it at home, only two frames had the
> > error message.  Is this normal for Wireshark?
> >
> > Thanks
> >
> >
> >
> > On Sun, Jun 6, 2010 at 9:22 AM, Ian Schorr <ian.schorr () gmail com> wrote:
> >
> > > If you can see two MAC addresses claiming to be the same IP address
> > > (and therefore dupe IP situation), you can follow the CAM/MAC tables
> > > in your switch to specifically locate the ports the two systems are
> > > connected to.
> > >
> > > If you suspect a duplicate IP address situation, filter on
> > > "ip.addr==<IP address>".  See if it's immediately obvious that there
> > > are two systems sharing the same IP.  If not, filter one out by adding
> > > " && !eth.addr==<mac address of the system that you can see in the
> > > trace".  You may want to add an "&& arp" as well.  If there's truly
> > > another MAC claiming to be that IP address, you should see it here,
> > > and be able to track down the ports of the two MACs.
> > >
> > > If the MAC addresses are very similar (i.e. first 5 bytes are the
> > > same, or otherwise differ by a value of 1 or so) then there's a good
> > > chance that you're dealing with a teaming NIC.
> > >
> > > -Ian
> > >
> > > On Sun, Jun 6, 2010 at 1:48 AM, Jaap Keuter <jaap.keuter () xs4all nl>
> > > wrote:
> > >  > Hi,
> > > > Teamed network interfaces, maybe?
> > > >
> > > > Thanks,
> > > > Jaap
> > > >
> > > > On Sat, 5 Jun 2010 10:13:40 -0400, Soju Master <sojumaster () gmail com>
> > > wrote:
> > > > I was running a scan and started to notice these summaries:
> > > >
> > > > AsustekC_ad:e3:e7     Dell_80:75:35     ARP     10.0.1.35 is at
> > > > 00:1a:92:ad:e3:e7 (duplicate use of 10.0.1.180 detected!)
> > > > Dell_9d:29:af     Dell_80:72:79      ARP      10.0.1.230 is at
> > > > 00:23:ae:9d:29:af (duplicate use of 10.0.1.181 detected!)
> > > >
> > > > I have done the obligatory research to see if there is a duplicate IP
> > > on the
> > > > network and could not find any.
> > > >
> > > > Anyone know what this message means?
> > > >
> > > > Thanks
> > >  >
> > > ___________________________________________________________________________
> > > > Sent via:    Wireshark-users mailing list <
> > > wireshark-users () wireshark org>
> > > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > > >             mailto:wireshark-users-request () wireshark org
> > > ?subject=unsubscribe
> > > >
> > >
> > > ___________________________________________________________________________
> > > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> > > >
> > > Archives:    http://www.wireshark.org/lists/wireshark-users
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> > >             mailto:wireshark-users-request () wireshark org
> > > ?subject=unsubscribe
> >
> >
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> > ?subject=unsubscribe
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe