Re: Duplicate IPs

[Martin Visser <martinvisser99 () gmail com>]

If you have duplicate IPs being detected from ARP requests or responses it
will because the same IP addresses is seen having two MAC addresses. Once
you isolate the two MAC addresses using this IP address, you will want to
look at your switch forwarding database (sometime known as MAC address table
or CAM table depending on the vendor). For instance on Cisco switches "show
mac-address-table" will show you what interfaces the MAC addresses appear
on. While your Core switches might show a lot of this on say trunks going to
your edge switches, by repeating this process on the connected edge switch
you will eventually find the interfaces that directly connect to the
offending devices.

Just remember that this could also be due to a misconfigured proxy ARP
configuration on a router or also where redundancy say protocols such as
VRRP are being used.

Regards, Martin

MartinVisser99 () gmail com


On Fri, Jun 25, 2010 at 7:10 AM, Josue Del Valle <jodelvalle () braishfield com
> wrote:

>  Hi,
>
>
>
> I hope someone can help me out with this.  I am running Wireshark from two
> different computers and getting the same results.  Basically I am getting
> the following:
>
> ARP/RARP Duplicate IP address configured (192.168.10.222)
>
> ARP/RARP Duplicate IP address configured (192.168.10.220)
>
> ARP/RARP Duplicate IP address configured (192.168.10.208)
>
>
>
> This is an example:
>
> 154,"16:58:24.071822","Dell_55:3b:5b","Dell_42:b5:3a","ARP","Who has
> 192.168.10.40?  Tell 192.168.10.222 (duplicate use of 192.168.10.200
> detected!)"
>
>
>
>
>
> These addresses are statically assigned and I don’t see how they could be
> duplicated.  I read that this could be an ARP attack but I’m not sure what
> to look for.
>
> How can I know whether it is an ARP attack and trace the computer that’s
> causing the problem.
>
>
>
>
>
>
>
>
>
> Regards,
>
>
>
> JD <jodelvalle () braishfield com>
>
> **
>
> *Coverage cannot be assumed to be bound, altered or canceled without
> confirmation from an authorized representative of Braishfield Associates,
> Inc. *
>
> *
>  *
>
> *DISCLAIMER:*
>
> CONFIDENTIALITY NOTICE: Braishfield Associates, Inc. would like you to know
> that the information contained in this communication, including attachments
> is privileged and confidential. It is intended only for the exclusive use of
> the addressee. If the reader of this message is not the intended recipient,
> or the employee or agent responsible for delivering it to the intended
> recipient, you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. Insurance coverage can
> not be bound, amended or changed via an e-mail message without knowledge or
> consent from the insuring carrier. If you have received this communication
> in error please notify us by telephone immediately at (407) 825-9911 or
> e-mail disclaimer () braishfield com. Thank you.
>  <#1296bcfc3109b0d9_>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe