Wireshark mailing list archives

Re: Duplicate use of IP detected

From: Ian Schorr <ian.schorr () gmail com>
Date: Sun, 6 Jun 2010 23:22:52 +1000

If you can see two MAC addresses claiming to be the same IP address
(and therefore dupe IP situation), you can follow the CAM/MAC tables
in your switch to specifically locate the ports the two systems are
connected to.

If you suspect a duplicate IP address situation, filter on
"ip.addr==<IP address>".  See if it's immediately obvious that there
are two systems sharing the same IP.  If not, filter one out by adding
" && !eth.addr==<mac address of the system that you can see in the
trace".  You may want to add an "&& arp" as well.  If there's truly
another MAC claiming to be that IP address, you should see it here,
and be able to track down the ports of the two MACs.

If the MAC addresses are very similar (i.e. first 5 bytes are the
same, or otherwise differ by a value of 1 or so) then there's a good
chance that you're dealing with a teaming NIC.

-Ian

On Sun, Jun 6, 2010 at 1:48 AM, Jaap Keuter <jaap.keuter () xs4all nl> wrote:

Hi,

Teamed network interfaces, maybe?

Thanks,
Jaap

On Sat, 5 Jun 2010 10:13:40 -0400, Soju Master <sojumaster () gmail com> wrote:

I was running a scan and started to notice these summaries:

AsustekC_ad:e3:e7     Dell_80:75:35     ARP     10.0.1.35 is at
00:1a:92:ad:e3:e7 (duplicate use of 10.0.1.180 detected!)
Dell_9d:29:af     Dell_80:72:79      ARP      10.0.1.230 is at
00:23:ae:9d:29:af (duplicate use of 10.0.1.181 detected!)

I have done the obligatory research to see if there is a duplicate IP on the
network and could not find any.

Anyone know what this message means?

Thanks



___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

Duplicate use of IP detected Soju Master (Jun 05)
- Re: Duplicate use of IP detected Jaap Keuter (Jun 05)
  - Re: Duplicate use of IP detected Martin Visser (Jun 05)
  - Re: Duplicate use of IP detected Ian Schorr (Jun 06)
    - Re: Duplicate use of IP detected Soju Master (Jun 06)
    - Re: Duplicate use of IP detected Martin Visser (Jun 06)
    - Re: Duplicate use of IP detected Soju Master (Jun 07)