There's already an application out there that runs as a daemon that
keeps an eye on the ARP table of the machine it runs on. It emails the
admin on any of a set of conditions: MAC changed for an IP, MAC has
multiple IPs, IP is doing a flip-flop between two MAC addresses (which
is almost -certainly- a duplicate IP issue).
It's called 'arpwatch' -- you can look for it on freshmeat.net.
-Mat Butler
-----Original Message-----
From: ethereal-users-admin@xxxxxxxxxxxx
[mailto:ethereal-users-admin@xxxxxxxxxxxx] On Behalf Of Jeff Parker
Sent: Friday, October 19, 2001 6:58 AM
To: 'McNutt, Justin M.'; ethereal-users@xxxxxxxxxxxx
Subject: RE: [Ethereal-users] Duplicate IP Addresses!
> If it's not yours, run Ethereal, clear your ARP cache, and
> then ping the address. Before you ping, your machine will
> ARP. Check for duplicate ARP replies.
Excellent advice if you know the address that has been
compromised. The question of detecting that someone
might be using some (unknown) IP address is an interesting
one.
I would gladly put up with an application that has some
false positives when you change you NIC card if it
1) Caught all duplicates used within a configurable
window (this should allow you to reuse via DHCP)
2) Only told me once about each event
This isn't rocket science, but would make a nice application.
Perhaps one of the academics running a networking class
could use this as an assignment and post the best solution?
- jeff parker
- axiowave networks
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users