Wireshark-users: Re: [Wireshark-users] Duplicate IPs
From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Sun, 27 Jun 2010 14:24:08 +1000
If you have duplicate IPs being detected from ARP requests or responses it will because the same IP addresses is seen having two MAC addresses. Once you isolate the two MAC addresses using this IP address, you will want to look at your switch forwarding database (sometime known as MAC address table or CAM table depending on the vendor). For instance on Cisco switches "show mac-address-table" will show you what interfaces the MAC addresses appear on. While your Core switches might show a lot of this on say trunks going to your edge switches, by repeating this process on the connected edge switch you will eventually find the interfaces that directly connect to the offending devices.

Just remember that this could also be due to a misconfigured proxy ARP configuration on a router or also where redundancy say protocols such as VRRP are being used. 

Regards, Martin

MartinVisser99@xxxxxxxxx


On Fri, Jun 25, 2010 at 7:10 AM, Josue Del Valle <jodelvalle@xxxxxxxxxxxxxxx> wrote:

Hi,

 

I hope someone can help me out with this.  I am running Wireshark from two different computers and getting the same results.  Basically I am getting the following:

ARP/RARP Duplicate IP address configured (192.168.10.222)

ARP/RARP Duplicate IP address configured (192.168.10.220)

ARP/RARP Duplicate IP address configured (192.168.10.208)

 

This is an example:

154,"16:58:24.071822","Dell_55:3b:5b","Dell_42:b5:3a","ARP","Who has 192.168.10.40?  Tell 192.168.10.222 (duplicate use of 192.168.10.200 detected!)"

 

 

These addresses are statically assigned and I don’t see how they could be duplicated.  I read that this could be an ARP attack but I’m not sure what to look for.

How can I know whether it is an ARP attack and trace the computer that’s causing the problem.

 

 

 

 

Regards,

 

JD

 

Coverage cannot be assumed to be bound, altered or canceled without confirmation from an authorized representative of Braishfield Associates, Inc.


 

DISCLAIMER:

CONFIDENTIALITY NOTICE: Braishfield Associates, Inc. would like you to know that the information contained in this communication, including attachments is privileged and confidential. It is intended only for the exclusive use of the addressee. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. Insurance coverage can not be bound, amended or changed via an e-mail message without knowledge or consent from the insuring carrier. If you have received this communication in error please notify us by telephone immediately at (407) 825-9911 or e-mail disclaimer@xxxxxxxxxxxxxxx. Thank you.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe