Re: Duplicate IPs

["Josue Del Valle" <jodelvalle () braishfield com>]

Hi Martin,

 

It seems like the duplicate ips messages I’m getting are due to having teamed NICs on the servers.

 

Thanks for your help.   

 

Regards,

 

Josue Del Valle <mailto:jodelvalle () braishfield com> 

 

From: Martin Visser [mailto:martinvisser99 () gmail com] 
Sent: Sunday, June 27, 2010 12:24 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Duplicate IPs

 

If you have duplicate IPs being detected from ARP requests or responses it will because the same IP addresses is seen 
having two MAC addresses. Once you isolate the two MAC addresses using this IP address, you will want to look at your 
switch forwarding database (sometime known as MAC address table or CAM table depending on the vendor). For instance on 
Cisco switches "show mac-address-table" will show you what interfaces the MAC addresses appear on. While your Core 
switches might show a lot of this on say trunks going to your edge switches, by repeating this process on the connected 
edge switch you will eventually find the interfaces that directly connect to the offending devices.

 

Just remember that this could also be due to a misconfigured proxy ARP configuration on a router or also where 
redundancy say protocols such as VRRP are being used. 


Regards, Martin

MartinVisser99 () gmail com



On Fri, Jun 25, 2010 at 7:10 AM, Josue Del Valle <jodelvalle () braishfield com> wrote:

Hi,

 

I hope someone can help me out with this.  I am running Wireshark from two different computers and getting the same 
results.  Basically I am getting the following:

ARP/RARP Duplicate IP address configured (192.168.10.222)

ARP/RARP Duplicate IP address configured (192.168.10.220)

ARP/RARP Duplicate IP address configured (192.168.10.208)

 

This is an example:

154,"16:58:24.071822","Dell_55:3b:5b","Dell_42:b5:3a","ARP","Who has 192.168.10.40?  Tell 192.168.10.222 (duplicate use 
of 192.168.10.200 detected!)"

 

 

These addresses are statically assigned and I don’t see how they could be duplicated.  I read that this could be an ARP 
attack but I’m not sure what to look for.

How can I know whether it is an ARP attack and trace the computer that’s causing the problem.

 

 

  

 

Regards,

 

JD <mailto:jodelvalle () braishfield com> 

 

Coverage cannot be assumed to be bound, altered or canceled without confirmation from an authorized representative of 
Braishfield Associates, Inc. 


 

DISCLAIMER:

CONFIDENTIALITY NOTICE: Braishfield Associates, Inc. would like you to know that the information contained in this 
communication, including attachments is privileged and confidential. It is intended only for the exclusive use of the 
addressee. If the reader of this message is not the intended recipient, or the employee or agent responsible for 
delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of 
this communication is strictly prohibited. Insurance coverage can not be bound, amended or changed via an e-mail 
message without knowledge or consent from the insuring carrier. If you have received this communication in error please 
notify us by telephone immediately at (407) 825-9911 or e-mail disclaimer () braishfield com. Thank you.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe

 





Coverage cannot be assumed to be bound, altered or canceled without confirmation from an authorized representative of 
Braishfield Associates, Inc.


DISCLAIMER:

CONFIDENTIALITY NOTICE: Braishfield Associates, Inc. would like you to know that the information contained in this 
communication, including attachments is privileged and confidential. It is intended only for the exclusive use of the 
addressee. If the reader of this message is not the intended recipient, or the employee or agent responsible for 
delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of 
this communication is strictly prohibited. Insurance coverage can not be bound, amended or changed via an e-mail 
message without knowledge or consent from the insuring carrier. If you have received this communication in error please 
notify us by telephone immediately at (407) 825-9911 or e-mail disclaimer () braishfield com. Thank you.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe