Wireshark mailing list archives
Re: Duplicate IPs
From: "Josue Del Valle" <jodelvalle () braishfield com>
Date: Mon, 28 Jun 2010 08:56:22 -0400
Hi Martin,

It seems like the duplicate IP messages I’m getting are due to having teamed NICs on the servers. Thanks for your help.

Regards,
Josue Del Valle <mailto:jodelvalle () braishfield com>

From: Martin Visser [mailto:martinvisser99 () gmail com]
Sent: Sunday, June 27, 2010 12:24 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Duplicate IPs

If you have duplicate IPs being detected from ARP requests or responses, it will be because the same IP address is seen having two MAC addresses. Once you isolate the two MAC addresses using this IP address, you will want to look at your switch forwarding database (sometimes known as the MAC address table or CAM table, depending on the vendor). For instance, on Cisco switches "show mac-address-table" will show you what interfaces the MAC addresses appear on. While your core switches might show a lot of this on, say, trunks going to your edge switches, by repeating this process on the connected edge switch you will eventually find the interfaces that directly connect to the offending devices.

Just remember that this could also be due to a misconfigured proxy ARP configuration on a router, or also where redundancy protocols such as VRRP are being used.

Regards, Martin
MartinVisser99 () gmail com

On Fri, Jun 25, 2010 at 7:10 AM, Josue Del Valle <jodelvalle () braishfield com> wrote:

Hi,

I hope someone can help me out with this. I am running Wireshark from two different computers and getting the same results. Basically I am getting the following:

ARP/RARP Duplicate IP address configured (192.168.10.222)
ARP/RARP Duplicate IP address configured (192.168.10.220)
ARP/RARP Duplicate IP address configured (192.168.10.208)

This is an example:

154,"16:58:24.071822","Dell_55:3b:5b","Dell_42:b5:3a","ARP","Who has 192.168.10.40? Tell 192.168.10.222 (duplicate use of 192.168.10.200 detected!)"

These addresses are statically assigned and I don’t see how they could be duplicated.

I read that this could be an ARP attack but I’m not sure what to look for. How can I know whether it is an ARP attack and trace the computer that’s causing the problem?

Regards, JD <mailto:jodelvalle () braishfield com>

Coverage cannot be assumed to be bound, altered or canceled without confirmation from an authorized representative of Braishfield Associates, Inc.

DISCLAIMER: CONFIDENTIALITY NOTICE: Braishfield Associates, Inc. would like you to know that the information contained in this communication, including attachments is privileged and confidential. It is intended only for the exclusive use of the addressee. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. Insurance coverage can not be bound, amended or changed via an e-mail message without knowledge or consent from the insuring carrier. If you have received this communication in error please notify us by telephone immediately at (407) 825-9911 or e-mail disclaimer () braishfield com. Thank you.

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
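The first triage step from the thread (find which MAC addresses are claiming the same IP) can be scripted over a Wireshark CSV export. This is an added example, not part of the original messages: the column layout follows the CSV line quoted above, the sample rows are constructed, and it assumes the Source column (the Ethernet source) identifies the claiming adapter.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample rows in the column layout of the CSV line quoted in the
# thread (No., Time, Source, Destination, Protocol, Info). Not real capture data.
SAMPLE_CSV = '''\
1,"16:58:20.000100","Dell_55:3b:5b","Broadcast","ARP","Who has 192.168.10.40? Tell 192.168.10.222"
2,"16:58:21.000200","Dell_42:b5:3a","Broadcast","ARP","Who has 192.168.10.1? Tell 192.168.10.222"
3,"16:58:22.000300","Dell_aa:bb:cc","Dell_55:3b:5b","ARP","192.168.10.40 is at 00:11:22:aa:bb:cc"
4,"16:58:23.000400","00:00:5e:00:01:0a","Broadcast","ARP","Who has 192.168.10.9? Tell 192.168.10.1"
5,"16:58:24.000500","Cisco_01:02:03","Broadcast","ARP","Who has 192.168.10.9? Tell 192.168.10.1"
6,"16:58:25.000600","Dell_55:3b:5b","Broadcast","ICMP","Echo (ping) request"
'''

# The sender's own IP is the "Tell" address in a request and the leading
# address in a reply; any "(duplicate use of ...)" suffix is ignored.
REQUEST = re.compile(r"Who has \S+\? +Tell (\d+\.\d+\.\d+\.\d+)")
REPLY = re.compile(r"^(\d+\.\d+\.\d+\.\d+) is at ")

def sender_claims(csv_text):
    """Map each sender IP to the set of source adapters that claimed it."""
    claims = defaultdict(set)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 6 or row[4] != "ARP":
            continue  # skip non-ARP rows and malformed lines
        match = REQUEST.search(row[5]) or REPLY.search(row[5])
        if match:
            claims[match.group(1)].add(row[2])
    return claims

def is_vrrp(mac):
    """VRRP IPv4 virtual MACs use the 00:00:5e:00:01:xx block."""
    return mac.lower().startswith(("00:00:5e:00:01:", "ietf-vrrp-vrid"))

def duplicate_ips(csv_text):
    """Return IPs claimed by more than one adapter, noting a VRRP claimant."""
    report = {}
    for ip, macs in sender_claims(csv_text).items():
        if len(macs) > 1:
            report[ip] = {"macs": sorted(macs),
                          "vrrp": any(is_vrrp(m) for m in macs)}
    return report

if __name__ == "__main__":
    for ip, info in sorted(duplicate_ips(SAMPLE_CSV).items()):
        print(ip, info["macs"], "VRRP involved" if info["vrrp"] else "")
```

Each MAC listed for a flagged IP is what you would then look up in the switch MAC address table; a VRRP virtual MAC or two adapters on the same teamed server point to the benign causes mentioned in the thread.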
Current thread:
- Duplicate IPs Josue Del Valle (Jun 24)
- Re: Duplicate IPs Martin Visser (Jun 26)
- Re: Duplicate IPs Josue Del Valle (Jun 28)