Wireshark mailing list archives
Re: Duplicate use of IP detected
From: Soju Master <sojumaster () gmail com>
Date: Sun, 6 Jun 2010 12:55:06 -0400
I do have a few systems in my network that have teaming NICs, I will have to check it when I get to work tomorrow. I am suspecting that it might be teaming NIC's based on the very simular NIC addys: Duplicate IP address detected for 10.0.1.181 (00:22:19:80:72:79) - also in use by 00:22:19:80:72:7b (frame 4515) Duplicate IP address detected for 10.0.1.180 (00:22:19:80:75:35) - also in use by 00:22:19:80:75:37 (frame 4566) Another thing that I did notice though, when I first ran the scan at work, I had about 200 or so frames, in the live scan, complaining about the duplicate use of an IP. When I saved the scan and looked at it at home, only two frames had the error message. Is this normal for Wireshark? Thanks On Sun, Jun 6, 2010 at 9:22 AM, Ian Schorr <ian.schorr () gmail com> wrote:
If you can see two MAC addresses claiming to be the same IP address (and therefore dupe IP situation), you can follow the CAM/MAC tables in your switch to specifically locate the ports the two systems are connected to. If you suspect a duplicate IP address situation, filter on "ip.addr==<IP address>". See if it's immediately obvious that there are two systems sharing the same IP. If not, filter one out by adding " && !eth.addr==<mac address of the system that you can see in the trace". You may want to add an "&& arp" as well. If there's truly another MAC claiming to be that IP address, you should see it here, and be able to track down the ports of the two MACs. If the MAC addresses are very similar (i.e. first 5 bytes are the same, or otherwise differ by a value of 1 or so) then there's a good chance that you're dealing with a teaming NIC. -Ian On Sun, Jun 6, 2010 at 1:48 AM, Jaap Keuter <jaap.keuter () xs4all nl> wrote: > Hi,Teamed network interfaces, maybe? Thanks, Jaap On Sat, 5 Jun 2010 10:13:40 -0400, Soju Master <sojumaster () gmail com>wrote:I was running a scan and started to notice these summaries: AsustekC_ad:e3:e7 Dell_80:75:35 ARP 10.0.1.35 is at 00:1a:92:ad:e3:e7 (duplicate use of 10.0.1.180 detected!) Dell_9d:29:af Dell_80:72:79 ARP 10.0.1.230 is at 00:23:ae:9d:29:af (duplicate use of 10.0.1.181 detected!) I have done the obligatory research to see if there is a duplicate IP onthenetwork and could not find any. Anyone know what this message means? Thanks> ___________________________________________________________________________Sent via: Wireshark-users mailing list <wireshark-users () wireshark org Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org ?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Duplicate use of IP detected Soju Master (Jun 05)
- Re: Duplicate use of IP detected Jaap Keuter (Jun 05)
- Re: Duplicate use of IP detected Martin Visser (Jun 05)
- Re: Duplicate use of IP detected Ian Schorr (Jun 06)
- Re: Duplicate use of IP detected Soju Master (Jun 06)
- Re: Duplicate use of IP detected Martin Visser (Jun 06)
- Re: Duplicate use of IP detected Soju Master (Jun 07)
- Re: Duplicate use of IP detected Jaap Keuter (Jun 05)