Re: Duplicate use of IP detected

[Soju Master <sojumaster () gmail com>]

I do have a few systems in my network that have teaming NICs, I will have to
check it when I get to work tomorrow.

I am suspecting that it might be teaming NIC's based on the very simular NIC
addys:

Duplicate IP address detected for 10.0.1.181 (00:22:19:80:72:79) - also in
use by 00:22:19:80:72:7b (frame 4515)
Duplicate IP address detected for 10.0.1.180 (00:22:19:80:75:35) - also in
use by 00:22:19:80:75:37 (frame 4566)

Another thing that I did notice though, when I first ran the scan at work, I
had about 200 or so frames, in the live scan, complaining about the
duplicate use of an IP.
When I saved the scan and looked at it at home, only two frames had the
error message.  Is this normal for Wireshark?

Thanks



On Sun, Jun 6, 2010 at 9:22 AM, Ian Schorr <ian.schorr () gmail com> wrote:

> If you can see two MAC addresses claiming to be the same IP address
> (and therefore dupe IP situation), you can follow the CAM/MAC tables
> in your switch to specifically locate the ports the two systems are
> connected to.
>
> If you suspect a duplicate IP address situation, filter on
> "ip.addr==<IP address>".  See if it's immediately obvious that there
> are two systems sharing the same IP.  If not, filter one out by adding
> " && !eth.addr==<mac address of the system that you can see in the
> trace".  You may want to add an "&& arp" as well.  If there's truly
> another MAC claiming to be that IP address, you should see it here,
> and be able to track down the ports of the two MACs.
>
> If the MAC addresses are very similar (i.e. first 5 bytes are the
> same, or otherwise differ by a value of 1 or so) then there's a good
> chance that you're dealing with a teaming NIC.
>
> -Ian
>
> On Sun, Jun 6, 2010 at 1:48 AM, Jaap Keuter <jaap.keuter () xs4all nl> wrote:
>  > Hi,
> > Teamed network interfaces, maybe?
> >
> > Thanks,
> > Jaap
> >
> > On Sat, 5 Jun 2010 10:13:40 -0400, Soju Master <sojumaster () gmail com>
> wrote:
> > I was running a scan and started to notice these summaries:
> >
> > AsustekC_ad:e3:e7     Dell_80:75:35     ARP     10.0.1.35 is at
> > 00:1a:92:ad:e3:e7 (duplicate use of 10.0.1.180 detected!)
> > Dell_9d:29:af     Dell_80:72:79      ARP      10.0.1.230 is at
> > 00:23:ae:9d:29:af (duplicate use of 10.0.1.181 detected!)
> >
> > I have done the obligatory research to see if there is a duplicate IP on
> the
> > network and could not find any.
> >
> > Anyone know what this message means?
> >
> > Thanks
>  >
> ___________________________________________________________________________
> > Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org
> >
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
> >
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe