Wireshark-dev: [Wireshark-dev] RFC: Detecting duplicate IP addresses [PATCH]

From: "Martin Mathieson" <martin.r.mathieson@xxxxxxxxxxxxxx>
Date: Mon, 17 Dec 2007 10:57:31 +0000
Hi,

I want to see an expert item to report when Wireshark can see that more than one endpoint is configured with the same IP address.

The approach this (not-fully-tested-yet) patch takes is to pick IP/MAC pairs out of ARP requests/responses and maintain an IP->MAC hash table. Should this work - i.e. would you expect Wireshark to always see the ARP requests? Is there an obviously better way of doing this? My patch has a preference to do this detection turned off for now.

I'm not really worried about just missing ARP requests at the start of the capture, I'm thinking more about capturing for the duration of a test lasting longer than the ARP entry timeout of any of the hosts.

Thanks,
Martin

Attachment: packet-arp.c.diff
Description: Binary data
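
A stand-alone sketch of the IP->MAC table approach described in the message above, as an added example: it is not the attached packet-arp.c.diff and does not use Wireshark's dissector API. The names `arp_observe` and `arp_check_packet`, the table size and the two sample packets are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define SLOTS 1024               /* assumed capacity, open addressing */

struct binding { int used; uint32_t ip; uint8_t mac[6]; };
static struct binding table[SLOTS];

/* Record ip -> mac. Returns 1 if ip was last seen with a different MAC,
 * 0 if the binding is new or unchanged, -1 if the table is full. */
int arp_observe(uint32_t ip, const uint8_t *mac)
{
    uint32_t h = (ip * 2654435761u) % SLOTS;
    for (uint32_t i = 0; i < SLOTS; i++) {
        struct binding *b = &table[(h + i) % SLOTS];
        if (!b->used) {
            b->used = 1; b->ip = ip; memcpy(b->mac, mac, 6);
            return 0;
        }
        if (b->ip == ip) {
            int changed = memcmp(b->mac, mac, 6) != 0;
            memcpy(b->mac, mac, 6);   /* keep the latest claimant */
            return changed;
        }
    }
    return -1;
}

/* arp points at the ARP header (after the 14-byte Ethernet header).
 * Requests and replies both carry the sender's MAC and IP, so both feed the
 * table. Returns arp_observe()'s result, or -1 if not Ethernet/IPv4 ARP. */
int arp_check_packet(const uint8_t *arp, size_t len)
{
    static const uint8_t eth_ipv4[6] = {0, 1, 0x08, 0x00, 6, 4};
    if (len < 28 || memcmp(arp, eth_ipv4, 6) != 0)
        return -1;
    uint32_t spa = (uint32_t)arp[14] << 24 | (uint32_t)arp[15] << 16 |
                   (uint32_t)arp[16] << 8 | arp[17];
    if (spa == 0)     /* ARP probe (RFC 5227): sender claims no address */
        return 0;
    return arp_observe(spa, arp + 8);   /* sender MAC is at offset 8 */
}

/* Constructed sample ARP replies: two MACs both claim 192.0.2.10. */
static const uint8_t pkt_a[28] = {0,1, 8,0, 6,4, 0,2, 0x02,0,0,0,0,0x0a,
    192,0,2,10, 0x02,0,0,0,0,0x01, 192,0,2,1};
static const uint8_t pkt_b[28] = {0,1, 8,0, 6,4, 0,2, 0x02,0,0,0,0,0x0b,
    192,0,2,10, 0x02,0,0,0,0,0x01, 192,0,2,1};
```

A return value of 1 means the binding changed, which also happens on legitimate failover or NIC replacement, so it is a prompt to investigate rather than proof of a misconfigured host.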