Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: Re: [Wireshark-users] Duplicate IPs

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Hansang Bae <for_list_hbae@xxxxxxxxxx>
Date: Sat, 03 Jul 2010 14:16:13 -0400
On 6/24/2010 5:10 PM, Josue Del Valle wrote:

Hi,

 

I hope someone can help me out with this.  I am running Wireshark from two different computers and getting the same results.  Basically I am getting the following:

ARP/RARP Duplicate IP address configured (192.168.10.222)

ARP/RARP Duplicate IP address configured (192.168.10.220)

ARP/RARP Duplicate IP address configured (192.168.10.208)

 

This is an example:

154,"16:58:24.071822","Dell_55:3b:5b","Dell_42:b5:3a","ARP","Who has 192.168.10.40?  Tell 192.168.10.222 (duplicate use of 192.168.10.200 detected!)"

 

 

These addresses are statically assigned and I don’t see how they could be duplicated.  I read that this could be an ARP attack but I’m not sure what to look for.

How can I know whether it is an ARP attack and trace the computer that’s causing the problem.


Nice thing about troubleshooting arp issue is that the frames tell you what's going on.  For example, who thinks they have the mac/IP etc.  Some things that can cause this are
1) teamed nics that confuses the switch (misconfigured/nic driver issues)
2) NIC driver problems (broadcom on dell) that would hijack arp messages



Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube