Let's take the first entry: some system is sending an ARP request for 10.0.6.101, claiming to be 10.0.3.25. As Wireshark has already seen another system claiming to be 10.0.3.25, it reports it as a duplicate use of this IP address, as it now sees two MAC addresses that claim to be 10.0.3.25.

This could be benign if the capture is over a long period of time and the IP address was released and now re-used by another system. Or it could be some network configuration that triggers this (like a proxy-arp setup where the capture was done on both sides of the router).

Or it could be malicious if someone is trying to impersonate other systems.

You could filter for arp.src.proto_ipv4==10.0.3.25 to find out which systems in this pcap file are sending out ARPs claiming to be 10.0.3.25. Then look at the source MAC addresses and go from there...
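
An added example, not part of the original answer and not Wireshark's own code: the same grouping done in a script, collecting every sender MAC per claimed sender IP from raw ARP payloads and recording when each MAC was first and last seen. The function names, MAC addresses and timestamps are constructed for illustration; only the IP addresses 10.0.3.25 and 10.0.6.101 come from the answer.

```python
import struct
from collections import defaultdict

def parse_arp(payload: bytes):
    """Parse an Ethernet/IPv4 ARP payload; return (opcode, sender_mac, sender_ip, target_ip) or None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # not Ethernet/IPv4 ARP
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    mac = ":".join(f"{b:02x}" for b in sha)
    return oper, mac, ".".join(map(str, spa)), ".".join(map(str, tpa))

def find_duplicate_ips(frames):
    """frames: iterable of (timestamp, arp_payload).
    Returns {ip: {mac: (first_seen, last_seen)}} for every IP claimed by more than one MAC."""
    seen = defaultdict(dict)
    for ts, payload in frames:
        parsed = parse_arp(payload)
        if parsed is None:
            continue
        _oper, mac, ip, _target = parsed
        if ip == "0.0.0.0":  # ARP probe (RFC 5227): sender is not claiming an address
            continue
        first, _last = seen[ip].get(mac, (ts, ts))
        seen[ip][mac] = (first, ts)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

def build_arp(oper, sha, spa, tpa):
    """Build an ARP payload for the constructed sample below."""
    to_ip = lambda s: bytes(int(x) for x in s.split("."))
    mac = bytes.fromhex(sha.replace(":", ""))
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, mac, to_ip(spa), b"\0" * 6, to_ip(tpa))

# Constructed sample: MACs (documentation range) and timestamps are invented.
SAMPLE = [
    (0.0, build_arp(1, "00:00:5e:00:53:01", "10.0.3.25", "10.0.6.1")),
    (1.5, build_arp(1, "00:00:5e:00:53:02", "10.0.3.40", "10.0.3.25")),
    (9.0, build_arp(1, "00:00:5e:00:53:99", "10.0.3.25", "10.0.6.101")),
    (12.0, build_arp(1, "00:00:5e:00:53:01", "10.0.3.25", "10.0.6.1")),
]

if __name__ == "__main__":
    for ip, macs in find_duplicate_ips(SAMPLE).items():
        for mac, (first, last) in sorted(macs.items()):
            print(f"{ip} claimed by {mac} from t={first} to t={last}")
```

In the sample the two MACs' time ranges overlap, so both hosts were using the address at once; ranges that do not overlap are what the benign re-use case over a long capture would look like.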