Ask Your Question
0

Multiple Duplicate IPs Found

asked 2023-10-17 11:09:34 +0000

Kotze101 gravatar image

updated 2023-10-17 11:16:48 +0000

Greetings all,

According to the Expert Information there is a ton of duplicate IPs on my network but I am unable to actually locate them. I have even gone as far as excluding the conflicting IPs from the DHCP range but they seem to be ever changing and none of them are static. I am also not having reports of duplicate IP notifications popping up on any of our computers.

Any advise would be greatly appreciated.

image description

edit retag flag offensive close merge delete

Comments

Are you running a current version of Wireshark?
Can you update the question with the output of wireshark -v or Help->About Wireshark:Wireshark.

Chuckc gravatar imageChuckc ( 2023-10-18 11:57:52 +0000 )edit

I am currently running Version 4.0.8 (v4.0.8-0-g81696bb74857).

Kotze101 gravatar imageKotze101 ( 2023-10-18 12:01:14 +0000 )edit

Thanks. There had been work in the Duplicate IP checks in earlier versions.

Can you share a packet capture that demonstrates the issue?

Chuckc gravatar imageChuckc ( 2023-10-18 12:27:37 +0000 )edit

Please see if you can download this file as I'm currently not allowed to upload attachments.

link text

Kotze101 gravatar imageKotze101 ( 2023-10-18 12:35:19 +0000 )edit

404 - File or directory not found.

Chuckc gravatar imageChuckc ( 2023-10-18 12:45:32 +0000 )edit

2 Answers

Sort by » oldest newest most voted
0

answered 2023-10-18 13:56:18 +0000

Chuckc gravatar image

updated 2023-10-18 13:59:07 +0000

If you load the latest development release Development Release: 4.2.0rc1, filters for columns are available now:
_ws.col.info contains "10.0.4.107"
(10513: epan: Register columns fields and make them filterable (dynamic version))

Or you can load a lua plugin filtcols and filter on filtcols.info contains "10.0.4.107".

image description

There is no captured response to frame 47 so Wireshark has an incomplete (or out of date) picture of the network.

edit flag offensive delete link more

Comments

Thank you for the above, I have updated to the latest development release now.

I still don't quite understand why all the IPs that are being identified as duplicates are from within our DHCP scope though because like I mentioned our lease time is set for 24 hours so a device shouldnt be getting a different IP address within such a short capture period.

Kotze101 gravatar imageKotze101 ( 2023-10-19 12:53:33 +0000 )edit

Are the duplicate IPs consistent? Does 10.0.4.107 still show as a duplicate?
If so, can you look at the arp cache on 10.0.7.230 to see if it has an entry for 10.0.4.107?

Chuckc gravatar imageChuckc ( 2023-10-19 13:15:01 +0000 )edit

No it changes as time goes by. I did a capture about 15mins ago and it shows roughly 10 other IPs as being duplicate.

https://www.vrcmc.co.za/dup_ip2.png

Kotze101 gravatar imageKotze101 ( 2023-10-19 13:23:34 +0000 )edit

Sender MAC address: Dell_46:b9:5c (90:b1:1c:46:b9:5c)
The first entry (frame 4222) is for a MAC and source address that had issues in the previous capture.

Can you make a capture on 10.0.7.230 to see where it's arp data is coming from?

Chuckc gravatar imageChuckc ( 2023-10-19 13:33:46 +0000 )edit

Unfortunately not, 10.0.7.230 is a linux server which I dont have access to. I did however now notice that 90:b1:1c:46:b9:5c is also linked to 10.0.0.21 so I've asked the server guys to advise if it's the same physical device or not.

Kotze101 gravatar imageKotze101 ( 2023-10-19 14:18:52 +0000 )edit
0

answered 2023-10-17 13:14:53 +0000

SYN-bit gravatar image

Let's take the first entry, some system is sending an ARP request for 10.0.6.101, claiming to be 10.0.3.25. As Wireshark has already seen another system claiming to be 10.0.3.25, it reports it as a duplicate use of this IP address as it now sees two mac-addresses that claim to be 10.0.3.25.

This could be benign if the capture is over a long period of time and the IP address was released and now re-used by another system. Or it could be some network configuration that triggers this (like a proxy-arp setup where the capture was done on both sides of the router).

Or it could be malicious if someone is trying to impersonate other systems.

You could filter for arp.src.proto_ipv4==10.0.3.25 to find out which systems in this pcap file are sending out ARPs claiming to be 10.0.3.25. Then look at the source mac-addresses and go from there...

edit flag offensive delete link more

Comments

The capture was done over a short 10min period so that rules out the DHCP lease being assigned to a different device as our lease period is currently set on 24 hours. We also don't have a proxy-arp configured as we only have a single 10.0.0.0/21 network range in our environment.

When I filter for arp.src.proto_ipv4==IP it only shows me one source MAC address for the specific IP address though.

Kotze101 gravatar imageKotze101 ( 2023-10-18 07:33:23 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-10-17 11:09:34 +0000

Seen: 598 times

Last updated: Oct 18 '23