
Multiple Duplicate IPs Found

asked 2023-10-17 11:09:34 +0000

Kotze101

updated 2023-10-17 11:16:48 +0000

Greetings all,

According to the Expert Information there is a ton of duplicate IPs on my network but I am unable to actually locate them. I have even gone as far as excluding the conflicting IPs from the DHCP range but they seem to be ever changing and none of them are static. I am also not having reports of duplicate IP notifications popping up on any of our computers.

Any advice would be greatly appreciated.



Are you running a current version of Wireshark?
Can you update the question with the output of wireshark -v or Help->About Wireshark:Wireshark.

Chuckc ( 2023-10-18 11:57:52 +0000 )

I am currently running Version 4.0.8 (v4.0.8-0-g81696bb74857).

Kotze101 ( 2023-10-18 12:01:14 +0000 )

Thanks. There had been work in the Duplicate IP checks in earlier versions.

Can you share a packet capture that demonstrates the issue?

Chuckc ( 2023-10-18 12:27:37 +0000 )

Please see if you can download this file as I'm currently not allowed to upload attachments.

link text

Kotze101 ( 2023-10-18 12:35:19 +0000 )

404 - File or directory not found.

Chuckc ( 2023-10-18 12:45:32 +0000 )

2 Answers


answered 2023-10-18 13:56:18 +0000

Chuckc

updated 2023-10-18 13:59:07 +0000

If you load the latest development release Development Release: 4.2.0rc1, filters for columns are available now: contains ""
(10513: epan: Register columns fields and make them filterable (dynamic version))

Or you can load a lua plugin filtcols and filter on contains "".


There is no captured response to frame 47 so Wireshark has an incomplete (or out of date) picture of the network.



Thank you for the above, I have updated to the latest development release now.

I still don't quite understand why all the IPs that are being identified as duplicates are from within our DHCP scope though because like I mentioned our lease time is set for 24 hours so a device shouldn't be getting a different IP address within such a short capture period.

Kotze101 ( 2023-10-19 12:53:33 +0000 )

Are the duplicate IPs consistent? Does still show as a duplicate?
If so, can you look at the arp cache on to see if it has an entry for

Chuckc ( 2023-10-19 13:15:01 +0000 )

No it changes as time goes by. I did a capture about 15mins ago and it shows roughly 10 other IPs as being duplicate.

Kotze101 ( 2023-10-19 13:23:34 +0000 )

Sender MAC address: Dell_46:b9:5c (90:b1:1c:46:b9:5c)
The first entry (frame 4222) is for a MAC and source address that had issues in the previous capture.

Can you make a capture on to see where its ARP data is coming from?

Chuckc ( 2023-10-19 13:33:46 +0000 )

Unfortunately not, is a Linux server which I don't have access to. I did however now notice that 90:b1:1c:46:b9:5c is also linked to so I've asked the server guys to advise if it's the same physical device or not.

Kotze101 ( 2023-10-19 14:18:52 +0000 )

answered 2023-10-17 13:14:53 +0000

SYN-bit

Let's take the first entry, some system is sending an ARP request for, claiming to be As Wireshark has already seen another system claiming to be, it reports it as a duplicate use of this IP address as it now sees two mac-addresses that claim to be

This could be benign if the capture is over a long period of time and the IP address was released and now re-used by another system. Or it could be some network configuration that triggers this (like a proxy-arp setup where the capture was done on both sides of the router).

Or it could be malicious if someone is trying to impersonate other systems.

You could filter for arp.src.proto_ipv4== to find out which systems in this pcap file are sending out ARPs claiming to be Then look at the source mac-addresses and go from there...



The capture was done over a short 10min period so that rules out the DHCP lease being assigned to a different device as our lease period is currently set on 24 hours. We also don't have a proxy-arp configured as we only have a single network range in our environment.

When I filter for arp.src.proto_ipv4==IP it only shows me one source MAC address for the specific IP address though.

Kotze101 ( 2023-10-18 07:33:23 +0000 )
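
Added example (not part of the original thread or any poster's code): the grouping that the `arp.src.proto_ipv4` filter suggested above does by hand for one address, applied to every ARP sender in a capture, plus the reverse view of one MAC claiming several IPs that came up in the comments on the other answer. It assumes input in the shape of tshark's field output; the sample rows and all MAC and IP values are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample, in the tab-separated shape produced by:
#   tshark -r capture.pcapng -Y arp -T fields \
#          -e frame.number -e arp.src.hw_mac -e arp.src.proto_ipv4
# Addresses are placeholders, not values from the thread's capture.
SAMPLE = (
    "12\t02:00:00:aa:00:01\t192.0.2.10\n"
    "47\t02:00:00:aa:00:02\t192.0.2.20\n"
    "300\t02:00:00:aa:00:01\t192.0.2.10\n"
    "4222\t02:00:00:aa:00:03\t192.0.2.20\n"
    "4230\t02:00:00:aa:00:03\t192.0.2.31\n"
    "4305\t02:00:00:AA:00:03\t192.0.2.32\n"
    "5000\t02:00:00:aa:00:04\t0.0.0.0\n"
    "truncated row\n"
)

def parse(text):
    """Yield (frame, mac, ip) per ARP row, skipping malformed rows."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        frame, mac, ip = int(parts[0]), parts[1].lower(), parts[2]
        if ip == "0.0.0.0":  # ARP probe (RFC 5227): sender claims no address
            continue
        yield frame, mac, ip

def analyse(text):
    """Return (contested, multi):
    contested: ip -> {mac: first frame seen}, for IPs claimed by 2+ MACs
    multi:     mac -> sorted IPs, for MACs claiming 2+ IPs
    """
    by_ip = defaultdict(dict)
    by_mac = defaultdict(set)
    for frame, mac, ip in parse(text):
        by_ip[ip].setdefault(mac, frame)  # keep the first claiming frame
        by_mac[mac].add(ip)
    contested = {ip: macs for ip, macs in by_ip.items() if len(macs) > 1}
    multi = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return contested, multi

if __name__ == "__main__":
    contested, multi = analyse(SAMPLE)
    for ip, macs in contested.items():
        print(ip, "claimed by", macs)
    for mac, ips in multi.items():
        print(mac, "claims", ips)
```

A MAC that appears in `multi` and in several `contested` entries is the first host to examine, since one sender claiming many addresses accounts for many duplicate warnings at once.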


Asked: 2023-10-17 11:09:34 +0000

Seen: 394 times

Last updated: Oct 18 '23