Greetings all,
According to the Expert Information there is a ton of duplicate IPs on my network but I am unable to actually locate them. I have even gone as far as excluding the conflicting IPs from the DHCP range but they seem to be ever changing and none of them are static. I am also not having reports of duplicate IP notifications popping up on any of our computers.
Any advise would be greatly appreciated.
If you load the latest development release Development Release: 4.2.0rc1, filters for columns are available now:
_ws.col.info contains "10.0.4.107"
(10513: epan: Register columns fields and make them filterable (dynamic version))
Or you can load a lua plugin filtcols and filter on filtcols.info contains "10.0.4.107".
There is no captured response to frame 47 so Wireshark has an incomplete (or out of date) picture of the network.
Thank you for the above, I have updated to the latest development release now.
I still don't quite understand why all the IPs that are being identified as duplicates are from within our DHCP scope though because like I mentioned our lease time is set for 24 hours so a device shouldnt be getting a different IP address within such a short capture period.
No it changes as time goes by. I did a capture about 15mins ago and it shows roughly 10 other IPs as being duplicate.
Let's take the first entry, some system is sending an ARP request for 10.0.6.101, claiming to be 10.0.3.25. As Wireshark has already seen another system claiming to be 10.0.3.25, it reports it as a duplicate use of this IP address as it now sees two mac-addresses that claim to be 10.0.3.25.
This could be benign if the capture is over a long period of time and the IP address was released and now re-used by another system. Or it could be some network configuration that triggers this (like a proxy-arp setup where the capture was done on both sides of the router).
Or it could be malicious if someone is trying to impersonate other systems.
You could filter for arp.src.proto_ipv4==10.0.3.25 to find out which systems in this pcap file are sending out ARPs claiming to be 10.0.3.25. Then look at the source mac-addresses and go from there...
The capture was done over a short 10min period so that rules out the DHCP lease being assigned to a different device as our lease period is currently set on 24 hours. We also don't have a proxy-arp configured as we only have a single 10.0.0.0/21 network range in our environment.
When I filter for arp.src.proto_ipv4==IP it only shows me one source MAC address for the specific IP address though.
Asked: 2023-10-17 11:09:34 +0000
Seen: 248 times
Last updated: Oct 18 '23
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
Are you running a current version of Wireshark?
Can you update the question with the output of
wireshark -vorHelp->About Wireshark:Wireshark.I am currently running Version 4.0.8 (v4.0.8-0-g81696bb74857).
Thanks. There had been work in the Duplicate IP checks in earlier versions.
Can you share a packet capture that demonstrates the issue?
Please see if you can download this file as I'm currently not allowed to upload attachments.
link text
404 - File or directory not found.