
List:       wireshark-users
Subject:    Re: [Wireshark-users] Duplicate IPs
From:       "Josue Del Valle" <jodelvalle () braishfield ! com>
Date:       2010-06-28 12:56:22
Message-ID: 65D9A9F334ED8A48B9E6108528349EC70C34F7C6 () hercules ! braishfield ! local

Hi Martin,

 

It seems like the duplicate IP messages I'm getting are due to having teamed NICs on the servers.

 

Thanks for your help.   

 

Regards,

 

Josue Del Valle <mailto:jodelvalle@braishfield.com> 

 

From: Martin Visser [mailto:martinvisser99@gmail.com] 
Sent: Sunday, June 27, 2010 12:24 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Duplicate IPs

 

If you have duplicate IPs being detected from ARP requests or responses, it will be because the same IP address is seen having two MAC addresses. Once you isolate the two MAC addresses using this IP address, you will want to look at your switch forwarding database (sometimes known as the MAC address table or CAM table, depending on the vendor). For instance, on Cisco switches "show mac-address-table" will show you what interfaces the MAC addresses appear on. While your core switches might show a lot of this on, say, trunks going to your edge switches, by repeating this process on the connected edge switch you will eventually find the interfaces that directly connect to the offending devices.

 

Just remember that this could also be due to a misconfigured proxy ARP configuration on a router, or also where redundancy protocols such as, say, VRRP are being used.


Regards, Martin

MartinVisser99@gmail.com



On Fri, Jun 25, 2010 at 7:10 AM, Josue Del Valle <jodelvalle@braishfield.com> wrote:

Hi,

 

I hope someone can help me out with this.  I am running Wireshark from two different computers and getting the same results.  Basically I am getting the following:

ARP/RARP Duplicate IP address configured (192.168.10.222)

ARP/RARP Duplicate IP address configured (192.168.10.220)

ARP/RARP Duplicate IP address configured (192.168.10.208)

 

This is an example:

154,"16:58:24.071822","Dell_55:3b:5b","Dell_42:b5:3a","ARP","Who has 192.168.10.40?  Tell 192.168.10.222 (duplicate use of 192.168.10.200 detected!)"

 

 

These addresses are statically assigned and I don't see how they could be duplicated. I read that this could be an ARP attack but I'm not sure what to look for.

How can I know whether it is an ARP attack and trace the computer that's causing the problem?

 

 

  

 

Regards,

 

JD <mailto:jodelvalle@braishfield.com> 

 

Coverage cannot be assumed to be bound, altered or canceled without confirmation from an authorized representative of Braishfield Associates, Inc.

DISCLAIMER:

CONFIDENTIALITY NOTICE: Braishfield Associates, Inc. would like you to know that the information contained in this communication, including attachments is privileged and confidential. It is intended only for the exclusive use of the addressee. If the reader of this message is not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. Insurance coverage can not be bound, amended or changed via an e-mail message without knowledge or consent from the insuring carrier. If you have received this communication in error please notify us by telephone immediately at (407) 825-9911 or e-mail disclaimer@braishfield.com. Thank you.


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
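
The check described in the thread above (one IP address seen with two MAC addresses), as an added example that is not part of the original messages: it reads a Wireshark CSV export in the column layout of the quoted line and lists each IP claimed by more than one MAC, flagging VRRP virtual MACs as a likely benign cause. The sample rows, MAC addresses and function names are constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample (not from the thread), in the column layout of the CSV
# line quoted above: No., Time, Source, Destination, Protocol, Info.
# MAC name resolution is assumed to be off; all addresses are made up.
SAMPLE_CSV = '''\
1,"16:58:24.071822","02:00:00:55:3b:5b","ff:ff:ff:ff:ff:ff","ARP","Who has 192.168.10.40?  Tell 192.168.10.222"
2,"16:58:24.912004","02:00:00:42:b5:3a","ff:ff:ff:ff:ff:ff","ARP","Who has 192.168.10.1?  Tell 192.168.10.222"
3,"16:58:25.100310","00:00:5e:00:01:0a","02:00:00:42:b5:3a","ARP","192.168.10.1 is at 00:00:5e:00:01:0a"
4,"16:58:25.400000","02:00:00:aa:bb:cc","02:00:00:42:b5:3a","ARP","192.168.10.1 is at 02:00:00:aa:bb:cc"
5,"16:58:26.000000","02:00:00:11:22:33","ff:ff:ff:ff:ff:ff","ARP","Who has 192.168.10.222?  Tell 192.168.10.40"
'''

REQUEST = re.compile(r"Who has \S+\?\s+Tell (\d+\.\d+\.\d+\.\d+)")
REPLY = re.compile(r"(\d+\.\d+\.\d+\.\d+) is at ([0-9a-fA-F:]{17})")
# IPv4 VRRP routers answer ARP with the virtual MAC 00:00:5e:00:01:<VRID>.
VRRP_PREFIX = "00:00:5e:00:01:"


def ip_to_macs(csv_text):
    """Map each announced IP address to the set of MACs seen claiming it."""
    seen = defaultdict(set)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 6 or row[4] != "ARP":
            continue
        src_mac, info = row[2].lower(), row[5]
        m = REQUEST.search(info)
        if m:
            # The summary line exposes only the Ethernet source address,
            # so it stands in for the ARP sender MAC here.
            seen[m.group(1)].add(src_mac)
            continue
        m = REPLY.search(info)
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return seen


def duplicates(csv_text):
    """Return only the IPs claimed by more than one MAC address."""
    report = {}
    for ip, macs in ip_to_macs(csv_text).items():
        if len(macs) > 1:
            vrrp = any(mac.startswith(VRRP_PREFIX) for mac in macs)
            report[ip] = {"macs": sorted(macs), "vrrp_virtual_mac": vrrp}
    return report


if __name__ == "__main__":
    for ip, d in sorted(duplicates(SAMPLE_CSV).items()):
        hint = "VRRP virtual MAC involved" if d["vrrp_virtual_mac"] else "look up both MACs in the switch MAC address table"
        print(f"{ip}: {', '.join(d['macs'])} ({hint})")
```

Each pair of MAC addresses reported without the VRRP flag is what you would then look up in the switch forwarding database to find the ports involved.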

 




