ARP duplicate IP detection
Wireshark detects duplicate IPs in the ARP protocol. Use the arp.duplicate-address-frame
Wireshark filter to display only duplicate IP information frames.
For example, open the ARP_Duplicate_IP.pcap
file and apply the arp.duplicate-address-frame
filter, as shown in the screenshot:
Wireshark is providing the following information in this case:
- Usually duplicate IP addresses are resolved by the DHCP server. It has to be taken seriously when it starts showing for every IP address in this case.
- All IPs have the same Sender MAC address:
fa:16:3e:bf:22:d0
and shows as a duplicate of that IP address. - This could be ARP poisoning—a ...
Get Packet Analysis with Wireshark now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.