[SOLVED] Find Duplicate IP Address with Wireshark

All devices, such as a laptop, desktop, printer, cell phone or tablet connected to a network have its own unique IP address. It is very important that an IP address has to be assigned to only one station in the network. Otherwise, an IP conflict arises when two devices on the same network have the same IP address.

 

How Duplicate IP Happens?

An IP conflict can happen for a variety of reasons. However, most of IP conflict happens due to configuration mistakes. Imagine you bought a printer and introduced it to the network in the office. Since it was a network printer, you thought it was a good idea to assign a static IP address to it so that your colleagues can also use it. Otherwise, it would be difficult to use the printer if its IP address was assigned dynamically by the DHCP server in a couple of days. The idea of assigning a static IP address sounds good but it has a caveat. Not all DHCP servers check if an IP address is already in use before assigning it to a station. There are chances that the statically configured printer IP address can be assigned to another station. As I mentioned in this article (https://www.golinuxcloud.com/detect-rogue-dhcp-server-wireshark/), the station or the server may check if the IP address is already in use and prevent the conflict. Following screenshot is from a Windows operation system detecting an IP address conflict. As it is seen, it doesn’t show any information regarding the other station, which uses the duplicate IP address.

 

 

So How does Windows operating system detect there is an IP address conflict? The answer is simple. It uses Address Resolution Protocol (ARP) to check if there is another client uses the same IP address.

 

What is ARP? And How does the operating system use it to detect duplicate IP address?

ARP is a network protocol used to find out the hardware (MAC) address of a device from an IP address. It simply maps an IP address to a MAC address. After receiving an IP address from a DHCP server or being assigned an IP address statically, the station starts the procedure of detecting duplicate IP address with an ARP request packet. Before diving deep, we need to thoroughly understand how ARP works.

The process of mapping an IP address to a MAC address using ARP is below.

 

Step-1: As it is seen in the below screenshot, the station prepares an ARP request packet, which includes following information:

• Sender MAC: This field contains the station’s (senders) MAC address.
• Sender IP Address: This field contains the station’s (senders) IP address.
• Target MAC Address: The goal of the request is to obtain target MAC address. The sender leaves this field empty and expects the target to fill it.
• Target IP Address: The station (sender) inserts the target IP address here.

 

 

The station broadcasts this packet and expects the target to reply back.

Step-2: The target replies the station with filling the information below:

• Sender MAC: This time the target becomes the sender and adds its MAC address here.
• Sender IP Address: The target inserts its own IP address here.
• Target MAC Address: The station’s MAC address is inserted here.
• Target IP Address: The station’s IP address is inserted here.

 

With the reply packet, the station maps the IP address (192.168.1.1) to the MAC address (ca:01:42:f8:00:00). We can check the mapping in the ARP cache (table) with “arp -a” command on both Windows and Linux operating system.

 

The station on the network can use the same logic to discover duplicate IP addresses. Following steps shows how the station discovers duplicate IP address.

Step-1: After receiving the IP address (192.168.20.1) from the DHCP server, the station needs to make sure if this IP address is already in use. The station uses an ARP Probe, which is an ARP request constructed with an all-zero sender IP address.

 

Step-2: A host with the same IP address replies back, which is the proof that the IP address is currently used by another host. After receiving this packet, the station notices there is an IP conflict and sends a DHCP DECLINE packet to the DHCP server, refusing the offered IP address.

 

 

Find Duplicate IP Address with Wireshark

There are times when we need to make sure there is no even a single duplicate IP address in our network. We can achieve this goal with Wireshark and its display filter. We can start packet capturing for a while then apply some specific filter to see if there is any conflict. This method takes some time because we need to wait and collect all the ARP packets. However, we can accelerate this process with manually triggering ARP request for all the IP addresses in the subnet with a simple script. The script basically pings all hosts on the network. Before sending ping (ICMP) packets, the station needs to map IP addresses to MAC addresses, so it sends ARP requests to get the MAC addresses for the IP addresses. We will run the script and collect all the ARP packets with Wireshark like below.

 

In Windows:

We will use the syntax below for the script:

FOR /L %%parameter IN (start, step, end) DO command

• start : The first number
• step : The amount by which to increment the sequence
• end : The last number
• command : The command to carry out, including any parameters.
• %%parameter : A replaceable parameter.

 

The script basically starts pinging from 192.168.1.1 to 192.168.1.255.

for /l %i in (1,1,255) do ping -n 1 192.168.1.%i

Before running the script, we need to delete the ARP cache with the command below. If we do not delete the cache, the station will not make requests for the entry in the ARP cache.

 

After running the script, we will have all the ARP requests and replies with Wireshark like below.

 

So How do we find which IP addresses are duplicated? It is pretty easy, just follow the steps below.

Step-1: We will apply “arp.duplicate-address-detected” as display filter to find which IP addresses are duplicated. The packet below shows which IP address (192.168.1.5) is duplicated and its frame number as well.

 

Step-2: To see all hosts using 192.168.1.5, we apply "arp.src.proto_ipv4 == 192.168.1.5" display filter. The result is below.

 

In Linux:

The same result can be achieved with the script below.

#! /bin/bash

for ip in $(seq 1 255); do
   ping -c 1 192.168.1.$ip
done 

 

Final Thoughts

During an IP conflict, connectivity suffers and even sometimes there would not be any connectivity because packets are not consistently delivered to the correct device. When we suspect a duplicate IP address, Wireshark has a good display filter to identify the problem.

 

References

https://www.ietf.org/rfc/rfc5227.txt
https://study-ccna.com/arp/
https://ss64.com/nt/for_l.html

 

Related Keywords: Find duplicate ip address, how to detect duplicate ip address with arping, detecting duplicate ip addresses using arp, linux detect duplicate ip address wireshark