Thursday 4 August 2016

Detecting duplicate IPs with Wireshark / Gratuitous ARP

More often than not, mainline operating systems have some form of duplicate IP detection - whether it's Windows, Cisco IOS or Android - and you are usually presented with some form of user-friendly warning.

There are times, though, when you might be working with other devices (such as embedded ones) that do not alert you - so instead we must sniff the traffic between the switch and the device itself.

A gratuitous ARP request / reply is an ARP message that (in most cases) is not needed, although it comes into play in the event of an IP conflict. For example, a host on the network might send a gratuitous ARP request to ensure that no other host responds to it - this request will contain the origin host's IP address as both its source and destination address, and the destination MAC will be FF:FF:FF:FF:FF:FF.

Typically the host making the request should hear nothing back - although in cases where another host is using that IP address, that host will send a gratuitous ARP reply to the broadcast address - a real-world example can be seen below:


As discussed above, many operating systems will send a gratuitous ARP request when the MAC address or IP of a NIC is changed, to ensure that there are no conflicts on the network.
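The check described above (sender and target IP identical, and more than one MAC claiming the same IP) can be automated over captured frames. The Python below is an added example, not code from the original post; the MAC and IP addresses are constructed sample data and `build_frame` is a hypothetical helper used only to create them.

```python
import socket
import struct
from collections import defaultdict

BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # EtherType 0x0806 = ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "op": "request" if op == 1 else "reply" if op == 2 else str(op),
        "mac": sha.hex(":"),
        "ip": socket.inet_ntoa(spa),
        "broadcast": frame[0:6] == BROADCAST,
        "gratuitous": spa == tpa,            # sender IP == target IP
    }

def find_duplicate_ips(frames):
    """Map each IP claimed by more than one sender MAC to the sorted MACs."""
    claims = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["ip"] != "0.0.0.0":   # 0.0.0.0 sender is a probe, not a claim
            claims[arp["ip"]].add(arp["mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def build_frame(dst, src_mac, op, spa, tpa):
    """Constructed sample data: build one ARP frame (hypothetical helper)."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    eth = dst + sha + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += sha + socket.inet_aton(spa) + b"\x00" * 6 + socket.inet_aton(tpa)
    return eth + arp

# Constructed capture: two hosts announce 192.168.1.50, plus one ordinary lookup.
SAMPLE = [
    build_frame(BROADCAST, "02:00:00:00:00:0a", 1, "192.168.1.50", "192.168.1.50"),
    build_frame(BROADCAST, "02:00:00:00:00:0b", 2, "192.168.1.50", "192.168.1.50"),
    build_frame(BROADCAST, "02:00:00:00:00:0c", 1, "192.168.1.20", "192.168.1.1"),
]

if __name__ == "__main__":
    print("duplicates:", find_duplicate_ips(SAMPLE))
```

In Wireshark itself, the display filters `arp.isgratuitous` and `arp.duplicate-address-detected` select gratuitous ARP frames and frames that Wireshark has flagged for duplicate address use.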
