ARP duplicate IP detection
Wireshark detects duplicate IPs in the ARP protocol. Use the arp.duplicate-address-frame Wireshark filter to display only duplicate IP information frames.
For example, open the ARP_Duplicate_IP.pcap file and apply the arp.duplicate-address-frame filter, as shown in the screenshot:
Wireshark provides the following information in this case:
Usually, duplicate IP addresses are resolved by the DHCP server. The condition has to be taken seriously when, as in this case, it starts showing up for every IP address.
All IPs have the same Sender MAC address, fa:16:3e:bf:22:d0, and each one shows as a duplicate of that IP address. This could be ARP poisoning, a man-in-the-middle attack happening in the background.
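The pattern described above, one sender MAC showing up as a duplicate for every IP address, can also be checked outside Wireshark. The following is an added example, not code from the original text or from Wireshark: it parses ARP frames, records the first MAC seen for each IP, and reports any MAC that later claims several already-owned IPs. The frames, the 10.0.0.x addresses, the fa:16:3e:00:00:0x host MACs and the threshold of three are constructed assumptions.

```python
import socket
import struct
from collections import defaultdict

def arp_frame(sender_mac, sender_ip, target_ip, op=2):
    """Build a constructed Ethernet+ARP frame (sample input, not from the pcap)."""
    mac = bytes.fromhex(sender_mac.replace(":", ""))
    eth = b"\xff" * 6 + mac + b"\x08\x06"
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac + socket.inet_aton(sender_ip)
    return eth + arp + b"\x00" * 6 + socket.inet_aton(target_ip)

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, _op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    return mac, socket.inet_ntoa(frame[28:32])

def find_duplicates(frames, many=3):
    """Flag IPs claimed by a second MAC, and MACs behind `many` or more conflicts."""
    first_owner = {}                 # ip -> first MAC seen claiming it
    conflicts = defaultdict(set)     # later-claiming MAC -> IPs it duplicated
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip = parsed
        if ip == "0.0.0.0":          # ARP probe: sender has not claimed an IP yet
            continue
        if first_owner.setdefault(ip, mac) != mac:
            conflicts[mac].add(ip)
    suspects = sorted(m for m, ips in conflicts.items() if len(ips) >= many)
    return dict(conflicts), suspects

# Constructed capture: three hosts announce themselves, then one MAC claims all three IPs.
HOSTS = {"10.0.0.1": "fa:16:3e:00:00:01", "10.0.0.2": "fa:16:3e:00:00:02",
         "10.0.0.3": "fa:16:3e:00:00:03"}
SAMPLE = [arp_frame(m, ip, "10.0.0.254") for ip, m in HOSTS.items()]
SAMPLE += [arp_frame("fa:16:3e:bf:22:d0", ip, "10.0.0.254") for ip in HOSTS]

if __name__ == "__main__":
    conflicts, suspects = find_duplicates(SAMPLE)
    for mac in suspects:
        print(f"{mac} duplicates {sorted(conflicts[mac])}: possible ARP poisoning")
```

A single conflicting IP is recorded but not reported as a suspect, which matches the distinction the text draws between an ordinary address clash and one MAC duplicating every address.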