Wireshark detects duplicate IPs in the ARP protocol. Use the arp.duplicate-address-frame Wireshark filter to display only duplicate IP information frames.
For example, open the ARP_Duplicate_IP.pcap file and apply the arp.duplicate-address-frame filter, as shown in the screenshot:
Wireshark is providing the following information in this case:
- Usually duplicate IP addresses are resolved by the DHCP server. It has to be taken seriously when it starts showing for every IP address in this case.
- All IPs have the same Sender MAC address:
fa:16:3e:bf:22:d0and shows as a duplicate of that IP address. - This could be ARP poisoning—a Man in Middle attack happening in the background.
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.