Ethereal-users: RE: [Ethereal-users] Duplicate IP Addresses!

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "McNutt, Justin M." <McNuttJ@xxxxxxxxxxxx>
Date: Fri, 19 Oct 2001 09:06:49 -0500
Read further into my note.  I discuss three possibilities, including the one
in which you don't have previous knowledge of the duplicate.

Ethereal could probably be easily adapted to this purpose, but it would need
to have a 'sliding window' capture buffer first, something that I consider a
serious loss in the existing implementation (it prevents Ethereal from being
used as any kind of monitor).

Of course, since I have neither the talent nor the time to fix this, I don't
gripe a lot about it.  :-)

--J

> -----Original Message-----
> From: Jeff Parker [mailto:jparker@xxxxxxxxxxxx]
> Sent: Friday, October 19, 2001 8:58 AM
> To: 'McNutt, Justin M.'; ethereal-users@xxxxxxxxxxxx
> Subject: RE: [Ethereal-users] Duplicate IP Addresses!
> 
> 
> > If it's not yours, run Ethereal, clear your ARP cache, and 
> > then ping the address.  Before you ping, your machine will 
> > ARP.  Check for duplicate ARP replies.
> 
> Excellent advice if you know the address that has been
> compromised.  The question of detecting that someone
> might be using some (unknown) IP address is an interesting
> one.
> 
> I would gladly put up with an application that has some
> false positives when you change you NIC card if it
> 
> 	1) Caught all duplicates used within a configurable
> 	   window (this should allow you to reuse via DHCP)
> 	2) Only told me once about each event
> 
> This isn't rocket science, but would make a nice application.
> Perhaps one of the academics running a networking class
> could use this as an assignment and post the best solution?
> 
> - jeff parker
> - axiowave networks
>