Wireshark-bugs: [Wireshark-bugs] [Bug 6195] New: Duplicate IP address detection in ARP frames in

Date: Tue, 2 Aug 2011 22:50:31 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6195

           Summary: Duplicate IP address detection in ARP frames
                    inconsistent and unreliable
           Product: Wireshark
           Version: 1.7.x (Experimental)
          Platform: x86
        OS/Version: Windows Vista
            Status: NEW
          Severity: Normal
          Priority: Medium
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: Jim@xxxxxxxxxxxxxxxxx


Created an attachment (id=6763)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=6763)
Trace file showing duplicate use of IP address in ARP frames

Build Information:
Version 1.7.0-SVN-38316 (SVN Rev 38316 from /trunk)

Copyright 1998-2011 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.22.1, with GLib 2.26.1, with WinPcap (version
unknown), with libz 1.2.5, without POSIX capabilities, with threads support,
without libpcre, with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without
Python, with GnuTLS 2.10.3, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP,
with PortAudio V19-devel (built Aug  2 2011), with AirPcap.

Running on 32-bit Windows Vista Service Pack 2, build 6002, with WinPcap
version 4.1.2 (packet.dll version 4.1.0.2001), based on libpcap version 1.0
branch 1_0_rel0b (20091008), GnuTLS 2.10.3, Gcrypt 1.4.6, with AirPcap 4.1.1
build 1838.

Built using Microsoft Visual C++ 9.0 build 21022
--
The number of “Duplicate IP address configured” expert info messages shown
during live capture is significantly different from the number shown after the
capture is stopped, or when a saved trace file is loaded; and Wireshark does
not consistently identify duplicate IP address use.


TO RECREATE:

Load the trace file “Duplicate IP Address.cap” into Colasoft Packet Player or
similar utility and replay the trace file onto the network while capturing with
Wireshark. While the live capture is in progress, open the Expert Info dialog,
click on the Warnings tab, and watch the number of warnings. Eventually you
will see 182 occurrences of “Duplicate IP address configured (10.29.153.85)” as
shown in the screen shot titled “Duplicate IP Address – Live Capture.jpg.” You
must do this in real time while the packets are being replayed.

Once all 558 packets have been replayed and captured, stop the capture, close
the Expert Info dialog, and reopen it. Again go to the Warnings tab. Now you
will see only 26 occurrences of “Duplicate IP address configured
(10.29.153.85)” listed as shown in the screen shot titled “Duplicate IP Address
– Capture Stopped.jpg.”

Now expand the list of warnings, and go to the first packet listed, which is
number 528. You will see the message “Duplicate IP address detected for
10.29.153.85 (00:18:fe:89:fc:60) - also in use by 00:18:fe:89:fc:5f (frame
527).”

Frame 527 lists 10.29.153.85 as the Target IP Address and 00:18:fe:89:fc:5f as
the Target MAC Address. Frame 528 lists 10.29.153.85 as the Sender IP Address
and 00:18:fe:89:fc:60 as the Sender MAC Address. Both 00:18:fe:89:fc:5f and
00:18:fe:89:fc:60 are associated with 10.29.153.85, so this is in fact a
duplicate use of the same IP address.

Now look at frames 211 and 212. 211 is exactly the same as 527, and 212 is
exactly the same as 528, as shown in the screen shot “Four Packet
Comparison.jpg,” but Wireshark does not identify frame 212 as a duplicate use
of the IP address in frame 211.

The same behavior is seen on a Windows XP computer using Wireshark Portable.

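A single-pass duplicate-IP check over ARP payloads that starts from empty state on every call, so the same capture always yields the same warnings. This is an added example, not Wireshark's dissector code and not part of the report. The opcodes, the 10.29.153.1 host and its MAC are constructed; only the 10.29.153.85 bindings and frame numbers come from the report.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"                 # Ethernet/IPv4 ARP payload, 28 bytes
IGNORED_MACS = {b"\x00" * 6, b"\xff" * 6}  # unresolved or broadcast: not a binding

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, sha, spa, tha, tpa):
    """Build a constructed ARP payload for the sample data below."""
    to_mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       to_mac(sha), socket.inet_aton(spa),
                       to_mac(tha), socket.inet_aton(tpa))

def find_duplicates(frames):
    """frames: iterable of (frame_number, arp_payload). Returns one tuple
    (frame, ip, mac, other_mac, other_frame) per conflicting binding."""
    seen = {}       # ip -> (mac, frame) of the latest binding; fresh per call
    warnings = []
    for num, payload in frames:
        if len(payload) < 28:
            continue  # truncated frame
        htype, ptype, hlen, plen, _op, sha, spa, tha, tpa = struct.unpack(
            ARP_FMT, payload[:28])
        if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
            continue  # not Ethernet/IPv4 ARP
        # Both sender and target fields carry an IP-to-MAC binding.
        for mac, ip in ((sha, spa), (tha, tpa)):
            if mac in IGNORED_MACS or ip == b"\x00" * 4:
                continue
            prev = seen.get(ip)
            if prev and prev[0] != mac:
                warnings.append((num, socket.inet_ntoa(ip), mac_str(mac),
                                 mac_str(prev[0]), prev[1]))
            seen[ip] = (mac, num)
    return warnings

# Constructed sample mirroring frames 211/212 and 527/528 from the report.
GW = ("00:00:5e:00:53:01", "10.29.153.1")  # constructed peer host
A, B, IP = "00:18:fe:89:fc:5f", "00:18:fe:89:fc:60", "10.29.153.85"
SAMPLE = [
    (211, build_arp(2, GW[0], GW[1], A, IP)),
    (212, build_arp(1, B, IP, "00:00:00:00:00:00", GW[1])),
    (527, build_arp(2, GW[0], GW[1], A, IP)),
    (528, build_arp(1, B, IP, "00:00:00:00:00:00", GW[1])),
]
```

With this rule frames 212, 527 and 528 are all flagged, because each one rebinds 10.29.153.85 to a different MAC than the frame before it.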