This is our old Q&A Site. Please post any new questions and answers at

Hi All,

I am not too familiar with understanding wireshark logs, but have tried to diagnose a recent network connectivity issue that is crippling our speeds.

I have been reading up on issues around the large amount of duplicate IP and ARP transactions, with a lot of resources saying its related to an ARP Spoofing attack. Would someone with a bit more experience on the matter be able to let me know if thats the case?

Here is the dump:

I really appreciate the support, thanks!

asked 05 Aug '15, 18:23

danr's gravatar image

accept rate: 0%

It looks indeed a little bit strange. There is a suspicious system in your trace, at least from my point of view.

The IP is with the Mac 00:04:23:e1:2F:77 It sends always a an direct ARP Answer to all the devices and it als o sends constantly DHCP ACKs. This makes the system supsicious. There is another MAC the 00:04.23:e1:2f:76 with the IP Address

If I were you, I would investigate this behaviour. But maybe it is just a new art of ARP and teaming implementation?

permanent link

answered 05 Aug '15, 21:47

Christian_R's gravatar image

accept rate: 16%

edited 05 Aug '15, 22:19

Thank you for your input Christian.

(05 Aug '15, 22:04) danr

But it has an FCS checksum of 0x0 so it be the system with the trace. Oh and I oversaw, that he is maybe the real DHCP server.

(05 Aug '15, 22:23) Christian_R

Correct, both MAC's are the adapters on the DHCP. Which I wasn't aware of at the time.

(06 Aug '15, 16:30) danr
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 05 Aug '15, 18:23

question was seen: 1,063 times

last updated: 06 Aug '15, 16:30

p​o​w​e​r​e​d by O​S​Q​A