This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Finding duplicate IP addresses

0

The link https://www.safaribooksonline.com/library/view/packet-analysis-with/9781785887819/ch07s04.html states that you can use the arp.duplicate-address-frame Wireshark filter to display duplicate IP information frames. It goes on to say that you open the ARP_Duplicate_IP.pcap file and apply the arp.duplicate-address-frame filter. After installing Wireshark I do not see any pcap files on the installed PC and do not see any arp.duplicate filters. What am I missing? Also, if there is another way to find duplicate IP addresses, please provide step-by-step directions. I'm new to Wireshark.

asked 31 Jan '17, 07:22

Willie%20T's gravatar image

Willie T
6112
accept rate: 0%


One Answer:

0

This is a snapshot of part of the book, which (assumed) also provides the referenced capture files. These do not come with a Wireshark installation.

The arp.duplicate-address-frame display filter can indeed be used to filter ARP packets which cause this field to be generated. It can be found in this list.

answered 31 Jan '17, 08:03

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

I had seen that web page and the line with arp.duplicate-address-frame. However, in Wireshark I could not figure out how to reference arp.duplicatate-address-frame as a filter. When I click on the drop down for the capture filters, the only ones that I see related to arp are "No ARP: not arp" and "No ARP and no DNS:not arp and !(udp.port == 53)". I did install WinPcap. Guess I must be missing something.

(31 Jan '17, 10:46) Willie T