How to determine if there is an IP conflict? Just capture a packet

Today I will share the basic knowledge of Layer 2 loops.

The harm of IP conflict
The following topology:

This is a very typical scenario. Whether you work in networking, low-voltage (weak-current) systems, or operations and maintenance, you will know that there are two types of IP conflicts:

A device in the network has an IP conflict with the gateway: the impact is severe, and all terminals will be unable to access the Internet normally.
Devices and terminals in the network have an IP conflict with each other: the conflicting devices have abnormal network connectivity.
The principle of network abnormalities caused by IP conflicts



Gateway IP conflict:

All terminals that access the Internet will learn the wrong ARP entry for the gateway. For example, in the above topology, every intranet device may learn PC3 as its gateway ARP entry, so Internet-bound packets are handed to PC3 and Internet access becomes abnormal.

Terminal IP conflict:

When other terminals access a certain IP, they learn the ARP entry of an unexpected device (for example, they access PC1 but the ARP table actually learns PC2), so traffic goes to the wrong target.
Similarly, the egress gateway also learns the wrong ARP entry for the conflicting device. Packets originally intended for PC1 are mistakenly delivered to PC2, so the legitimate terminal's Internet access becomes abnormal.
How to confirm the existence of IP conflict
Because ARP requests and gratuitous ARP are broadcast packets, you can plug a PC into any switch port in the same LAN and open the packet capture tool Wireshark to capture them:
For example, after a simple five-minute capture, apply the display filter "arp". You will see the description "Duplicate IP address configured (X.X.X.X)", which means that a conflict was detected for IP address X.X.X.X. Wireshark produces this analysis directly:

Then compare the source MAC, and you can find out which terminals have the same IP address:
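The same source-MAC comparison can be scripted. The following is an added example, not code from the original article: it parses raw Ethernet ARP frames and lists every sender IP claimed by more than one MAC. The helper names, MAC addresses and 192.168.1.x addresses are constructed sample data.

```python
import struct
from collections import defaultdict

def parse_arp(frame: bytes):
    """Return (sender_mac, sender_ip) from an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # too short or EtherType is not ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa = frame[22:28], frame[28:32]
    if spa == bytes(4):          # ARP probe (sender IP 0.0.0.0) claims no address yet
        return None
    return sha.hex(":"), ".".join(str(b) for b in spa)

def find_conflicts(frames):
    """Map each sender IP to the MACs that claimed it; keep IPs with more than one MAC."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            mac, ip = parsed
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

def build_arp(oper, sha, spa, tha, tpa):
    """Build one ARP frame for the constructed sample below (1 = request, 2 = reply)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    dst = b"\xff" * 6 if oper == 1 else mac(tha)       # requests are broadcast
    return (dst + mac(sha) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

ZERO = "00:00:00:00:00:00"
# Constructed capture: the gateway and PC3 both claim 192.168.1.1; PC1 is normal.
SAMPLE_FRAMES = [
    build_arp(1, "02:00:00:00:00:01", "192.168.1.1", ZERO, "192.168.1.1"),   # gateway gratuitous ARP
    build_arp(1, "02:00:00:00:00:10", "192.168.1.10", ZERO, "192.168.1.1"),  # PC1 asks for gateway
    build_arp(2, "02:00:00:00:00:01", "192.168.1.1", "02:00:00:00:00:10", "192.168.1.10"),
    build_arp(2, "02:00:00:00:00:03", "192.168.1.1", "02:00:00:00:00:10", "192.168.1.10"),  # PC3 also answers
    build_arp(1, "02:00:00:00:00:20", "0.0.0.0", ZERO, "192.168.1.20"),      # ARP probe, ignored
]

if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_FRAMES).items():
        print(f"Duplicate IP {ip}: claimed by {', '.join(macs)}")
```

An IP that legitimately moves between MACs (for example during a gateway redundancy failover) is also reported, so check each hit against the topology before treating it as a conflict.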

Other methods
Packet capture analysis examines the data packets at the source, and it is not complicated at all. The commands on Huawei/H3C/Ruijie and other equipment also just collect packets and then summarize and display the result for you, but in many scenarios you may be stuck because the device does not support the feature or you have no operating permission. It is better to rely on yourself than on the device.

There are also some small tools, such as ARP scanners, which often require multiple scans and recording the corresponding MAC and IP pairs to find every conflict. I personally think it is quite troublesome.