Duplicate IP Address Scanning

Duplicate IP addresses sometimes occur on an IPv4 network subnet if a device is added that already has a static IP address assigned to it. Operating systems like Windows can detect this, but this detection normally happens when the OS is starting up. If a duplicate occurs, ARP reply packets return to a sender (who send ARP discovery) from two sources, both with the same IP but with different MAC addresses. We have a tool in NetScanTools Pro that can scan your whole subnet and look for duplicate IP responses. It will show the MAC address, Interface Manufacturer and Hostname of the duplicate devices.

Here is an example of what happens when a duplicate is found:

Demonstration Video:



This tool is quick and easy to use, you simply enter the IP address range, select the WinPcap compatible interface that is found in the IP address range and start it. If you have a large range like a 10.x.x.x, it may take a long time to complete and I would suggest breaking the range up into ranges where you know devices exist.

To learn more about the Duplicate IP Address Scanner tool and to download a demo with this tool fully active, please visit this page NetScanTools.com

How to use ARP Ping to Detect Duplicate IP Addresses

Update January 2014: there is a dedicated Duplicate IP Address Scanning Tool in NetScanTools Pro.

I've mentioned before how due to past problems with online games sites I have my son use a Linux distribution called Knoppix 6.0.1 that runs from a CD inside a Microsoft Virtual PC 2007 virtual machine. Well due to a problem with a DHCP server, I found that Knoppix was taking the same IP address as an HP Laser Printer. I had been having trouble with the printer on the weekend - it decided on it's own to change it's fixed IP address.

So I decided to use the situation as a real world demonstration of how to find a duplicate IP address. This can be done from NetScanTools Pro using the ARP Ping Tool. Since I had my suspicions about the printer, I used the printer IP. The video shows the results quite clearly.

http://www.netscantools.com/videos/duplicateipdetect/duplicateipdetect.html

In NetScanTools Pro v11 we will be introducing a tool to scan the whole subnet for duplicate IPs, not just one at a time.

New Freeware Tool and other ramblings

It's Friday. Finally. It's been a difficult couple of weeks watching the market news and Congress try to bailout Wall Street and fix the credit crisis. Funny, but they never talk about bailing out small businesses...

I saw the BLS summary of the unemployment report for September and I can directly attest to things I saw in it: every time we send out a newsletter announcement or a new program version announcement we see new bounces. Some of those may be due changes in server level email filtering, but I think more and more of them are people who have lost their jobs. In fact some of them are long time users of our software which is even more disturbing.

Speaking of the newsletter, we are sending it out once a month. Usually during the third week of the month. If you are on our list (or you think you are on it), please whitelist email from netscantools.com both on your workstation or laptop AND on your email server. We know that the word "netscantools" sometimes triggers spam filters, so please whitelist us if you want email from us. In case you missed one, the newsletter archive here.

Back to reality.

On October 1, I released a little tool as freeware that I originally made a couple years ago. This tool takes as input an IPv4 address of a device on your local subnet, then when you press the Get MAC Address button, it uses ARP to get the MAC address of the device. If the device is on and it can communicate over the network, it must respond. It must respond even if it is protected by a firewall like Windows Firewall. So it can't hide. Since ARP packets are not routed, you cannot use it to get the MAC address of some computer halfway around the world. The tool does this one IP at a time and it only works on your local subnet. If you need to scan a whole subnet with ARP to find every active device, we have that in NetScanTools Pro.

The freeware tool is called IPtoMAC and it runs on Windows Vista/2003/XP/2000 (it is codesigned for your protection) and you can download it here. It was also my first serious use of the new Visual Studio 2008 VC++ compiler. More on the new compiler in another post.

ARP Ping

Here is a topic ripped from our September 2008 newletter.

The most popular search term bringing people to our website is ARP Ping. What does ARP Ping do?

If you have the purchased or even the demo version of NetScanTools Pro, you can access the tool by selecting Tools/ARP Ping. Once there, you can see that it has three options or modes. The first two are for sending an ARP Ping and the third is for searching for duplicate IP addresses. Let’s concentrate on ARP Ping first and learn what ARP Ping does and does not do.

ARP request packets are fairly simple in construction. In Ethernet networks, ARP is used to obtain the MAC address of the target given the target IP address. Our ARP packets contain the required target IP address. The broadcast MAC address is placed in the target MAC field. The Interface IP and MAC address are used in the packet to identify to the target device the sender of the ARP packet. When the target device with the IP address identified in the ARP request packet sees the ARP request packet, it fills in the target interface MAC address and sends an ARP reply packet back to the sender. The target IP is a requirement because the receiver will not reply unless it sees its own IP address in the packet. In our implementation, the act of sending an ARP request and receiving a reply is known as an ARP Ping and the timing of the packets gives us the Response Time. The timing is similar to what you would see with a command line PING, ie. packet round-trip-time milliseconds.

What about the broadcast and unicast options? The broadcast option means all ARP request packets we send are to the broadcast MAC address. The unicast option means the first packet uses the broadcast MAC address and all subsequent packets use the discovered MAC address of the target.

Can you input a target MAC address with the IP address blank in order to find the target’s IP address? No, because the ARP protocol does not work that way. If you were to send such a packet, it will not be responded to by any device because the IP address in the packet does not match the IP address of any receiving device.

Can you use this tool to get the MAC address of a device NOT on the same subnet as the computer running NetScanTools Pro? No, because none of the devices on the subnet will not recognize the target IP address and they will not respond. EXCEPT if the router that accepts packets destined for locations outside the subnet is set up to do proxy ARP. If so, it will see that the target IP is not within the subnet and respond to you with the MAC address of the router interface on your side of the subnet.

For more information on how ARP works, see RFC 826.

How to use the ARP Ping tool to search for duplicate IP addresses. A variation on ARP is to use it to detect duplicate IP addresses by the method outlined in RFC 5227. To do this you first select Search for Duplicate IP Addresses, then you select the source IP address to place in the ARP request packet (0.0.0.0 is preferred in the RFC, but we also provide an option for placing the Interface IP in there instead), then you enter the target IP address and press Send ARP. The target IP address is the one you want to find duplicates for. All devices using that IP address will respond to your request along with their MAC address and they will be shown in the results grid.

That's a taste of some of the tips and explanations you will be seeing in this blog. It might bore you if you haven't got the faintest idea what I'm talking about...but enough people have wanted to know about ARP Ping for us to talk about it in more detail.

By the way, did you know I own four miniature herefords?