Home / ubuntu / Questions / 54580
Accepted
karthick87
Asked: 2011-07-27 06:49:56 +0800 CST

How to identify and rectify IP address conflicts in Ubuntu?

  • 772

We have more than 500 machines running Ubuntu. I have noticed that many machines have IP address conflicts. Is it possible to identify IP address conflicts in Ubuntu?

  • See the output here.
  • What does it mean actually? I get same MAC address for all the IP addresses?
ip-address

3 Answers

  1. Best Answer

    You can find them with arp-scan:

    sudo apt-get install arp-scan

    sudo arp-scan -I eth0 -l will show IP addresses, MAC address and manufacturer of the NIC and the line in the output that is a duplicate also identifies itself with a (DUP: 2) (where 2 is the second time this IP address is found for eth0.

    Some possible options to make the search more specific:

    • Specify a list of IP addresses as arguments: sudo arp-scan -I eth0 192.168.1.1 192.168.1.2 192.168.1.3
    • Specify network/bits: sudo arp-scan -I eth0 192.168.1.0/24
    • Specify network:netmask: sudo arp-scan -I eth0 192.168.1.0:255.255.255.0
    • Specify address range: sudo arp-scan -I eth0 192.168.1.3-192.168.1.27
    • Read a list of IP addresses from a file: sudo arp-scan -I eth0 --file=ip-address-list.txt
    • sudo arp-fingerprint -o "--interface=eth0 --numeric" 192.168.1.111 displays the IP address, the binary fingerprint string, and a list of known systems that match this fingerprint: 192.168.1.111 01000100000 Linux 2.2, 2.4, 2.6

    You can add |grep {part.of.ip.address} to limit the output (do not use wildcards but regular expressions if you need more exotic combinations).

    • 30

  2. In addition to arp-scan, the daemon ipwatchd may be useful in some circumstances and is worth mentioning on this question for others coming here via search.

    IPwatchD is a simple daemon that analyses all incoming ARP packets in order to detect IP conflicts.

    It can be configured to run a user script when conflicts are detected too.

    arp-scan is able to detect conflict across an entire network. ipwatchd detects when the hosts's IP address is use elsewhere as well.

    As an aside, ARP is useful for this task as uses broadcast traffic which is sent to all hosts, whereas much other traffic is routed only to intended recipients (at the MAC level.)

    • 2

  3. Okay, this is quite far off the Ubuntu topic, but based on your paste I'd say you need to have a look at your network config. I know on the Cisco platform you can implement HSRP to have redundant layer 3 interfaces. Should one switch fail for a particular vlan the other will become the standin. Seeing the same mac for more than two IP addresses does look odd, but very well may be a symptom of your network's implementation and configuration--regardless of whether the config is correct or not. Just a red flag to me to see that many.

    The vendor portion of the mac points right at Cisco Systems so those IP addresses are likely infrastructure and not Ubuntu boxes

     00-00-0C   (hex)        CISCO SYSTEMS, INC.
 00000C     (base 16)    CISCO SYSTEMS, INC.
                         170 WEST TASMAN DRIVE
                         SAN JOSE CA 95134-1706
                         UNITED STATES

    Have you considered that static IPs are being used inside a DHCP scope without reservations or broken up range statements in dhcpd? Hope that helps.

    • 0