| Help identifying duplicated IP address Hi.
Is there a tool or trick to identify duplicated IPs on your network? I'm having an issue on a tower with a dupilcate IP address. I don't know what might be causing the problem, we're very careful assigning address to our equipments (clients and ours)...
I was able to isolate a tower where the problem is happening, I'm suspecting someone is hacking that tower and is assigning a duplicate ip. I only have 12 clients on that smaller tower with a bullet installed.
I can't access any equipment on the tower to check if something weird is going on.
Please help.
Thanks. |
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | For one of us to drive to your tower and replace the bullet would prolly not be cost effective. You should do it yourself.
--
I feel more like I do now than when I first got here. |
|
| Obviously I'm going to do it myself.
I'm asking for some guidance on how to discover the problem. I've tried different things and can't hit with the duplicated ip address.
Thanks for your input. |
|
| what have you tried? |
|
| I've tried using arp on Win XP and on Linux, tcpdump. I asked the clients on that tower to turn off their NS loco/ NS2 and did an ip trace and couldn't find anything at that time; that's why I'm suspecting an intrusion. |
|
LLigetfa
join:2006-05-15
Fort Frances, ON
kudos:1 | do you have a syslog server? Any router worth its salt should log duplicate IP or ARP moves. Alternately, you could use a program that tracks ARPs/MACs.
--
Strange as it seems, no amount of learning can cure stupidity, and formal education positively fortifies it. -- Stephen Vizinczey |
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | reply to landysaccoun
said by landysaccoun:I'm asking for some guidance on how to discover the problem. Dis-connect the bullet that you think is duplicated with another device.
Connect your laptop and ping that IP address. If you get responses then you have a duplicate IP and that rogue device's host name should be displayed with the ping results.
You may also find this utility helpful in the future when somebody guesses your password and changes your addresses ;
»www.angryip.org/w/Home
--
I feel more like I do now than when I first got here. |
|
| reply to landysaccoun
So you don't have a box where you can access the wireless equipment (AP/SM)?
What issues is this causing? If its a duplicate IP address it should only be effecting 1 customer and the "intruder" - which I doubt there is. If the intruder is smart enough to get onto your network they could probably figure out how to not use a duplicate address.
Is a problem with a public or private IP address? |
|
| reply to landysaccoun
The weird thing is that is causing problems to the whole network. I get a message saying there is a duplicate ip on the network. I change my laptop's ip to a different one and still get the same message.
There are also two nanobridge m5 doing the ptp connection. I think one of these ip is being used since when I get the message on the laptop I can't access or view (with ubnt discover too) any devices on the remote tower.
Right now everything is working fine but, I'm really puzzled. |
|
|
|
SipSizzurpFo' ShizzlePremium
join:2005-12-28
Houston, TX
kudos:4 | said by landysaccoun:There are also two nanobridge m5 doing the ptp connection. I think one of these ip is being used since when I get the message on the laptop I can't access or view (with ubnt discover too) any devices on the remote tower. If you change the IP on the tower that you can get to then that would solve any duplicate problem. Then you can ping the original address. Even if the rogue device is programmed not to answer pings, from a command window run ;
c: arp -a
That will show the MAC address of any device located at that address.
--
I feel more like I do now than when I first got here. |
|
| reply to landysaccoun
i just saw something like this on my network. Situation, 2 neighbours at the lake, both have ubnt routers which is the key here. #1's radio went down. What i did was, got into router 2, turned it into a client, bridged it to router 1, bridged router 1 which gave me access to the radio, got it up and running. Well what that caused was a network loop. I reversed everything but it took some time because of the loop and the problems they cause. One of the things i saw was the "IP conflict" you are talking about. It also took down the rest of the network.
Sounds like it could be similar? |
|
 superdogI Need A DrinkPremium,MVM
join:2001-07-13
Lebanon, PA | reply to landysaccoun
Another thing that happened to me one time was a UBNT device had "auto IP aliasing" turned on and when I went into the box to look at it, there was an IP in the box that was a duplicate of another IP on my network.
Just check all of your UBNT devices and see if any of them have the box checked?
--
»www.wavecrazy.net
|
|
Chele
join:2003-07-23
kudos:1 | reply to landysaccoun
Ladysaccoun
We had an identical situation to yours. It ended up being our router's NIC was acting up. We also had where customers' IPs were "blacklisted" and were denied internet access. This took weeks for us to find as the events were very sporadic. |
|
| reply to prairiesky
All our ubnt devices are in router mode with ip aliasing turned off. But, prairiesky's post sounds very similar to our problem.
I disabled a suspected client's device from associating to our ap and so far things are ok but, things were ok for a couple of days back and it starting acting up again yesterday... |
|
 TomS_Git-r-donePremium,MVM
join:2002-07-19
London, UK
kudos:4 | reply to landysaccoun
Where are you seeing the duplicate IP errors? On your PC?
Sounds similar to an issue we had. The broadband routers we used at customer premises was somehow bridging, despite being configured as a router.
Consequently, a lot of customers received pop ups on their PCs saying there was a duplicate IP on their network, and in the worst case you could see other custs computers on the network - all despite being behind "routers" and being in different locations, some connected to different towers.
Not sure if this issue was resolved, but I really dont think highly of that particular brand, and never really did. I was never able to reproduce it in a lab environment, it only ever happened in the wild which made it very difficult to troubleshoot. |
|
| reply to landysaccoun
If all of your radio's are in router mode, then this should happen at all. Where are you hooking up your laptop to? And if you are within a routed block or between two routers, that is where this problem lies on that subnet (or should)
The only other issue could be if you are using some kind of dynamic routing, and you have the same subnets assigned at multiple places. Dynamic routing will "go around" the routing and "see" those duplicate subnets causing ALL kids of goofy crap. Some routers will go around NAT also. It's a linux thing that shouldn't even happen, but it does.
Def get ride of that UBNT auto alias garbage, on EVERY RADIO. Discovery tool only works within a bridged network. So how is that working, or why try, if you have all the radio's in router mode to begin with??
--
»www.wirelessdatanet.net |
|
| The simplest way to find it is simply put a Windows 7 computer on the network. When the IP address conflict pops up, look under event viewer/system and the MAC address of the device will be there. |
|
 vipermCarpe DiemPremium
join:2002-07-09
Winchester, CA | reply to landysaccoun
What router do you have at the tower if it was a mikrotik it would be fairly easy to identify and figure out.. |
|
| reply to rconaway8
I guess I'll do that. |
|
| reply to viperm
I don't have a mikrotik on that tower as AP but, have mikrotik doing ptp to it (I not nanobridge m5 as I stated before). |
|
