Detecting IP address conflicts and resolving methods under Linux

Detecting IP address conflicts and resolving methods under Linux

Problem Description:
A Linux system (IP:192.168.9.120) was installed on a physical machine A in the company's office network, and a JENKINS,REDMINE,SVN program was deployed on it. Because it is inside the office network, this machine and colleague computer are all in the same network segment.
Suddenly one day the problem comes out: Some colleagues remote SSH login not on this Linux system machine, JENKINS/REDMINE/SVN also landing, other part of colleagues can be normal use.

Later discovered, because this Linux machine's IP is occupied by people,IP address conflict caused!!

Here's how to check if an IP address is conflicting:
---------------------------------------------------
The first method ( arping ):

You only need to execute the following command on Linux machine B (for example: 129.168.9.200) on another same network segment (you cannot verify your IP on the native arping):

You only need to execute the following command on Linux machine B (for example: 129.168.9.200) on another same network segment (you cannot verify your IP on the native arping):
[Email protected] ~]# arping 192.168.9.120
ARPING 192.168.1.120 from 192.168.9.200 eth0
Unicast reply from 192.168.9.120 [40:F4:EC:76:79:C2] 3.084ms
Unicast reply from 192.168.9.120 [50:7b:9d:25:29:59] 0.817ms
Unicast reply from 192.168.9.120 [50:7b:9d:25:29:59] 0.810ms

........

If only one MAC address is checked, it means that the ip:192.168.9.120 of a machine within the network is unique

If you have the above information to identify two MAC addresses, then the network has a MAC address of 40:F4:EC:76:79:C2 host IP address is the same as a machine.

We can use the LAN scanning software to find a host with a MAC address of 40:F4:EC:76:79:C2 and isolate or replace the IP address.
[[email protected] ~]# ifconfig
eth0 Link encap:ethernet hwaddr 50:7b:9d:25:29:59 
inet addr:192.168.9.120 bcast:192.168.9.255 mask:255.255.255.0
Inet6 addr:fe80::527b:9dff:fe25:2959/64 Scope:Link
Up broadcast RUNNING multicast mtu:1500 metric:1
RX packets:573710854 errors:0 dropped:0 overruns:0 frame:0
TX packets:849943293 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000 
RX bytes : 58543890628 (54.5 GiB) TX bytes:1248037935176 (1.1 TiB)

Lo Link encap:local Loopback
inet addr:127.0.0.1 mask:255.0.0.0
Inet6 addr::: 1/128 scope:host
Up LOOPBACK RUNNING mtu:16436 metric:1
RX packets:17370722 errors:0 dropped:0 overruns:0 frame:0
TX packets:17370722 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:65642509325 (61.1 Gib) TX bytes:65642509325 (61.1 Gib)

---------------------------------------------------------
Test principle:
The arping command sends the ARP packets at the broadcast address, and all hosts in the Ethernet receive this arppackets, but the machine does not reply any information after it is received.
When we execute the following command on the Linux host side:
Arping 192.168.9.120
Eth0 is used by default to send one to all hosts in the LAN:
who has 192.168.9.120 ARP Request,tell 192.168.9.120 yourmac address,

When this ARP packets is received by this Windows host side, it will answer:
"I am 192.168.9.120, Mac is 00:25:e4:6a:4b:f4", so we will receive reply information for the Windows host with MAC address 00:25:e4:6a:4b:f4.
---------------------------------------------------------

---------------------------------------------------------
The second method ( Arp-scan )

Arp-scan This tool sends ARP (address Resolutionprotocol) packets to collect addresses on the local network. If there are multiple MAC addresses claiming to have the same IP address, there is a conflict here.

First install the Arp-scan and enter:
[email protected] ~]# Yum install-y arp-scan
------------------------------------
If the error says there is no this package, you need to install the Epel software warehouse in advance
CENTOS5 64-bit:
rpm-ivhhttp://dl.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

CENTOS6 64-bit:
rpm-ivhhttp://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

CENTOS6 64-bit:
Yum install-yhttp://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-8.noarch.rpm
------------------------------------

To detect an IP conflict, run the following command:

[[email protected] ~]# arp-scan-l
Interface:eth0, Datalink type:en10mb (Ethernet)
Starting Arp-scan 1.9.2 with the (http://www.nta-monitor.com/tools-resources/security-tools/arp-scan/)
192.168.9.1 00:25:b3:f9:16:3e Hewlett Packard
192.168.9.2 30:8d:99:ab:42:40 Hewlett Packard
192.168.9.4 24:26:42:a6:81:f9 Sharp Corporation.
192.168.9.7 f4:ce:46:3e:15:d6 Hewlett Packard
192.168.9.8 08:2e:5f:bd:0f:43 Hewlett Packard
192.168.9.9 00:21:5a:84:9d:0c Hewlett Packard
....... .....
....... .....
192.168.9.119 68:f7:28:d5:d4:26 LCFC (Hefei) Electronics Technology Co., Ltd
192.168.9.120  50:7b : 9d:25:29:59  LCFC (Hefei) Electronics Technology Co., Ltd.
192.168.9.120  40:f4:ec : 76:79:c2  VMware, Inc. (dup:2)
192.168.9.121 00:23:24:9b:09:89 g-pro computer
192.168.9.122 B8 : 88:e3:35:8e:74 COMPAL information (Kunshan) CO., Ltd.
..... .....
.........

Packets received by filter, 0 packets dropped by kernel
Ending Arp-scan 1.9.2:256 hosts scanned in 2.257 seconds (113.42 hosts/sec). responded

The above information indicates: 192.168.9.120 this IP conflict, because it appeared two times, and knew this IP was VMware the virtual machine is occupied.
need to find the use of this IP the machine, will it IP you can change it!

1) "arp-scan-l" command means to view the IP usage of all machines in the same LAN as the native
2) "arp-scan–i eth0-l" command means to view IP usage of eth0 NIC for all hosts in the same LAN as the native

--------------------------------------------------------
Windows Use this machine "Arp-a" command to see if there are any IP Conflict:

If two IP is detected, the IP conflict is indicated.

Detecting IP address conflicts and resolving methods under Linux