IP address conflict – Source device identification

An IP (Internet Protocol) address conflict occurs when two different devices on a local network use the same IP address. It can happen because of a mistake by an engineer or because of a rogue DHCP server. When an IP conflict hits a critical device, we want to find the other device within a few minutes, but in large networks it is difficult to locate the device that holds the same IP address. Here I explain some methods for finding the source of an IP conflict.

Error :  “ip address conflict with another system on the network”

Even if this is not a 100% solution, it may help you find some identifying parameters of the source device.

 

 

1, Disable the network connection of the original device

The first thing I recommend is to disable the network connection of the original device. This avoids confusion between the original device and the new device. Do the rest of the testing from a third person’s PC.

 

2, Ping the IP address and find the TTL value

[Figure: ping]

This will give you an idea of the OS or device type. For example, if the reply has TTL 128 it may be a Windows PC, and if it is 64 it may be a Linux OS (or a Linux-based box).

See the list of “Default Time To Live (TTL) values”.

(Some devices and software firewalls disable ICMP. In that case, don’t assume the device is down; try a port scan.)
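The TTL check above as a small script (an added example, not part of the original post). It rounds the observed TTL up to the nearest common initial value, because every router on the path decrements it; the 255 entry and the sample output are assumptions constructed for illustration.

```python
import re

# 128 (Windows) and 64 (Linux) are the defaults named in the text; 255 is an
# added assumption that covers much router and switch firmware.
INITIAL_TTLS = {
    64: "Linux or Linux-based box",
    128: "Windows PC",
    255: "network equipment (assumed default)",
}
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)


def guess_from_ttl(observed):
    """Return (initial_ttl, hops_away, guess) for one observed TTL."""
    # Each router on the path decrements the TTL, so round up to the
    # nearest common initial value instead of matching exactly.
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed, INITIAL_TTLS[initial]
    raise ValueError(f"TTL out of range: {observed}")


def analyse_ping(output):
    """Summarise the distinct TTLs found in ping output (Windows or Linux)."""
    ttls = sorted({int(t) for t in TTL_RE.findall(output)})
    if not ttls:
        # ICMP may be filtered; no reply does not prove the host is down.
        return {"status": "no reply, try a port scan", "devices": []}
    devices = [guess_from_ttl(t) for t in ttls]
    if len({d[0] for d in devices}) > 1:
        status = "mixed TTL families, two devices may be answering"
    else:
        status = "single TTL family"
    return {"status": status, "devices": devices}


# Constructed sample output in Windows ping format, not a real capture.
SAMPLE_MIXED = """\
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Reply from 192.168.0.1: bytes=32 time=2ms TTL=64
Request timed out.
"""

if __name__ == "__main__":
    print(analyse_ping(SAMPLE_MIXED))
```

A TTL guess is only a hint: the default can be changed on any OS, so confirm it with the MAC address and port checks that follow.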

 

 

3, Find the manufacturer from MAC address.

[Figure: MAC address]

You can find the MAC address of the device with any scanning tool, such as Nmap (see the figure above). You can also find the source MAC address in the Windows Event Viewer: check the Event Viewer of the affected system (Windows).

[Figure: IP conflict MAC address]

A MAC address is a unique address for every network device. We can identify the manufacturer of the device from the MAC address: the first three sets (6 digits) are known as the OUI (Organizationally Unique Identifier).

E.g. MAC address 00-00-0C-11-22-33

In this MAC address the first three sets are “00-00-0C”, which belongs to CISCO SYSTEMS.

Here are lists of OUIs with their manufacturers:

http://standards.ieee.org/regauth/oui/oui.txt

http://anonsvn.wireshark.org/wireshark/trunk/manuf

http://www.coffer.com/mac_find/
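The OUI lookup described above, as an added example that is not part of the original post. It parses lines in the "(hex)" layout of the IEEE oui.txt file and also checks the locally administered bit, since a randomised, VM-assigned or manually set MAC has no registered vendor; the two-line table is a constructed excerpt.

```python
import re

# Constructed excerpt in the layout of the "(hex)" lines of IEEE oui.txt.
# 00-00-0C is the example from the text; 00-50-56 is added for illustration.
OUI_TXT = (
    "00-00-0C   (hex)\t\tCisco Systems, Inc\n"
    "00-50-56   (hex)\t\tVMware, Inc.\n"
)
HEX_LINE = re.compile(
    r"^\s*((?:[0-9A-F]{2}-){2}[0-9A-F]{2})\s+\(hex\)\s+(.+)$", re.IGNORECASE)


def load_oui(text):
    """Build {'00000C': 'vendor'} from oui.txt-style '(hex)' lines."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            table[m.group(1).replace("-", "").upper()] = m.group(2).strip()
    return table


def normalize_mac(mac):
    """Accept 00-00-0C-11-22-33, 00:00:0c:11:22:33 or 0000.0c11.2233."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def identify(mac, table):
    """Return the OUI, the locally-administered flag and the vendor (if any)."""
    digits = normalize_mac(mac)
    # Bit 0x02 of the first octet marks a locally administered address.
    local = bool(int(digits[:2], 16) & 0x02)
    vendor = None if local else table.get(digits[:6], "unknown OUI")
    return {"oui": digits[:6], "locally_administered": local, "vendor": vendor}


if __name__ == "__main__":
    oui_table = load_oui(OUI_TXT)
    for sample in ("00-00-0C-11-22-33", "02:00:0c:11:22:33"):
        print(sample, identify(sample, oui_table))
```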

 

 

 

 

4, Scan for open ports

By scanning for open ports, you can identify the services running on that box.

See the image above: SSH, HTTP and HTTPS are open there.

 

5, Open the IP address in a browser if port 80 is open (http://192.168.0.1)

Most devices such as Wi-Fi routers, network printers, firewalls and storage appliances have a web-based interface. This will give you additional information about the box.

 

6, Search for shared folders

You will get some important folder names if it is a file server or a desktop with file sharing enabled.

You can identify the Windows username if you can access \\ipaddress\c$\Documents and Settings

 

7, Find the hostname from the IP address

Use “ping -a” to resolve the hostname. Hostnames can give a better identification.

 

8, Find the switch port from the MAC address table

[Figure: show mac table cisco]

Log in to your switch and search for the MAC address of the device. From there you can find which port is physically connected to that device.

This will give an idea of the physical location.

Command: # show mac address-table

Use the “i” (include) filter to show only the specific MAC address.
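The switch-port lookup from step 8 as a script (an added example, not part of the original post). It converts the MAC to the dotted form the switch prints, finds the port, and flags ports that have learned several MACs, which usually lead to another switch rather than to the device itself; the table text is constructed and `uplink_threshold` is a hypothetical tuning value.

```python
import re
from collections import Counter

# Constructed sample in the usual Cisco IOS "show mac address-table" layout.
# Use the unfiltered table: after an include filter the per-port counts are lost.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c11.2233    DYNAMIC     Gi0/5
  10    0050.5612.3456    DYNAMIC     Gi0/24
  10    0050.56aa.bbcc    DYNAMIC     Gi0/24
  20    0050.56dd.eeff    DYNAMIC     Gi0/24
"""
ROW_RE = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE)


def to_cisco(mac):
    """Convert 00-00-0C-11-22-33 or 00:00:0c:11:22:33 to 0000.0c11.2233."""
    digits = re.sub(r"[-:.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def locate(mac, table_output, uplink_threshold=2):
    """Return the VLAN/port entries for mac, with an uplink hint per port."""
    rows = [m.groups() for m in map(ROW_RE.match, table_output.splitlines()) if m]
    macs_per_port = Counter(port for _, _, _, port in rows)
    wanted = to_cisco(mac)
    hits = []
    for vlan, learned, _entry_type, port in rows:
        if learned.lower() == wanted:
            count = macs_per_port[port]
            # Many MACs on one port means the device is behind another
            # switch; repeat the lookup on that downstream switch.
            hits.append({"vlan": int(vlan), "port": port, "macs_on_port": count,
                         "likely_uplink": count > uplink_threshold})
    return hits


if __name__ == "__main__":
    print(locate("00-00-0C-11-22-33", SAMPLE_TABLE))
    print(locate("00:50:56:12:34:56", SAMPLE_TABLE))
```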

About Albin Sebastian

I am a Technology Blogger, System Administrator by profession and webmaster by passion. Technology blogger, Active in Online and offline tech communities.


Comments

  1. Love this post! Thanks for this. I’ll be sure to come back again. I’ve bookmarked your site as well.

  2. I have an issue. I have a static IP address that was assigned to Windows Server 2008. This server was then shut down and reinstalled with the Windows 2003 version. All partitions were formatted before the reinstall.
    When I tried to use the IP again, it said that it’s already in use on the network.
    I have also removed the information from the DNS and tried again, but it failed.
    I tried to ping the IP and it timed out.
    How could I find and release the IP address, which now seems to be invisible?

  3. Hi @steven
    This can happen due to the following:
    If the same computer was configured with a new adapter without properly removing the hardware (network cards / motherboard), the configuration will remain.
    Or
    There may be a device with the same IP on the network. (You won’t get a ping reply if ICMP is blocked on the device; you can check it with a port scanner.)
    Also clear the ARP table of the LAN switch.
    If the problem is not rectified, find the packets using a packet analyzer like Ethereal.
    When you assign an IP address to the Windows server, it sends an ARP broadcast to check whether the IP address is in use on the network. You can see the reply source (MAC also). Find the device with that MAC address.