ARP Duplicate IP Address Conflict PCAP Analysis: Finding Gratuitous ARP, MAC Changes, and Gateway Confusion
How to diagnose duplicate IP address conflicts, ARP storms, gratuitous ARP, wrong MAC mappings, gateway confusion, and intermittent LAN failures in packet captures.
Duplicate IP conflicts create intermittent failures that look random. A device works, then drops. The gateway MAC changes. A service is reachable from one host but not another. Users search for "ARP duplicate IP pcap", "gratuitous ARP conflict", "same IP two MAC addresses", "ARP cache wrong MAC", and "intermittent LAN packet capture" because normal application logs rarely expose layer-2 identity problems.
ARP maps IPv4 addresses to MAC addresses on a local network. If two devices claim the same IP, traffic can bounce between them or go to the wrong machine.
PCAP Surgery is useful because ARP evidence is usually small but buried in a larger capture. You need the ARP requests, replies, gratuitous ARP, MAC addresses, timestamps, and surrounding failures.
What a duplicate IP looks like
A classic sign is the same IP associated with different MAC addresses:
10.0.0.25 is-at aa:aa:aa:aa:aa:aa
10.0.0.25 is-at bb:bb:bb:bb:bb:bb
If both appear close together, there may be an IP conflict, failover event, virtual IP movement, spoofing, or misconfigured device.
Gratuitous ARP
Gratuitous ARP announces or defends an IP address without being directly asked. It is normal in failover systems, DHCP address checks, and device startup. It is suspicious when multiple devices repeatedly announce the same IP.
Look for:
- Repeated gratuitous ARP for one IP.
- Different MAC addresses claiming the same IP.
- ARP announcements after device reboot.
- Gateway IP claimed by unexpected MAC.
- Whether the pattern matches a failover pair or an accidental conflict.
Gateway confusion
If the default gateway IP maps to the wrong MAC, many connections fail. Hosts may send traffic to a device that is not the router. This can happen because of misconfiguration, stale ARP, malicious spoofing, or a failover system behaving incorrectly.
Preserve ARP packets around the time when TCP connections begin failing.
Checklist
Use this workflow:
- Filter ARP traffic.
- Identify the IP with changing MAC mappings.
- Record every MAC claiming that IP.
- Check whether one is the expected gateway/server/device.
- Look for gratuitous ARP.
- Correlate MAC changes with TCP resets, retransmissions, or outages.
- Check DHCP logs for duplicate leases.
- Inspect the switch MAC address table if available.
- Separate intentional HA failover from accidental conflict.
- Preserve timestamps and MAC addresses when sharing evidence.
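The first steps of this workflow can be scripted. The following is an added example, not part of the original article or of PCAP Surgery: it parses raw Ethernet/ARP frames, records every MAC that claims each IP with its timestamp, marks gratuitous ARP (sender IP equal to target IP), and ignores ARP probes sent from 0.0.0.0. The function names, the `make_frame` helper, and the sample frames are constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

ARP_FMT = "!6s6sHHHBBH6s4s6s4s"  # Ethernet header + IPv4 ARP body, 42 bytes

def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip) or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _, _, etype, htype, ptype, hlen, plen, _op, sha, spa, _, tpa = struct.unpack(ARP_FMT, frame[:42])
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    return sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def find_conflicts(packets):
    """Map each IP claimed by more than one MAC to its [(ts, mac, gratuitous)] changes."""
    history = defaultdict(list)
    for ts, frame in packets:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip, target_ip = parsed
        if ip == "0.0.0.0":  # ARP probe: asks about an address, claims nothing
            continue
        events = history[ip]
        if not events or events[-1][1] != mac:  # record only changes of claimant
            events.append((ts, mac, ip == target_ip))  # sender IP == target IP: gratuitous
    return {ip: ev for ip, ev in history.items() if len({m for _, m, _ in ev}) > 1}

def make_frame(op, sender_mac, sender_ip, target_ip):
    """Build one constructed broadcast ARP frame for the sample capture."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    return struct.pack(ARP_FMT, b"\xff" * 6, sha, 0x0806, 1, 0x0800, 6, 4, op, sha,
                       socket.inet_aton(sender_ip), b"\x00" * 6, socket.inet_aton(target_ip))

# Constructed sample (timestamp in seconds, frame); addresses follow the page's example.
SAMPLE = [
    (0.00, make_frame(1, "aa:aa:aa:aa:aa:aa", "10.0.0.25", "10.0.0.1")),   # ordinary request
    (1.20, make_frame(1, "cc:cc:cc:cc:cc:cc", "0.0.0.0", "10.0.0.25")),    # probe, ignored
    (1.50, make_frame(1, "bb:bb:bb:bb:bb:bb", "10.0.0.25", "10.0.0.25")),  # gratuitous, new MAC
    (1.60, make_frame(2, "aa:aa:aa:aa:aa:aa", "10.0.0.25", "10.0.0.25")),  # gratuitous, first MAC again
    (2.00, make_frame(2, "dd:dd:dd:dd:dd:dd", "10.0.0.1", "10.0.0.25")),   # stable mapping
]

if __name__ == "__main__":
    for ip, events in find_conflicts(SAMPLE).items():
        for ts, mac, grat in events:
            print(f"{ts:5.2f}s {ip} is-at {mac}{' (gratuitous)' if grat else ''}")
```

The timestamps of each recorded change are the values to correlate with TCP resets, retransmissions, or outages in the same capture.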
Final diagnosis
ARP duplicate IP conflicts are local-network identity failures. The packet evidence is direct: which MAC claimed which IP, when it changed, and what failed afterward.
PCAP Surgery helps isolate that evidence so an intermittent LAN problem can be traced to ARP behavior instead of being misdiagnosed as DNS, TCP, or application instability.