Wireshark-users: Re: [Wireshark-users] Gratuitous and duplicate differences
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Thu, 15 Sep 2016 13:58:12 -0400


On Tue, Sep 13, 2016 at 7:06 PM, Bayu Notonegoro <kotakmilis@xxxxxxxxx> wrote:
> Hi All,
> Greetings.
> In Wireshark, we can display filter both for arp.isgratuitous and arp.duplicate-address-detected. What is the difference between both?
> ARP gratuitous is something to detect the duplicate IP. But when I see the duplicate-address-detected, I got confused. From what I see, both filters give different output.
> So what are the differences?

A gratuitous ARP is an ARP request that is basically the machine saying "I'm here with this address." Such ARPs have the source and destination IP addresses set to the same value (the address of the sender). Gratuitous ARPs are a general concept--not something specific to Wireshark.

If Wireshark flags an ARP as duplicate-address-detected then that means Wireshark has seen 2 or more hosts saying they have the same IP address (or, more specifically, 2 or more MAC addresses advertising the same IP address) - obviously that's (usually) a bad thing.
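
The distinction drawn in this thread, as an added example that is not part of the original messages and is not Wireshark's dissector code: a simplified Python model that parses raw Ethernet/IPv4 ARP bodies, marks a packet gratuitous when sender IP equals target IP, and marks a duplicate when more than one MAC has advertised the same sender IP. The function names, the constructed sample packets, and the choice to skip `0.0.0.0` senders are assumptions of this example.

```python
import struct
from ipaddress import IPv4Address

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP body, 28 bytes


def parse_arp(payload):
    """Return (opcode, sender_mac, sender_ip, target_ip) from a raw ARP body."""
    if len(payload) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return oper, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))


def classify(packets):
    """Flag each packet as gratuitous and/or as evidence of a duplicate address."""
    seen = {}  # sender IP -> set of MACs that have advertised it so far
    results = []
    for payload in packets:
        _oper, mac, spa, tpa = parse_arp(payload)
        gratuitous = spa == tpa          # sender announces its own address
        duplicate = False
        if spa != "0.0.0.0":             # assumption: such senders claim no address
            macs = seen.setdefault(spa, set())
            macs.add(mac)
            duplicate = len(macs) > 1    # 2 or more MACs advertising this IP
        results.append({"mac": mac, "ip": spa,
                        "gratuitous": gratuitous, "duplicate": duplicate})
    return results


def make_arp(oper, sha, spa, tpa, tha="00:00:00:00:00:00"):
    """Build a constructed sample ARP body (test data, not captured traffic)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       bytes.fromhex(sha.replace(":", "")), IPv4Address(spa).packed,
                       bytes.fromhex(tha.replace(":", "")), IPv4Address(tpa).packed)


# Constructed sample traffic: one IP, two MACs
SAMPLE = [
    make_arp(1, "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.10"),  # gratuitous only
    make_arp(1, "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),   # ordinary request
    make_arp(2, "02:00:00:00:00:0b", "192.0.2.10", "192.0.2.1"),   # duplicate only
    make_arp(1, "02:00:00:00:00:0b", "192.0.2.10", "192.0.2.10"),  # both flags
]
```

The two flags are independent: the first sample packet is gratuitous without any conflict, the third shows a conflict without being gratuitous, and the fourth is both.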