LinuxQuestions.org
Old 08-07-2012, 12:41 AM   #1
resetreset
Senior Member
 
Registered: Mar 2008
Location: Cyberspace
Distribution: Dynebolic, Ubuntu 10.10
Posts: 1,340

Rep: Reputation: 62
Trying to understand how Ethernet works


Hi,
On a LAN, if I have one machine with an IP of 192.168.0.1, and then, with ifconfig, if I say ANOTHER machine on that LAN has an IP of 192.168.0.1, and then a third machine broadcasts a packet with that IP, will both these machines get it? If not, why not?
(I was thinking, it'd be really easy to start sniffing that way, right?)


Thanks.
 
Old 08-07-2012, 01:21 AM   #2
segmentation_fault
Member
 
Registered: Sep 2008
Location: Ioannina, Greece
Distribution: Gentoo
Posts: 332

Rep: Reputation: 55
If two machines on the same subnetwork use the same IP, there will be a conflict and probably neither of them will be able to use the network, or will be reachable by another machine.
Also, sniffing has nothing to do with what you describe; this is called spoofing. In order to sniff packets you must put your adapter in promiscuous mode.

One more thing. Ethernet doesn't work at the IP level. It works with MAC addresses.

Last edited by segmentation_fault; 08-07-2012 at 01:25 AM.
 
Old 08-07-2012, 02:59 AM   #3
Gleylancer
LQ Newbie
 
Registered: Aug 2012
Distribution: Slackware+RHEL
Posts: 24

Rep: Reputation: Disabled
If you broadcast something, both machines with that IP Address will get it. But it won't help much. If you are on TCP level, the applications rely on established connections, and that will not really work if two machines want to establish a connection at the same time from the same IP Address. There is no way you can sniff anything useful that way - for sniffing you don't even need to have any IP Address, because it is performed on a higher layer. Being on a hub network is enough, you'll get each and every ethernet frame that way.
 
Old 08-07-2012, 03:18 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 21,978

Rep: Reputation: 3624
I might be wrong but if two are on a segment and have the same IP then either the lower of the MAC gets locked in or the first in ARP gets locked in. Might have to double check that.

ARP is used to map MAC to IP so that is part of the issue. That is where I believe it gets locked in. ARP gets lost after some small amount of time so the head ARP asker goes out and asks who has 192.168.0.1 and waits for replies. Then it decides which is which to use.

Last edited by jefro; 08-07-2012 at 03:19 PM.
 
Old 08-07-2012, 09:26 PM   #5
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,321
Blog Entries: 28

Rep: Reputation: 6141
Here's a good tutorial on subnetting.

http://www.ralphb.net/IPSubnet/index.html

Don't be fooled by the HTML 3.0 look. It's one of the clearest descriptions of how tcp/ip works you will find. (I first stumbled on this on a dot-edu site; my guess is the author retired or moved to another job and put the pages up unchanged on his own domain.)
 
Old 08-08-2012, 04:01 AM   #6
emekadavid
Member
 
Registered: Jul 2012
Posts: 46

Rep: Reputation: Disabled
re: ethernet works

I'd recommend the Linux Documentation Project, tldp.org. Search for a network administrator's guide. I am reading it myself presently.
Thanks
 
Old 08-10-2012, 01:30 PM   #7
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
Quote:
Originally Posted by jefro
I might be wrong but if two are on a segment and have the same IP then either the lower of the MAC gets locked in or the first in ARP gets locked in. Might have to double check that.

ARP is used to map MAC to IP so that is part of the issue. That is where I believe it gets locked in. ARP gets lost after some small amount of time so the head ARP asker goes out and asks who has 192.168.0.1 and waits for replies. Then it decides which is which to use.

Actually what happens is that the MAC address will flip-flop between the two ports on the switch, effectively shredding any attempted upper layer sessions. A Cisco switch will report this as a MAC address that has seen too many "moves".

Two devices can only "share" an IP address via a mediation mechanism like HSRP, VRRP, GLBP etc. Two simple hosts with the same config will not work properly, either of them.
 
Old 08-10-2012, 01:33 PM   #8
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 891

Rep: Reputation: 184
Quote:
Originally Posted by resetreset
Hi,
On a LAN, if I have one machine with an IP of 192.168.0.1, and then, with ifconfig, if I say ANOTHER machine on that LAN has an IP of 192.168.0.1, and then a third machine broadcasts a packet with that IP, will both these machines get it? If not, why not?
(I was thinking, it'd be really easy to start sniffing that way, right?)


Thanks.

You are in effect correct. You can use something called ARP spoofing to play man in the middle and can effectively sniff that traffic. It's not quite as simple as what you describe but in essence that's what happens.
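
As an added example that is not part of the thread: a passive check for the condition discussed above, one IP address being claimed by more than one MAC address in ARP traffic, which is how a duplicate address or ARP spoofing shows up on the wire. The frames are constructed sample data, and the function names are assumptions of this example.

```python
import socket
import struct

def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip) for an Ethernet II ARP frame, else None."""
    if len(frame) < 42:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:                      # not ARP
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                              # only Ethernet/IPv4 ARP handled
    return op, frame[22:28].hex(":"), socket.inet_ntoa(frame[28:32])

def find_conflicts(frames):
    """Track IP -> MAC bindings; record each time an IP is claimed by a new MAC."""
    seen = {}                                    # ip -> last MAC that claimed it
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        _, mac, ip = parsed
        if ip == "0.0.0.0":                      # ARP probe, sender has no address yet
            continue
        if ip in seen and seen[ip] != mac:
            alerts.append((ip, seen[ip], mac))
        seen[ip] = mac
    return alerts

def _frame(op, sha, spa, tpa):
    """Build a constructed ARP frame (sample data, not a real capture)."""
    mac = bytes.fromhex(sha.replace(":", ""))
    eth = b"\xff" * 6 + mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac + socket.inet_aton(spa) + b"\x00" * 6 + socket.inet_aton(tpa)

SAMPLE = [
    _frame(2, "02:00:00:00:00:0a", "192.168.0.1", "192.168.0.50"),
    _frame(1, "02:00:00:00:00:32", "192.168.0.50", "192.168.0.1"),
    _frame(2, "02:00:00:00:00:0b", "192.168.0.1", "192.168.0.50"),  # second host, same IP
    _frame(2, "02:00:00:00:00:0a", "192.168.0.1", "192.168.0.50"),  # binding flips back
]

if __name__ == "__main__":
    for ip, old, new in find_conflicts(SAMPLE):
        print(f"{ip} moved from {old} to {new}")
```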
 
  

