STCP has had duplicate IP address detection for quite some time but a change to how Microsoft Windows 2008 and 7 behave has added an interesting wrinkle.

First let’s review how it works.

Duplicate IP address detection relies on the address resolution protocol (ARP).

The packet_monitor tool shows an ARP packet in two lines as

11:13:43.123 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:13:d4:59:7a:da Type 0806 (ARP)
ARP Req Target 164.152.77.217 Src 164.152.77.34 [00:13:d4:59:7a:da]

Where

Rcvd - Indicates that bytes were received. The other option is Xmit, which indicates that bytes were transmitted.
Ether - Indicates an Ethernet frame header follows.
Dst ff:ff:ff:ff:ff:ff - The Ethernet destination; in this case the broadcast address.
Src 00:13:d4:59:7a:da - The Ethernet source address.
Type 0806 (ARP) - Indicates this is an ARP frame, type 0806.
ARP - Indicates an ARP frame header follows.
Req - Indicates this is a request (looking for MAC address) frame. The other option is Rep, indicating a reply.
Target 164.152.77.217 - The IP address of the target.
Src 164.152.77.34 - The IP address of the sending host.
[00:13:d4:59:7a:da] - The Ethernet address of the sending host.

STCP looks at the Src field and if it matches the IP address of the interface it was received on then STCP reports a duplicate IP address in the syserr_log with a message formatted as

<time> WARNING (<index>): MAC address <MAC address> is using our IP address <IP address>

For example:

11:13:43 WARNING(5): MAC address 00:13:d4:59:7a:da is using our IP address 164.152.77.34

The “MAC” stands for Media Access Control, and knowing the MAC address will give you some clues as to the identity of the offending host. The first 3 bytes of the address are called the Organizationally Unique Identifier (OUI) and can be used to determine something about the Ethernet card or the host that it is in. For example, Stratus has two registered OUIs, 00-00-A8 and 00-04-FC. You can look up any OUI at http://standards.ieee.org/develop/regauth/oui/public.html

Many hosts, including STCP, send what is known as a gratuitous ARP when they boot or when an IP interface is configured. This frame basically looks for its own IP address; if it gets a reply, it knows that the IP address is in use. Here is an example of a packet_monitor trace showing the gratuitous ARP sent by another VOS module as it brings up one of its interfaces. Note that both the Target and Src fields have the same IP address.

10:19:53.045 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:00:a8:41:3b:6e Type 0806 (ARP)
ARP Req Target 164.152.77.34 Src 164.152.77.34 [00:00:a8:41:3b:6e]

OK, so what is this wrinkle I mentioned at the start of this post?

Beginning with Windows 2008 and Windows 7, the Microsoft TCP stack sends the gratuitous ARP with the Src field set to 0.0.0.0.

10:45:10.530 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 1c:c1:de:b4:76:60 Type 0806 (ARP)
ARP Req Target 164.152.77.34 Src 0.0.0.0 [1c:c1:de:b4:76:60]

The result is that STCP thinks that this is a “normal” query for its Ethernet address and responds with a normal reply:

10:45:10.530 Xmit Ether Dst 1c:c1:de:b4:76:60 Src 00:00:a8:41:3b:6e Type 0806 (ARP)
ARP Rep Target 0.0.0.0 [1c:c1:de:b4:76:60] Src 164.152.77.34 [00:00:a8:41:3b:6e]

It does not record any indication of a duplicate IP address. The good news is that the Windows stack recognizes the duplication and will switch to a link local address of the form 169.254.X.Y.

Why did Microsoft make this change? It seems that many TCP stacks (including STCP) will update their ARP cache entry for the source IP address with the Ethernet address included in the ARP frame. If the IP address is a duplicate you end up breaking current connections to the duplicated IP address as the packets are redirected to the duplicating host. By changing the Src field to 0.0.0.0 Microsoft prevents the TCP stacks (including STCP) from updating their ARP cache entries.
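Because STCP logs nothing for the 0.0.0.0 case, a saved packet_monitor trace is the only place the conflict shows up. The following is an added example, not part of the original post or of STCP: a Python sketch that scans a trace in the two-line format shown above and reports both the case STCP logs and the 0.0.0.0 case it misses. The function name, the "duplicate"/"probe" labels and the last frame of the sample trace are assumptions made for the example.

```python
import re

# First line of a packet_monitor frame: timestamp, direction, Ethernet header.
ETHER = re.compile(r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<dir>Rcvd|Xmit) Ether ")
# Second line, ARP requests only: Target IP, Src IP, sender MAC in brackets.
ARP_REQ = re.compile(
    r"ARP Req Target (?P<target>[\d.]+) Src (?P<src>[\d.]+) "
    r"\[(?P<mac>[0-9a-f:]{17})\]", re.I)


def find_conflicts(trace, our_ip, our_mac):
    """Return (time, kind, mac) for received ARP requests that conflict with our_ip."""
    findings, header = [], None
    for line in trace.splitlines():
        line = line.strip()
        if not line:
            continue
        eth = ETHER.match(line)
        if eth:
            header = eth  # remember the frame header for the ARP line that follows
            continue
        arp = ARP_REQ.match(line)
        received = header is not None and header["dir"] == "Rcvd"
        if arp and received and arp["mac"].lower() != our_mac.lower():
            if arp["src"] == our_ip:
                # The case STCP already logs: another MAC claims our address.
                findings.append((header["time"], "duplicate", arp["mac"]))
            elif arp["src"] == "0.0.0.0" and arp["target"] == our_ip:
                # Windows 2008/7 style: STCP answers this and logs nothing.
                findings.append((header["time"], "probe", arp["mac"]))
        header = None
    return findings


OUR_IP, OUR_MAC = "164.152.77.34", "00:00:a8:41:3b:6e"
# Frames taken from the traces in the post; the last frame is constructed
# to show an ordinary ARP request that must not be reported.
SAMPLE_TRACE = """
10:45:10.530 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 1c:c1:de:b4:76:60 Type 0806 (ARP)
ARP Req Target 164.152.77.34 Src 0.0.0.0 [1c:c1:de:b4:76:60]
10:45:10.530 Xmit Ether Dst 1c:c1:de:b4:76:60 Src 00:00:a8:41:3b:6e Type 0806 (ARP)
ARP Rep Target 0.0.0.0 [1c:c1:de:b4:76:60] Src 164.152.77.34 [00:00:a8:41:3b:6e]
11:13:43.123 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:13:d4:59:7a:da Type 0806 (ARP)
ARP Req Target 164.152.77.217 Src 164.152.77.34 [00:13:d4:59:7a:da]
11:20:00.000 Rcvd Ether Dst ff:ff:ff:ff:ff:ff Src 00:13:d4:59:7a:db Type 0806 (ARP)
ARP Req Target 164.152.77.34 Src 164.152.77.50 [00:13:d4:59:7a:db]
"""

if __name__ == "__main__":
    for when, kind, mac in find_conflicts(SAMPLE_TRACE, OUR_IP, OUR_MAC):
        print(when, kind, mac)
```

The first three bytes of each reported MAC can then be looked up as an OUI, as described earlier, to help identify the offending host.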