Wireshark and PowerCLI: How to identify duplicate IP addresses when your VMs don't run VMware Tools


Yesterday while I was at work I got an interesting email from our Network team: Apparently there were a couple of machines that shared the same IP Address on the network. We needed to isolate which machines were involved and remediate the problem.

Given that the vast bulk of our servers are virtual, I logged into vCenter and used the search bar to search for the IP address, as it should show up if VMware Tools is installed. Nothing came up, so what next? Hmm...


The networking team had noticed the duplicate IP addresses while monitoring Wireshark. I was able to get them to send me the MAC Addresses of the machines involved. I noticed that both MAC addresses started with 00:50:56 which in our environment signifies a Virtual Machine.

I did a Google search and found a PowerCLI script to locate a machine via MAC Address. For reference, here it is:

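# Requires an active vCenter session (Connect-VIServer).
# Set this to the MAC address to look for.
$tgtMAC = ""
$vms = Get-VM
foreach ($vm in $vms) {
  # Collect the MAC address of every network adapter on this VM
  $vmMAC = $vm | Get-NetworkAdapter | Select-Object MacAddress
  foreach ($mac in $vmMAC) {
    if ($mac.MacAddress -eq $tgtMAC) {
      Write-Host "Found the VM!"
      $vm.Name
    }
  }
}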

 

After running the script twice (once for each MAC Address), I found something interesting: the duplicate IP traffic seen in Wireshark was coming from a single VM that had 2 NICs, each bound to the same IP Address. Problem isolated and solved, awesome.
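
The same lookup can be done for both MAC addresses in one pass, with a check for the case found here, where several of the reported MACs belong to one VM. This is an added example, not the script from the original search result. It assumes an existing Connect-VIServer session; the MAC values are constructed placeholders and ConvertTo-NormalizedMac is a hypothetical helper name.

```powershell
# Added example. Assumes an active Connect-VIServer session.
# Constructed placeholder MACs in the 00:50:56 range; replace with the reported ones.
$targetMacs = @('00:50:56:AA:BB:01', '00-50-56-aa-bb-02')

# Hypothetical helper: accept colon, hyphen, dot or bare notation in any case
# and return lower-case colon-separated form so comparisons are consistent.
function ConvertTo-NormalizedMac {
    param([Parameter(Mandatory)][string]$Mac)
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToLower()
    if ($hex.Length -ne 12) { throw "Not a valid MAC address: $Mac" }
    (($hex -split '(..)') -ne '') -join ':'
}

$wanted = $targetMacs | ForEach-Object { ConvertTo-NormalizedMac $_ }

# One pass over every adapter in the inventory instead of one run per MAC.
$hits = Get-VM | Get-NetworkAdapter |
    Where-Object { $_.MacAddress -and ($wanted -contains (ConvertTo-NormalizedMac $_.MacAddress)) } |
    Select-Object @{N='VM';E={$_.Parent.Name}}, @{N='Adapter';E={$_.Name}}, MacAddress, NetworkName

$hits | Format-Table -AutoSize

# Two or more target MACs on the same VM means the conflict comes from
# one multi-NIC guest rather than from two separate machines.
$hits | Group-Object VM | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("{0} owns {1} of the target MACs: {2}" -f
        $_.Name, $_.Count, ($_.Group.MacAddress -join ', '))
}

# Target MACs with no match are not vNICs known to this vCenter.
$found = $hits | ForEach-Object { ConvertTo-NormalizedMac $_.MacAddress }
$wanted | Where-Object { $found -notcontains $_ } | ForEach-Object {
    Write-Warning "No VM adapter found for $_"
}
```

The table shows which adapter and port group each MAC sits on, which is what you need to decide which NIC's IP configuration to change inside the guest.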