Netgate Discussion Forum

    Request for dhcp from strange address?

    johnpoz LAYER 8 Global Moderator

      ^ heheh exactly!!!  So see if they plugged that interface into their ISP device the wrong way.. Big Bang Zoom there you go a DoD address space DHCP server on some ISP layer 2 network.  Where all the users on that network could see the traffic..  Hopefully they don't get an IP from it ;)  You would HOPE!!!! That the ISP is running stuff to prevent unauthorized DHCP servers on the layer 2 between them and their customers.  But you never know....

      So what I would do is email your ISP support, showing them the DHCP traffic and the IP and asking if that is them...  Or one of their other idiot users..

      What's the MAC address coming from that 30 address?  We can look it up and see what kind of hardware it is, or the maker of it..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        JonH

        @johnpoz:

        What's the MAC address coming from that 30 address?  We can look it up and see what kind of hardware it is, or the maker of it..

        So I would need to have a packet trace running at the moment in time that the misconfigured device makes a request?  Or is there another way that I am not thinking about?

          kpa

          ARP table, it's there exactly for the purpose of seeing the MAC addresses of network peers on the same network segment.

            JKnott

            ^^^^
            An ARP cache has a limited lifetime, so he'd have to check it within a short period of time.  However, if he can ping that address and get a response, the ARP cache would have the MAC.  Failing that, just let the packet capture run, filtering on that IP address.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              JonH

              The IP does not respond to a ping.  But my ISP's DHCP does respond to a ping.

              I think the only option is a packet capture.  Not sure I want to leave it running for an extended period of time.

                chpalmer

                @johnpoz:

                ^ heheh exactly!!!

                +1

                Had a large fire agency in my county trying to hand out DHCP to cable system customers for almost two weeks till the techs paid them a visit.  ;D ::)

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  kpa

                  At least my ISP is sneaky enough to isolate its clients from each other:

                  
                  $ ifconfig em1
                  em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                          options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>
                          ether 00:1b:21:14:ca:5e
                          inet6 fe80::21b:21ff:fe14:ca5e%em1 prefixlen 64 scopeid 0x3
                          inet 88.xxx.yyy.181 netmask 0xffffe000 broadcast 88.xxx.zzz.255
                          inet 192.168.1.200 netmask 0xffffff00 broadcast 192.168.1.255
                          nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
                          media: Ethernet autoselect (100baseTX <full-duplex>)
                          status: active

                  $ ping 88.xxx.yyy.182
                  PING 88.xxx.yyy.182 (88.xxx.yyy.182): 56 data bytes
                  ^C
                  --- 88.xxx.yyy.182 ping statistics ---
                  1 packets transmitted, 0 packets received, 100.0% packet loss

                  $ arp -an
                  ...
                  ? (88.xxx.yyy.182) at 00:0b:45:b6:ef:c0 on em1 expires in 1058 seconds [ethernet]
                  ? (88.xxx.yyy.181) at 00:1b:21:14:ca:5e on em1 permanent [ethernet]
                  ? (88.xxx.yyy.1) at 00:0b:45:b6:ef:c0 on em1 expires in 90 seconds [ethernet]
                  ...
                  

                  The .181 is my current IP address and the .1 address is the gateway on the WAN network and it (or more likely some equipment between me and the gateway device) seems to just proxy ARP every single IP address of the WAN network that is not assigned to you.

                    JKnott

                    ^^^^
                    Are you on a cable modem?  I am and can see the ARP requests for others, including on other subnets.  However, I can't see any traffic from the others, as cable modems have separate channels for each direction.

                      chpalmer

                      @JKnott:

                      ^^^^
                      Are you on a cable modem?  I am and can see the ARP requests for others, including on other subnets.  However, I can't see any traffic from the others, as cable modems have separate channels for each direction.

                      I can see every one of the cable modems via their local maintenance IP address on my system.

                      The reason you don't see their traffic is because the system acts like a switch and not a hub. They do block network shares however.

                        kpa

                        I'm on (A)DSL of a type that encapsulates Ethernet frames into ATM, no PPPo(E|A). This type of connection would normally allow client-to-client traffic because it's just standard Ethernet by all means; I've seen it working on a similar ADSL connection from my previous ISP many years ago, but my current one (Sonera) seems to have other ideas.

                        Oh, and of course we are only talking about layer 2 isolation here to disable broadcast-based services such as DHCP; IP-level connections such as SSH will still get through.

                          JonH

                          @JKnott:

                          ^^^^
                          Are you on a cable modem?  I am and can see the ARP requests for others, including on other subnets.  However, I can't see any traffic from the others, as cable modems have separate channels for each direction.

                          Yes, cable modem.  I do not see anything beyond my gateway.  Since I am using an SG2440 I cannot start a packet trace in time to catch it.  I'll keep watching for it; last week I had it blocked by a rule and it kept trying every so often for hours.  Today, I had it unblocked, trying to catch its MAC, and it only hit a few times.

                          I'm now thinking that I'll shutdown & restart while that IP is blocked, start the packet trace, then disable the rule and see if it hits me.

                          
                          Shell Output - arp -an
                          
                          ? (192.168.1.41) at 10:bf:48:x:x:x on igb1 expires in 586 seconds [ethernet]
                          ? (192.168.1.8) at 90:b1:1c:x:x:x on igb1 expires in 1061 seconds [ethernet]
                          ? (192.168.1.43) at 78:31:c1:x:x:x on igb1 expires in 584 seconds [ethernet]
                          ? (192.168.1.107) at 70:48:0f:x:x:x on igb1 expires in 1196 seconds [ethernet]
                          ? (192.168.1.10) at e0:3f:49:x:x:x on igb1 expires in 755 seconds [ethernet]
                          ? (192.168.1.109) at 00:11:d9:x:x:x on igb1 expires in 1000 seconds [ethernet]
                          ? (192.168.1.1) at 00:08:a2:x:x:x on igb1 permanent [ethernet]               <---- LAN IP
                          ? (192.168.1.125) at 70:14:a6:x:x:x on igb1 expires in 1187 seconds [ethernet]
                          ? (192.168.1.30) at 00:1c:2a:x:x:x on igb1 expires in 614 seconds [ethernet]
                          ? (192.168.1.126) at 48:e9:f1:x:x:x on igb1 expires in 1169 seconds [ethernet]
                          ? (192.168.1.20) at c0:56:e3:x:x:x on igb1 expires in 1178 seconds [ethernet]
                          ? (192.168.1.151) at 00:11:d9:x:x:x on igb1 expires in 1187 seconds [ethernet]
                          ? (96.38.x.x) at 00:01:5c:x:x:x on igb0 expires in 884 seconds [ethernet]    <---upstream gateway
                          ? (96.38.x.x) at 00:08:a2:x:x:x on igb0 permanent [ethernet]                     <--- WAN IP
                          
                          

                          I don't know how many users are on my subnet, I know that I'm the last drop on the line.
                          I'm locked out of the cable modem, I can only see the up/down SNR & power level.
                          Also, it may be worth noting that the cable modem is at the standard 192.168.100.1 and will toss out a DHCPACK when the upstream sync is lost.  I have that IP blocked.

                            JKnott

                            I don't understand your problem with using packet capture.  Just configure it to capture only that IP address and let it run as long as it takes.  It won't hurt anything.  The hardware shouldn't make any difference for this.  I run pfSense on a refurb computer.

                            I just fired up the packet capture for a few seconds and caught this:

                            09:15:43.648284 ARP, Request who-has 45.2.75.30 tell 45.2.75.1, length 46
                            09:15:43.675278 ARP, Request who-has 216.58.58.117 tell 216.58.58.97, length 46
                            09:15:43.764767 ARP, Request who-has 45.2.73.243 tell 45.2.73.129, length 46
                            09:15:43.810850 ARP, Request who-has 99.250.252.189 tell 99.250.240.1, length 46
                            09:15:43.875635 ARP, Request who-has 216.181.152.74 tell 216.181.152.1, length 46

                            Once you've captured the traffic, you can download it and open the file with Wireshark, to better examine it, including reading the MAC address.  Or you can just increase the detail level to display the full capture, including MAC addresses.

                            Incidentally, my preferred way to capture network traffic is with Wireshark, but since pfSense won't run it, I bought a small managed switch, which I configured for port mirroring.  I then run Wireshark on my notebook computer, plugged into the monitoring port.

                            BTW, notice all the different subnets in that capture.  My ISP has different subnets for customers and also carries traffic for a 3rd party ISP.  There is also their home phone service in there, but I don't know what subnet it's on.


                              JonH

                              I guess I should have looked harder at the pfSense packet capture.  I haven't gotten to that part of the pfSense book yet so I did not realize I could filter to capture only certain packets.

                              In other situations I've captured all and then filtered with wireshark after downloading.  Great capability that capture can be fine tuned like that.

                              I'm using an unmanaged switch so no way to port mirror AFAIK.

                              I'll play around with this and see if I have any luck.
                              Thanks!!

                                JKnott

                                While the packet capture in pfSense is useful, I find Wireshark to be far more capable.  For example, it supports filtering on the MAC address, which I don't see in packet capture.  It also supports complex filters and has both capture and display filters.  In addition, you can watch the captures in real time.  For those reasons and more, I recently bought a cheap 5 port gigabit managed switch, so I could monitor in situations where Wireshark wouldn't be otherwise available.

                                In your case, just set packet capture to filter on that IP address and let it run for a while.

                                  JonH

                                  Yep, thanks for switch info.  I just bought a 2nd unmanaged switch so am not very inclined to buy yet another.
                                  But putting info into packet capture did the trick, after unblocking the IP I got it within 15 minutes.

                                    JonH

                                    @johnpoz:

                                    What's the MAC address coming from that 30 address?  We can look it up and see what kind of hardware it is, or the maker of it..

                                    00-01-5C-66-C0-04 CADANT INC., USA

                                      JKnott

                                      And a couple of seconds of hard googling turns up this:

                                      https://www.dslreports.com/forum/r25953464-TWC-Cadant-CMTS-wtf-Hudson-Valley-NY

                                        johnpoz LAYER 8 Global Moderator

                                        Yeah Cadant is cable modem..  You can validate it's not coming from your gateway MAC and just something on the transit network that is your ISP connection to customers' devices.  If that is where the DHCP stuff is coming from - it's most likely an idiot end user..


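                                        Added example (not code from this thread, pfSense or Netgate): a small Python parser that takes one raw Ethernet frame from a capture, checks that it is a DHCP server reply, pulls out the source MAC, its OUI for a vendor lookup and the server identifier option, and compares the MAC against a known upstream gateway MAC as suggested above. GATEWAY_MAC, make_offer and every frame byte are constructed assumptions, not values from the thread.

```python
import struct

# Constructed value: MAC of the legitimate upstream gateway (hypothetical).
GATEWAY_MAC = "00:01:5c:aa:bb:cc"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
COOKIE = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the BOOTP header


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_dhcp_reply(frame):
    """Return src MAC/IP, message type and server identifier of a DHCP reply.
    Untagged Ethernet II + IPv4 + UDP only; anything else raises ValueError."""
    if len(frame) < 14 + 20 + 8 + 240 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame carrying a full BOOTP header")
    src_mac = frame[6:12]
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:
        raise ValueError("not UDP")
    src_ip = frame[14 + 12:14 + 16]
    udp = 14 + ihl
    if struct.unpack("!H", frame[udp:udp + 2])[0] != 67:
        raise ValueError("not sent from the DHCP server port")
    bootp = udp + 8
    if frame[bootp] != 2 or frame[bootp + 236:bootp + 240] != COOKIE:
        raise ValueError("not a DHCP BOOTREPLY")
    opts, i = {}, bootp + 240          # walk TLV options until END (255)
    while i < len(frame) and frame[i] != 255:
        if frame[i] == 0:              # PAD carries no length byte
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        opts[code] = frame[i + 2:i + 2 + length]
        i += 2 + length
    mac = mac_str(src_mac)
    return {
        "src_mac": mac,
        "oui": mac[:8],                # first three octets: vendor lookup key
        "src_ip": ip_str(src_ip),
        "msg_type": MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN"),
        "server_id": ip_str(opts[54]) if 54 in opts else None,
        "from_gateway": mac == GATEWAY_MAC.lower(),
    }


def make_offer(src_mac, server_ip, msg_type=2):
    """Build a minimal constructed DHCP reply frame (test input, not a real capture)."""
    ip = bytes(int(x) for x in server_ip.split("."))
    mac = bytes.fromhex(src_mac.replace(":", ""))
    options = bytes([53, 1, msg_type, 54, 4]) + ip + b"\xff"
    bootp = b"\x02\x01\x06\x00" + b"\x00" * 232 + COOKIE + options
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       ip, b"\xff\xff\xff\xff")
    return b"\xff" * 6 + mac + b"\x08\x00" + ipv4 + udp
```

                                        A reply whose from_gateway is False but whose src_ip or server_id is on your WAN subnet is exactly the case this thread is about, and the OUI is what you would look up to identify the vendor.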
                                          JKnott

                                          ^^^^
                                          He shouldn't be seeing anything from other users.  Cable modem systems have separate upload and download channels and are not configured to allow direct access between users.

                                            johnpoz LAYER 8 Global Moderator

                                            But clearly his is..  So again he should bring this up to his ISP..

                                            I see DHCP stuff on my WAN for stuff that is clearly not me nor my modem..

                                            None of these MACs in the sniff are mine or my modem's.. I can view my modem MACs on its config page..  And they don't match up to any of the ones listed in this sniff.  My IP is a 24.13 address - not the 69.243 in this sniff.  But at least 69.243 is owned by Comcast.

                                            [attached screenshot: example.png]


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.