    How do you find devices w/ Link-local IPv4 address on your network

    General pfSense Questions
    13 Posts 5 Posters 2.9k Views
    • rsaanon

      Trying to troubleshoot my network. I have a couple of lagg groups as well as some VLANs defined in the network. This issue is recent and has not always been there.

      I see several IPv4 link-local addresses in the firewall log. The problem is that I have around 100+ devices on the network that are spread out all over the place; how do I isolate which devices on the network have the link-local addresses (implying that these devices were not able to successfully get a DHCP lease)? Also, the firewall log does not show the MAC address of the devices with link-local addresses. Here's an example of mDNS- and DHCP-related firewall log entries:

      lagg0: 169.254.241.174:5353-->224.0.0.251:5353 UDP
      lagg1: 169.254.241.174:5353-->224.0.0.251:5353 UDP
      lagg0: 0.0.0.0:68-->255.255.255.255:67
      lagg1: 0.0.0.0:68-->255.255.255.255:67
      

      Thank you!

      • NogBadTheBad

        Have a look at the arp table.

        Pop the MAC addresses in here and you may see the vendor:

        https://www.wireshark.org/tools/oui-lookup.html

        You may also be able to check which switch the devices are connected to by looking at the CAM table.

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        • rsaanon

          Thanks for your response.

          That's exactly the problem. The firewall log for the link-local addresses does not show the MAC addresses; otherwise it would have been easy to isolate the target device to a vendor. The whole issue is finding the MAC addresses of devices with a link-local address.

          Thanks!

          • NogBadTheBad

            There is an ARP table on the router, under Diagnostics IIRC.

            Andy

            • johnpoz (LAYER 8 Global Moderator)

              The ARP table is normally not going to show link-local addresses.

              Best is to just sniff to see the traffic, then look up the vendor from the mac.

              If you're saying they cannot get a DHCP lease, you could also look in the DHCP log, which will show the MAC of whoever is asking for an IP but not getting one. Quite often they will be asking a lot ;)

              With so many devices I would hope you also have a smart switch, so you can look in its MAC address table to help track down where the device is once you have the MAC.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • rsaanon @NogBadTheBad

                @NogBadTheBad Thanks for chiming in. Unfortunately, the ARP table does not show the MAC addresses.

                • rsaanon @johnpoz

                  @johnpoz You’re absolutely right. The ARP table does not show the MAC addresses. What utility/tool could I use on pfSense to sniff the traffic? I have several interfaces on the pfSense box, with each interface on a separate VLAN. My desktop is connected to one of the subnets/VLANs that has no connectivity issue. If I ran Wireshark on my desktop, I would not see any 169.x.x.x link-local addresses. So I need to be able to run a sniffer on the pfSense box.

                  I will check out the dhcp log as suggested. Also, looking at the MAC table on the switch is an excellent idea.

                  Thanks so much, John. Appreciate your help.

                  -rsa

                  • jdeloach @rsaanon

                    This post is deleted!
                    • rsaanon

                      @jdeloach The ARP table shows MAC addresses only for non-link-local addresses. I’m trying to hunt down devices on my network that for some reason are not getting a DHCP-assigned address. As mentioned in my initial post, the firewall log is getting flooded by link-local addresses that are emanating from a LAGG group. Each lagg group has multiple VLANs defined, so I’m not able to isolate the problem down to a particular subnet or VLAN, which makes it difficult to isolate the target devices.

                      • JKnott @rsaanon

                        @rsaanon said in How do you find devices w/ Link-local IPv4 address on your network:

                        So, I need to be able to run sniffer in the pfsense box.

                        If you can't see those packets on a desktop system, why do you think you'll see them with pfSense? Since link local packets are confined to the local network, they won't pass through pfSense. The best you can do is watch for broadcasts or multicasts from those devices, which should be sent to all devices on a switch. For example, when a device connects, you should see Duplicate Address Detection packets. You might also see mDNS.

                        PfSense running on Qotom mini PC
                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                        UniFi AC-Lite access point

                        I haven't lost my mind. It's around here...somewhere...

                        • JKnott @jdeloach

                          @jdeloach said in How do you find devices w/ Link-local IPv4 address on your network:

                          Huh!!!

                          pfSense, or any other device, will only have ARP cache entries for devices that have recently communicated with it. After a while the entry will time out and be removed from the cache. One possibility would be to run a script that periodically checks the cache to collect new addresses. Judging from the cache contents of my system, it appears the cache times out after 10 minutes, so running the script every 5 minutes for a period of time would collect most, if not all, of the MACs.

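The periodic ARP-cache collection JKnott describes, written out as an added example; this is not JKnott's script and not part of pfSense. It assumes FreeBSD's `arp -an` line format (`? (ip) at mac on iface expires in N seconds [ethernet]`, with `permanent` and `(incomplete)` variants), a cron entry of the form `*/5 * * * * arp -an | python3 arpcollect.py /var/db/arp-seen.json` (file name and path are assumptions), and the two snapshot texts below are constructed, not data from the thread. It keeps a MAC once seen even after the cache entry has aged out, which is the point of polling faster than the observed 10-minute timeout. Note that, as the later replies point out, no 169.254.x.x host appears here because pfSense has no address in that subnet and those hosts never ARP for it.

```python
"""Merge repeated `arp -an` snapshots into a persistent MAC inventory."""
import json
import re
import sys
import time

# FreeBSD arp -an line, e.g.
# "? (192.168.10.5) at 00:50:56:01:02:03 on lagg0 expires in 1150 seconds [ethernet]"
ARP_RE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\)) on (?P<iface>\S+)"
)


def parse_arp(text):
    """Yield (ip, mac, iface) for resolved entries; unresolved ones are skipped."""
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m and m.group("mac") != "(incomplete)":
            yield m.group("ip"), m.group("mac").lower(), m.group("iface")


def merge(seen, text, now):
    """Fold one snapshot into `seen` (mac -> record). Returns MACs seen for the first time."""
    new = []
    for ip, mac, iface in parse_arp(text):
        rec = seen.get(mac)
        if rec is None:
            rec = seen[mac] = {"first": now, "last": now, "ips": [], "ifaces": []}
            new.append(mac)
        rec["last"] = now
        if ip not in rec["ips"]:
            rec["ips"].append(ip)
        if iface not in rec["ifaces"]:
            rec["ifaces"].append(iface)
    return new


def load(path):
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}


def save(path, seen):
    with open(path, "w") as f:
        json.dump(seen, f, indent=1, sort_keys=True)


# Constructed snapshots 5 minutes apart: 192.168.10.77 talked to the firewall
# once and has aged out by the second poll; 192.168.20.9 was unresolved at
# first and resolved later.  No 169.254.x.x entry can ever show up here.
SNAP_T0 = """\
? (192.168.10.1) at 00:50:56:04:05:06 on lagg0 permanent [ethernet]
? (192.168.10.5) at 00:50:56:01:02:03 on lagg0 expires in 1150 seconds [ethernet]
? (192.168.10.77) at b8:27:eb:11:22:33 on lagg0 expires in 40 seconds [ethernet]
? (192.168.20.9) at (incomplete) on lagg1 expired [ethernet]
"""
SNAP_T1 = """\
? (192.168.10.1) at 00:50:56:04:05:06 on lagg0 permanent [ethernet]
? (192.168.10.5) at 00:50:56:01:02:03 on lagg0 expires in 890 seconds [ethernet]
? (192.168.20.9) at dc:a6:32:99:88:77 on lagg1 expires in 1190 seconds [ethernet]
"""


def demo():
    """Run the two constructed polls and return the merged inventory."""
    seen = {}
    merge(seen, SNAP_T0, 1000)
    merge(seen, SNAP_T1, 1300)  # 300 s later, i.e. the 5-minute cron interval
    return seen


if __name__ == "__main__":
    if len(sys.argv) == 2:  # real use: state file as argument, `arp -an` on stdin
        state = load(sys.argv[1])
        fresh = merge(state, sys.stdin.read(), int(time.time()))
        save(sys.argv[1], state)
        print("new:", ", ".join(fresh) or "none")
    else:
        print(json.dumps(demo(), indent=1, sort_keys=True))
```

The inventory it builds is what you then feed to the OUI lookup and the switch's MAC address table; it answers "who has talked to pfSense lately", not "who is sitting on a link-local address".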
                          • johnpoz (LAYER 8 Global Moderator)

                            ^ Exactly. Why would a link-local IP be talking to pfSense, which doesn't have a link-local address? This is why you wouldn't see it in the ARP table.

                            Just sniff on the interface you're seeing the traffic blocked on, i.e. lagg0 and lagg1; you will get the traffic and can then view the MAC address it came from.

                            • JKnott @johnpoz

                              @johnpoz

                              Yeah, I just checked that. The ARP cache won't catch anything that's not in the subnet. I suppose tcpdump --immediate-mode might work to capture for a script.

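An added example, not code from the thread or from pfSense, tying together johnpoz's advice (sniff on lagg0 and lagg1, look the vendor up from the MAC, check who keeps asking DHCP for an address) and JKnott's suggestion of driving tcpdump from a script. It assumes the capture was taken on the pfSense box with something like `tcpdump -eni lagg0 -l 'src net 169.254.0.0/16 or udp port 67' > lagg0.txt` (the GUI equivalent is Diagnostics > Packet Capture with link-layer detail turned on), that the lines are in tcpdump's `-e`/`-n` text format as shown, that 802.1Q tags are visible when capturing on the parent lagg rather than a VLAN sub-interface, and that the tiny OUI table is an illustrative subset (a real run would use the Wireshark OUI lookup linked earlier, or its manuf file). The sample capture lines are constructed, not taken from the post. The VLAN tag is what answers the original poster's problem of not knowing which VLAN on the lagg a 169.254.x.x host sits in.

```python
"""Summarise link-local (169.254/16) and DHCP-seeking hosts from `tcpdump -e` text."""
import ipaddress
import re
import sys
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Illustrative OUI subset only (assumption); not a substitute for a real lookup.
OUI = {
    "00:50:56": "VMware, Inc.",
    "00:0c:29": "VMware, Inc.",
    "b8:27:eb": "Raspberry Pi Foundation",
    "dc:a6:32": "Raspberry Pi Trading Ltd",
    "00:1c:42": "Parallels, Inc.",
}

# "<timestamp> <src mac> > <dst mac>, ..." as printed by tcpdump -e
ETH_RE = re.compile(r"^\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5}) > [0-9a-f]{2}(?::[0-9a-f]{2}){5},")
# 802.1Q tag; assumption: the tag is visible when capturing on the parent lagg
VLAN_RE = re.compile(r"\bvlan (\d+),")
# "src.port > dst.port:" of the IPv4 summary (-n keeps ports numeric)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")


def vendor(mac):
    """OUI vendor; bit 1 of the first octet set means a locally administered address."""
    if int(mac[:2], 16) & 0x02:
        return "locally administered (randomised?)"
    return OUI.get(mac[:8], "unknown OUI")


def classify(src_ip, dst_port):
    """Which of the two symptoms from the firewall log this packet is."""
    if ipaddress.ip_address(src_ip) in LINK_LOCAL:
        return "link-local"
    if src_ip == "0.0.0.0" and dst_port == 67:
        return "dhcp-request"
    return "other"


def parse_line(line, iface):
    """Return a record for one tcpdump line, or None if it is not an IPv4 line."""
    eth, ip = ETH_RE.match(line), IP_RE.search(line)
    if not eth or not ip:
        return None
    vlan = VLAN_RE.search(line)
    return {"iface": iface, "vlan": int(vlan.group(1)) if vlan else None,
            "mac": eth.group(1).lower(), "ip": ip.group(1),
            "kind": classify(ip.group(1), int(ip.group(4)))}


def summarize(captures):
    """captures: {iface: [lines]} -> {mac: details} for the hosts worth chasing."""
    hosts = defaultdict(lambda: {"ifaces": set(), "vlans": set(), "ips": set(), "kinds": set()})
    for iface, lines in captures.items():
        for rec in (parse_line(ln, iface) for ln in lines):
            if rec is None or rec["kind"] == "other":
                continue
            h = hosts[rec["mac"]]
            h["ifaces"].add(rec["iface"])
            h["ips"].add(rec["ip"])
            h["kinds"].add(rec["kind"])
            if rec["vlan"] is not None:
                h["vlans"].add(rec["vlan"])
    for mac, h in hosts.items():
        h["vendor"] = vendor(mac)
    return dict(hosts)


def report(hosts):
    """One line per MAC: vendor, where it was seen, which VLAN, what it was doing."""
    return "\n".join(
        f"{mac}  {h['vendor']:<28} ifaces={','.join(sorted(h['ifaces']))} "
        f"vlans={','.join(map(str, sorted(h['vlans']))) or '-'} "
        f"ips={','.join(sorted(h['ips']))} seen={','.join(sorted(h['kinds']))}"
        for mac, h in sorted(hosts.items()))


# Constructed sample: one host stuck on link-local and seen on both laggs,
# one tagged VLAN 20, one still asking for DHCP, one healthy host (ignored).
SAMPLE = {
    "lagg0": [
        "10:00:01.000001 b8:27:eb:11:22:33 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 100: 169.254.241.174.5353 > 224.0.0.251.5353: UDP, length 58",
        "10:00:01.500002 00:0c:29:aa:bb:cc > 01:00:5e:00:00:fb, ethertype 802.1Q (0x8100), length 104: vlan 20, p 0, ethertype IPv4 (0x0800), 169.254.17.9.5353 > 224.0.0.251.5353: UDP, length 58",
        "10:00:02.000003 02:00:00:12:34:56 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:12:34:56, length 300",
        "10:00:02.500004 00:50:56:01:02:03 > 00:50:56:04:05:06, ethertype IPv4 (0x0800), length 98: 192.168.10.5.49152 > 192.168.10.1.53: UDP, length 56",
    ],
    "lagg1": [
        "10:00:03.000005 b8:27:eb:11:22:33 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 100: 169.254.241.174.5353 > 224.0.0.251.5353: UDP, length 58",
    ],
}

if __name__ == "__main__":
    # usage: python3 llhosts.py lagg0.txt lagg1.txt   (file name doubles as interface label)
    files = {p: open(p).read().splitlines() for p in sys.argv[1:]}
    print(report(summarize(files or SAMPLE)))
```

With the MAC in hand, the switch's MAC address table (and the VLAN column here) tells you which port the device hangs off; a locally administered MAC usually means a randomised address, so expect the OUI lookup to come back empty for those.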
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.