Netgate Discussion Forum

    Request for dhcp from strange address?

    DHCP and DNS
    39 Posts 6 Posters 5.8k Views
    • JKnott

      While the packet capture in pfSense is useful, I find Wireshark to be far more capable.  For example, it supports filtering on the MAC address, which I don't see in packet capture.  It also supports complex filters and has both capture and display filters.  In addition, you can watch the captures in real time.  For those reasons and more, I recently bought a cheap 5 port gigabit managed switch, so I could monitor in situations where Wireshark wouldn't be otherwise available.

      In your case, just set packet capture to filter on that IP address and let it run for a while.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • JonH

        Yep, thanks for switch info.  I just bought a 2nd unmanaged switch so am not very inclined to buy yet another.
        But putting the info into packet capture did the trick; after unblocking the IP I got it within 15 minutes.

        • JonH

          @johnpoz:

          What's the MAC address coming from that 30 address?  We can look it up and see what kind of hardware it is, or the maker of it..

          00-01-5C-66-C0-04 CADANT INC., USA

          • JKnott

            And a couple of seconds of hard googling turns up this:

            https://www.dslreports.com/forum/r25953464-TWC-Cadant-CMTS-wtf-Hudson-Valley-NY

            • johnpoz (Global Moderator)

              Yeah, Cadant is cable modem...  You can validate it's not coming from your gateway MAC and is just something on the transit network that is your ISP's connection to customers' devices.  If that is where the DHCP stuff is coming from, it's most likely an idiot end user..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              • JKnott

                ^^^^
                He shouldn't be seeing anything from other users.  Cable modem systems have separate upload and download channels and are not configured to allow direct access between users.

                • johnpoz (Global Moderator)

                  But clearly his is..  So again he should bring this up to his ISP..

                  I see DHCP stuff on my WAN for stuff that is clearly neither me nor my modem..

                  None of these MACs in the sniff are mine or my modem's..  I can view my modem's MACs on its config page..  And they don't match up to any of the ones listed in this sniff.  My IP is a 24.13 address, not the 69.243 in this sniff.  But at least 69.243 is owned by Comcast.

                  [attached image: example.png]

                  • JKnott

                    You're showing DHCP OFFER and ACK, which come from the server, not a client.  As I showed in my capture, there are several subnets used (in fact, mine wasn't even listed in that capture).  My ISP has multiple subnets for its own customers, and when I enabled IPv6, my IPv4 subnet changed.  As I mentioned, my ISP also has a VoIP service, which likely has its own subnet, and they also carry a 3rd party ISP, which would have its own subnet(s).  So, don't assume that DHCP traffic from other than your subnet is a customer doing something wrong.  There are very likely multiple subnets on your cable that belong there.

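The distinction JKnott draws above (OFFER and ACK are server messages, DISCOVER and REQUEST are client messages) is easy to check mechanically once you look at the BOOTP op field and DHCP option 53. The following is an added example, not code from any poster in this thread: a minimal DHCP decoder plus a builder that constructs sample packets inline. The client MAC, the 192.0.2.0/24 addresses and the `expected_servers` allow-list are assumed values chosen for illustration.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie that follows the 236-byte BOOTP header
BOOTREPLY = 2                        # op=1 is BOOTREQUEST (client), op=2 is BOOTREPLY (server)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_TYPES = {"OFFER", "ACK", "NAK"}   # message types only a DHCP server emits


def build_dhcp(op, msg_type, xid, chaddr, yiaddr="0.0.0.0", server_id=None):
    """Constructed test packet: BOOTP fixed header + magic cookie + options 53/54 + end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0,
                      bytes(4), IPv4Address(yiaddr).packed, bytes(4), bytes(4),
                      chaddr.ljust(16, b"\0"), bytes(64), bytes(128))
    opts = bytes([53, 1, msg_type])                      # option 53: DHCP message type
    if server_id:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed   # option 54: server identifier
    return hdr + MAGIC + opts + b"\xff"


def parse_dhcp(payload):
    """Decode op, message type, offered address (yiaddr) and server identifier from a UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op = payload[0]
    yiaddr = str(IPv4Address(payload[16:20]))
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # end option
            break
        if code == 0:                # pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):    # truncated option header
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype_raw = opts.get(53) or b"\0"
    mtype = MSG_TYPES.get(mtype_raw[0], "UNKNOWN")
    server_id = str(IPv4Address(opts[54])) if len(opts.get(54, b"")) == 4 else None
    return {"op": op, "type": mtype, "yiaddr": yiaddr, "server_id": server_id}


def is_from_server(payload):
    """OFFER/ACK/NAK carry op=BOOTREPLY and come from a DHCP server, never from a client."""
    p = parse_dhcp(payload)
    return p["op"] == BOOTREPLY and p["type"] in SERVER_TYPES


def unexpected_offer(payload, expected_servers):
    """True when a server message names a server identifier outside the allow-list you expect
    (expected_servers is a constructed list, e.g. the address of your ISP's gateway)."""
    p = parse_dhcp(payload)
    return is_from_server(payload) and p["server_id"] not in set(expected_servers)


# Constructed samples (hypothetical client MAC and 192.0.2.0/24 documentation addresses).
CLIENT_MAC = b"\x02\x00\x00\x00\x00\x01"
DISCOVER = build_dhcp(1, 1, 0x1234ABCD, CLIENT_MAC)
OFFER = build_dhcp(2, 2, 0x1234ABCD, CLIENT_MAC, yiaddr="192.0.2.50", server_id="192.0.2.1")

if __name__ == "__main__":
    print(parse_dhcp(OFFER), is_from_server(OFFER), is_from_server(DISCOVER))
```

Feed `parse_dhcp` the UDP payload of a captured frame (everything after the 8-byte UDP header) and the `type` field tells you immediately whether you are looking at a server or a client talking; a stray OFFER with a server identifier you do not recognise is what the original question in this thread was about.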
                    • JKnott

                      Here is another capture, showing MAC addresses:
                      11:13:45.500356 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 216.181.149.59 tell 216.181.149.1, length 46
                      11:13:45.592614 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 104.234.121.179 tell 104.234.121.129, length 46
                      11:13:45.641095 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 108.162.159.209 tell 108.162.159.193, length 46
                      11:13:45.695279 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 216.181.149.55 tell 216.181.149.1, length 46
                      11:13:45.747911 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 72.53.68.56 tell 72.53.68.33, length 46
                      11:13:45.862704 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 174.112.15.15 tell 174.112.14.1, length 46
                      11:13:45.910888 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 99.250.254.122 tell 99.250.240.1, length 46
                      11:13:45.987876 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 104.204.120.177 tell 104.204.120.129, length 46
                      11:13:46.031307 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 99.250.255.115 tell 99.250.240.1, length 46
                      11:13:46.090016 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 23.248.49.10 tell 23.248.49.1, length 46
                      11:13:46.143425 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 209.141.165.126 tell 209.141.165.97, length 46
                      11:13:46.206859 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 72.53.67.101 tell 72.53.67.97, length 46
                      11:13:46.274995 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 107.150.250.245 tell 107.150.250.129, length 46
                      11:13:46.393292 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 72.53.68.53 tell 72.53.68.33, length 46
                      11:13:46.397089 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 198.16.252.96 tell 198.16.252.97, length 46

                      Notice that there are several subnets, but all the requests come from the same MAC address.  Also, the link I found earlier says that company makes CMTS equipment, of the type used by the ISP.  The cable modems tend to come from other companies.  For example, mine is from Hitron, but Wireshark shows the DHCP server's MAC address is from "Casa", whoever that is.

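The pattern JKnott points out (one source MAC issuing ARP requests on behalf of many subnets) can be pulled out of a capture automatically. The following is an added example, not code from any poster in this thread: a parser for `tcpdump -e` ARP request lines, run over a handful of the lines quoted above, which are embedded here as a constructed sample. The `216.181.149.0/24` network passed to `foreign_senders` is an assumed "my WAN subnet" value for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: a subset of the tcpdump ARP lines from the post above.
SAMPLE_LINES = """\
11:13:45.500356 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 216.181.149.59 tell 216.181.149.1, length 46
11:13:45.592614 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 104.234.121.179 tell 104.234.121.129, length 46
11:13:45.695279 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 216.181.149.55 tell 216.181.149.1, length 46
11:13:45.910888 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 99.250.254.122 tell 99.250.240.1, length 46
11:13:46.031307 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 99.250.255.115 tell 99.250.240.1, length 46
11:13:46.397089 00:17:10:91:04:1f > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 198.16.252.96 tell 198.16.252.97, length 46
"""

# tcpdump -e prints "<ts> <src mac> > <dst mac>, ethertype ARP ... Request who-has <target> tell <sender>"
ARP_REQ = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), ethertype ARP .*"
    r"Request who-has (?P<target>\d+\.\d+\.\d+\.\d+) tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def parse_arp_requests(text):
    """Yield (src_mac, sender_ip, target_ip) for every ARP request line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REQ.match(line)
        if m:
            yield m["src"], m["sender"], m["target"]


def senders_by_mac(text):
    """Map each source MAC to the set of sender IPs ("tell ...") it has spoken for."""
    out = defaultdict(set)
    for mac, sender, _ in parse_arp_requests(text):
        out[mac].add(sender)
    return dict(out)


def subnets_per_mac(text, prefixlen=24):
    """Count distinct /prefixlen networks each MAC speaks for. One MAC with many subnets is the
    signature of the ISP's router/CMTS doing ARP on behalf of several customer subnets,
    not of a neighbour's device."""
    return {mac: len({ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips})
            for mac, ips in senders_by_mac(text).items()}


def foreign_senders(text, my_net):
    """Sender IPs outside your own WAN subnet (my_net is a constructed example value)."""
    net = ip_network(my_net)
    return sorted((ip for ips in senders_by_mac(text).values() for ip in ips
                   if ip_address(ip) not in net), key=ip_address)


if __name__ == "__main__":
    print(subnets_per_mac(SAMPLE_LINES))
    print(foreign_senders(SAMPLE_LINES, "216.181.149.0/24"))
```

On a real capture, `tcpdump -e -n -i <wan> arp` (or pfSense's packet capture with "Level of detail" set high enough to show link-layer headers) produces lines in this shape; pipe the output file through `senders_by_mac` and anything that speaks for more than one subnet is almost certainly the provider's gear.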
                      • JonH

                        It was never my intention to get this deep into why I was getting a request from a strange DHCP server.  It's been interesting though, and I have learned a few things.

                        Regarding my ISP provided cable modem and other customers on the same subnet, my ISP upgraded my modem about a month ago, it has more channels.  I have 8 bonded downstream channels and 4 upstream, 3 of which are bonded.  I have no access to the other features in the modem except to see the status page.

                        In the past, I did see other customers, I cannot see them now.  One item shown on status page which may explain this is "DOCSIS Privacy = Enabled".  I have not attempted to find out what that means but assume it explains why I don't see others on the subnet.  I do not recall if the privacy option was on my prior modem or not.

                        Since obtaining the MAC of the stray dhcp server, I can add this to the discussion.
                        The stray MAC is:  00:01:5c:66:c0:04
                        The MAC of my upstream gateway is:  00:01:5c:66:c0:46

                        Since the upstream gateway's MAC address differs by only 66 (decimal), I assume that the device that is giving me the stray DHCP offer belongs to my ISP.

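The two checks used in this thread, the OUI lookup johnpoz asked for and JonH's comparison of the stray server's MAC against the gateway's MAC, are worth having as a small tool. The following is an added example, not code from any poster: it accepts the two MAC notations that appear above (dash-separated upper case and colon-separated lower case), extracts the OUI, computes the numeric distance, and classifies the source. The `OUI_TABLE` contains only the one entry the thread established (00-01-5C is CADANT INC.); a real lookup would consult the IEEE OUI registry. The `neighbour_window` threshold of 256 is an assumed heuristic, not a standard.

```python
import re

# Only the OUI established in this thread; a real tool would load the IEEE OUI registry.
OUI_TABLE = {0x00015C: "CADANT INC."}


def parse_mac(text):
    """Accept 00-01-5C-66-C0-04, 00:01:5c:66:c0:04 or 00015c66c004 and return it as an int."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value):
    """Render an int MAC in the colon-separated lower-case form tcpdump prints."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def oui(mac):
    """Top 24 bits: the vendor-assigned Organizationally Unique Identifier."""
    return parse_mac(mac) >> 24


def vendor(mac):
    return OUI_TABLE.get(oui(mac), "unknown")


def mac_distance(a, b):
    """Numeric distance between two MACs; a small value suggests adjacent assignments
    from one vendor's production batch, i.e. likely the same operator's equipment."""
    return abs(parse_mac(a) - parse_mac(b))


def classify_dhcp_source(server_mac, gateway_mac, neighbour_window=256):
    """The check suggested in the thread: is the DHCP server your gateway itself, a sibling
    device from the same vendor block close to it, something from the same vendor, or other?
    neighbour_window is an assumed heuristic threshold."""
    if parse_mac(server_mac) == parse_mac(gateway_mac):
        return "gateway"
    same_vendor = oui(server_mac) == oui(gateway_mac)
    if same_vendor and mac_distance(server_mac, gateway_mac) <= neighbour_window:
        return "same-vendor-near-gateway"
    if same_vendor:
        return "same-vendor"
    return "other"


# The two addresses posted above, in the two notations they appeared in.
STRAY_SERVER = "00-01-5C-66-C0-04"
GATEWAY = "00:01:5c:66:c0:46"

if __name__ == "__main__":
    print(vendor(STRAY_SERVER), mac_distance(STRAY_SERVER, GATEWAY),
          classify_dhcp_source(STRAY_SERVER, GATEWAY))
```

`mac_distance` on the two addresses posted gives 66, which is the "66d" JonH computed by hand (0x46 minus 0x04 is 0x42). A close numeric distance within the same OUI supports the conclusion that both devices come from the same batch of ISP equipment, but it is only a heuristic; the authoritative answer still comes from the ISP.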
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.