Strange address Shown in the dhcp leases

firefox

this address Shown in the dhcp leases

What is this ???
![Screenshot from 2015-06-11 19:33:00.png](/public/imported_attachments/1/Screenshot from 2015-06-11 19:33:00.png)
![Screenshot from 2015-06-11 19:33:00.png_thumb](/public/imported_attachments/1/Screenshot from 2015-06-11 19:33:00.png_thumb)

doktornotor

And? What's strange about 192.168.0.34? Or you mean the MAC? Everyone can set their MAC to anything they want in seconds, including invalid values.

Jailer

I have the same entry, different IP and it's set to never expire. It's not any device in my network.

MikeV7896

Maybe a VM on one of your computers? I don't have that MAC showing up in my list…

Jailer

checking now but even if it is why would it be set to never expire?

firefox

i dont have VM
and i mean the MAC
and the status cltt 3

what is cltt 3 ??

johnpoz

prob got some kind of corruption in the leases db.. just delete it..

firefox

It come back
this time Listed cltt 5 not 3

Could it be that someone is trying to get in to the network
Wirelessly ??

johnpoz

Why don't you look in the actual file for what it shows for the end date, and see what we have..

example
[2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases

lease 192.168.2.216 {
starts 6 2015/06/13 12:04:00;
ends 3 2015/06/17 12:04:00;
cltt 6 2015/06/13 12:04:00;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet ac:fd:ec:62:34:97;
uid "\001\254\375\354b4\227";
client-hostname "Johns-Phone";

cltt stands for Client Last Transaction Time, not sure why its showing that vs the end date? I would also track down what device it is, that is clearly an ODD mac..

firefox

how do i see this file

i did ssh to the Machine (Reminds me person of interest)
and Paste this /var/dhcpd/var/db: cat dhcpd.leases

i got this
/var/dhcpd/var/db:: Too many arguments.

divsys

i did ssh to the Machine (Reminds me person of interest)
and Paste this /var/dhcpd/var/db: cat dhcpd.leases

try:
cd /var/dhcpd/var/db
cat dhcpd.leases

or:
cat /var/dhcpd/var/db/dhcpd.leases

or:

less /var/dhcpd/var/db/dhcpd.leases

These are basic FreeBSD commands.
There are many primers/HowTos on the commands and how/when to use them available with a quick Google search.

firefox

this is what i got

# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.6

lease 192.168.0.30 {
  starts 1 2015/05/25 04:04:19;
  ends 1 2015/05/25 06:04:19;
  tstp 1 2015/05/25 06:04:19;
  cltt 1 2015/05/25 04:04:19;
  binding state free;
  hardware ethernet 00:1c:85:0d:1d:68;
  uid "\001\000\034\205\015\035h";
}
lease 192.168.0.31 {
  starts 3 2015/05/27 12:43:26;
  ends 3 2015/05/27 14:43:26;
  tstp 3 2015/05/27 14:43:26;
  cltt 3 2015/05/27 12:43:26;
  binding state free;
  hardware ethernet 54:35:30:b1:da:f5;
  uid "\001T50\261\332\365";
}
lease 192.168.0.32 {
  starts 0 2015/05/31 19:16:46;
  ends 0 2015/05/31 21:16:46;
  tstp 0 2015/05/31 21:16:46;
  cltt 0 2015/05/31 19:16:46;
  binding state free;
  hardware ethernet 94:35:0a:23:07:f3;
  uid "\001\2245\012#\007\363";
}
lease 192.168.0.33 {
  starts 4 2015/06/04 06:42:41;
  ends 5 2015/06/05 06:42:41;
  tstp 5 2015/06/05 06:42:41;
  cltt 4 2015/06/04 06:42:41;
  binding state free;
  hardware ethernet 0c:74:c2:e1:78:f9;
  uid "\001\014t\302\341x\371";
}
lease 192.168.0.36 {
  starts 4 2015/06/11 15:39:16;
  ends 4 2015/06/11 17:39:16;
  tstp 4 2015/06/11 17:39:16;
  cltt 4 2015/06/11 15:39:16;
  binding state free;
  hardware ethernet f8:d1:11:16:4b:d9;
}
lease 192.168.0.35 {
  starts 4 2015/06/11 15:41:11;
  ends 4 2015/06/11 17:41:11;
  tstp 4 2015/06/11 17:41:11;
  cltt 4 2015/06/11 15:41:11;
  binding state free;
  hardware ethernet 00:1b:38:46:27:6b;
}
lease 192.168.0.37 {
  starts 4 2015/06/11 15:41:19;
  ends 4 2015/06/11 17:41:19;
  tstp 4 2015/06/11 17:41:19;
  cltt 4 2015/06/11 15:41:19;
  binding state free;
  hardware ethernet 00:1c:bf:11:dc:62;
}
lease 192.168.0.42 {
  starts 5 2015/06/12 08:38:46;
  ends 5 2015/06/12 10:38:46;
  tstp 5 2015/06/12 10:38:46;
  cltt 5 2015/06/12 08:38:46;
  binding state free;
  hardware ethernet 94:35:0a:23:07:f3;
  uid "\001\2245\012#\007\363";
}
server-duid "\000\001\000\001\034c\215 \000\002\263\013\253.";

hda

@firefox:

Could it be that someone is trying to get in to the network. Wirelessly ??

If you are suspicious about (wireless) connections, then do ACL, explicitly allow MAC addresses (therefore deny the undefined) in your AP.

firefox

what is ACL ?

hda

Access Control List(s)

In pfSense have look at Services: DHCP server [MAC Address Control]

firefox

@johnpoz:

Why don't you look in the actual file for what it shows for the end date, and see what we have..

example
[2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases

lease 192.168.2.216 {
starts 6 2015/06/13 12:04:00;
ends 3 2015/06/17 12:04:00;
cltt 6 2015/06/13 12:04:00;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet ac:fd:ec:62:34:97;
uid "\001\254\375\354b4\227";
client-hostname "Johns-Phone";

cltt stands for Client Last Transaction Time, not sure why its showing that vs the end date? I would also track down what device it is, that is clearly an ODD mac..

Where the last line ```
client-hostname "Johns-Phone";


It is not registered anything in the output of the command (in my computer)

and now it is cltt 6

lease 192.168.0.43 {
starts 6 2015/06/13 21:31:09;
ends never;
cltt 6 2015/06/13 21:31:09;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 0000:00:00:00;


How exactly do I use with this ACL option

I have to enroll all Mac addresses of all computers on the network
One by one comma separated

it says partial MAC addresses
Which part ?

motionthings

edit3
My post was about wireless security, and did not belong here.
I'll not be offended if it gets deleted. http://pastebin.com/QaGHXbU4
/edit 3

edit2
Looks like @cmb has a really good answer. Thanks :-)
/edit2

hda

@firefox:

…
it says partial MAC addresses
Which part ?

http://www.gcstech.net/macvendor/index.php?node=macsea

cmb

That's a BOOTP lease, which is why it looks weird.

Hostnames are only there where the client sends one. It not having one isn't unusual, especially for the types of devices that do BOOTP.

There are very limited devices that use BOOTP. Generally they're very old (1990s era printers for instance), or atypical embedded devices. It could be some broken device as well.

It seems to be a semi-active device, or at least your time of last contact (cltt) seems to update. If you have a managed switch, try tracking down that MAC address' port and see what's plugged into it. If you don't have a managed switch it'll be harder to track down, though not too difficult if you have a small network. Unplug most things, see if it's still updating. Add things back one by one. See when that comes back. Or just try reaching the device to see what it's running. A nmap scan with OS identification enabled might be telling.

cmb

@Jailer:

checking now but even if it is why would it be set to never expire?

BOOTP leases never expire.