Strange address shown in the DHCP leases



  • this address Shown in the dhcp leases

    What is this ???
    ![Screenshot from 2015-06-11 19:33:00.png](/public/imported_attachments/1/Screenshot from 2015-06-11 19:33:00.png)


  • Banned

    And? What's strange about 192.168.0.34? Or you mean the MAC? Everyone can set their MAC to anything they want in seconds, including invalid values.



  • I have the same entry, different IP and it's set to never expire. It's not any device in my network.



  • Maybe a VM on one of your computers? I don't have that MAC showing up in my list…



  • checking now but even if it is why would it be set to never expire?



  • i don't have a VM
    and i mean the MAC
    and the status  cltt 3

    what is  cltt 3    ??


  • LAYER 8 Global Moderator

    prob got some kind of corruption in the leases db.. just delete it..



  • It came back
    this time listed cltt 5 not 3

    Could it be that someone is trying to get in to the network
    Wirelessly ??


  • LAYER 8 Global Moderator

    Why don't you look in the actual file for what it shows for the end date, and see what we have..

    example
    [2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases

    lease 192.168.2.216 {
      starts 6 2015/06/13 12:04:00;
      ends 3 2015/06/17 12:04:00;
      cltt 6 2015/06/13 12:04:00;
      binding state active;
      next binding state free;
      rewind binding state free;
      hardware ethernet ac:fd:ec:62:34:97;
      uid "\001\254\375\354b4\227";
      client-hostname "Johns-Phone";

    cltt stands for Client Last Transaction Time, not sure why it's showing that vs the end date?  I would also track down what device it is, that is clearly an ODD mac..



  • how do i see this file

    i did ssh to the Machine (reminds me of Person of Interest)
    and pasted this /var/dhcpd/var/db: cat dhcpd.leases

    i got this
    /var/dhcpd/var/db:: Too many arguments.



  • i did ssh to the Machine (Reminds me person of interest)
    and Paste this /var/dhcpd/var/db: cat dhcpd.leases

    try:
    cd /var/dhcpd/var/db
    cat dhcpd.leases

    or:
    cat /var/dhcpd/var/db/dhcpd.leases

    or:

    less /var/dhcpd/var/db/dhcpd.leases

    These are basic FreeBSD commands.
    There are many primers/HowTos on the commands and how/when to use them available with a quick Google search.



  • this is what i got

    # The format of this file is documented in the dhcpd.leases(5) manual page.
    # This lease file was written by isc-dhcp-4.2.6
    
    lease 192.168.0.30 {
      starts 1 2015/05/25 04:04:19;
      ends 1 2015/05/25 06:04:19;
      tstp 1 2015/05/25 06:04:19;
      cltt 1 2015/05/25 04:04:19;
      binding state free;
      hardware ethernet 00:1c:85:0d:1d:68;
      uid "\001\000\034\205\015\035h";
    }
    lease 192.168.0.31 {
      starts 3 2015/05/27 12:43:26;
      ends 3 2015/05/27 14:43:26;
      tstp 3 2015/05/27 14:43:26;
      cltt 3 2015/05/27 12:43:26;
      binding state free;
      hardware ethernet 54:35:30:b1:da:f5;
      uid "\001T50\261\332\365";
    }
    lease 192.168.0.32 {
      starts 0 2015/05/31 19:16:46;
      ends 0 2015/05/31 21:16:46;
      tstp 0 2015/05/31 21:16:46;
      cltt 0 2015/05/31 19:16:46;
      binding state free;
      hardware ethernet 94:35:0a:23:07:f3;
      uid "\001\2245\012#\007\363";
    }
    lease 192.168.0.33 {
      starts 4 2015/06/04 06:42:41;
      ends 5 2015/06/05 06:42:41;
      tstp 5 2015/06/05 06:42:41;
      cltt 4 2015/06/04 06:42:41;
      binding state free;
      hardware ethernet 0c:74:c2:e1:78:f9;
      uid "\001\014t\302\341x\371";
    }
    lease 192.168.0.36 {
      starts 4 2015/06/11 15:39:16;
      ends 4 2015/06/11 17:39:16;
      tstp 4 2015/06/11 17:39:16;
      cltt 4 2015/06/11 15:39:16;
      binding state free;
      hardware ethernet f8:d1:11:16:4b:d9;
    }
    lease 192.168.0.35 {
      starts 4 2015/06/11 15:41:11;
      ends 4 2015/06/11 17:41:11;
      tstp 4 2015/06/11 17:41:11;
      cltt 4 2015/06/11 15:41:11;
      binding state free;
      hardware ethernet 00:1b:38:46:27:6b;
    }
    lease 192.168.0.37 {
      starts 4 2015/06/11 15:41:19;
      ends 4 2015/06/11 17:41:19;
      tstp 4 2015/06/11 17:41:19;
      cltt 4 2015/06/11 15:41:19;
      binding state free;
      hardware ethernet 00:1c:bf:11:dc:62;
    }
    lease 192.168.0.42 {
      starts 5 2015/06/12 08:38:46;
      ends 5 2015/06/12 10:38:46;
      tstp 5 2015/06/12 10:38:46;
      cltt 5 2015/06/12 08:38:46;
      binding state free;
      hardware ethernet 94:35:0a:23:07:f3;
      uid "\001\2245\012#\007\363";
    }
    server-duid "\000\001\000\001\034c\215 \000\002\263\013\253.";
    
    


  • @firefox:

    Could it be that someone is trying to get in to the network. Wirelessly ??

    If you are suspicious about (wireless) connections, then do ACL, explicitly allow MAC addresses (therefore deny the undefined) in your AP.



  • what is ACL ?



  • Access Control List(s)

    In pfSense have look at Services: DHCP server [MAC Address Control]



  • @johnpoz:

    Why don't you look in the actual file for what it shows for the end date, and see what we have..

    example
    [2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases

    lease 192.168.2.216 {
      starts 6 2015/06/13 12:04:00;
      ends 3 2015/06/17 12:04:00;
      cltt 6 2015/06/13 12:04:00;
      binding state active;
      next binding state free;
      rewind binding state free;
      hardware ethernet ac:fd:ec:62:34:97;
      uid "\001\254\375\354b4\227";
      client-hostname "Johns-Phone";

    cltt stands for Client Last Transaction Time, not sure why its showing that vs the end date?  I would also track down what device it is, that is clearly an ODD mac..

    Where the last line
    client-hostname "Johns-Phone";

    does not appear anywhere in the output of the command (on my computer)

    and now it is cltt 6
    
    

    lease 192.168.0.43 {
      starts 6 2015/06/13 21:31:09;
      ends never;
      cltt 6 2015/06/13 21:31:09;
      binding state active;
      next binding state free;
      rewind binding state free;
      hardware ethernet 00:ab:00:00:00:00;

    
    How exactly do I use with this ACL option
    
    I have to enroll all MAC addresses of all computers on the network
    One by one comma separated
    
    it says partial MAC addresses
    Which part ?


  • edit3
    My post was about wireless security, and did not belong here.
    I'll not be offended if it gets deleted. http://pastebin.com/QaGHXbU4
    /edit 3

    edit2
    Looks like @cmb has a really good answer. Thanks :-)
    /edit2



  • @firefox:


    it says partial MAC addresses
    Which part ?

    http://www.gcstech.net/macvendor/index.php?node=macsea



  • That's a BOOTP lease, which is why it looks weird.

    Hostnames are only there where the client sends one. It not having one isn't unusual, especially for the types of devices that do BOOTP.

    There are very limited devices that use BOOTP. Generally they're very old (1990s era printers for instance), or atypical embedded devices. It could be some broken device as well.

    It seems to be a semi-active device, or at least your time of last contact (cltt) seems to update. If you have a managed switch, try tracking down that MAC address' port and see what's plugged into it. If you don't have a managed switch it'll be harder to track down, though not too difficult if you have a small network. Unplug most things, see if it's still updating. Add things back one by one. See when that comes back. Or just try reaching the device to see what it's running. An nmap scan with OS identification enabled might be telling.
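To make the lease-file explanation above checkable (cltt is the Client Last Transaction Time, a BOOTP lease is written as "ends never", and uid / client-hostname are only present when the client sends them), here is an added Python example; it is not code from this thread or from pfSense. It parses dhcpd.leases text and flags records matching the pattern discussed: an infinite lease, no client identifier or hostname, and a MAC whose device-specific half is all zeros. The sample lease text and the flagging heuristics are assumptions made for the example, modelled on the excerpts posted in the thread.

```python
import re
from datetime import datetime

# Constructed sample in the isc-dhcpd lease-file format seen in this thread.
# The 192.168.0.43 entry copies the shape of the BOOTP-style lease discussed
# above: "ends never", no uid, no client-hostname, and a MAC whose
# device-specific half is all zeros. The raw string keeps the uid octal
# escapes literal, exactly as dhcpd writes them.
SAMPLE_LEASES = r"""
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.6

lease 192.168.0.30 {
  starts 1 2015/05/25 04:04:19;
  ends 1 2015/05/25 06:04:19;
  tstp 1 2015/05/25 06:04:19;
  cltt 1 2015/05/25 04:04:19;
  binding state free;
  hardware ethernet 00:1c:85:0d:1d:68;
  uid "\001\000\034\205\015\035h";
}
lease 192.168.0.43 {
  starts 6 2015/06/13 21:31:09;
  ends never;
  cltt 6 2015/06/13 21:31:09;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 00:ab:00:00:00:00;
}
server-duid "\000\001\000\001";
"""

# One record: "lease <ip> {" ... a line that is just "}"
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
TIME_KEYS = ("starts", "ends", "tstp", "cltt")


def parse_time(value):
    """dhcpd writes 'W YYYY/MM/DD HH:MM:SS' (W = weekday) or the word 'never'."""
    if value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")


def parse_leases(text):
    """Return {ip: fields}. dhcpd appends records, so a later record for the
    same IP supersedes an earlier one; the dict assignment reproduces that."""
    leases = {}
    for match in LEASE_RE.finditer(text):
        ip, body = match.group(1), match.group(2)
        entry = {"ip": ip}
        for raw in body.splitlines():
            line = raw.strip().rstrip(";")
            if not line:
                continue
            key, _, value = line.partition(" ")
            if key in TIME_KEYS:
                entry[key] = parse_time(value)
            elif key == "hardware":          # "ethernet xx:xx:xx:xx:xx:xx"
                entry["mac"] = value.split()[1].lower()
            elif key == "uid":
                entry["uid"] = value.strip('"')
            elif key == "client-hostname":
                entry["hostname"] = value.strip('"')
            elif key == "binding":           # "state active" / "state free"
                entry["state"] = value.split()[-1]
            # next/rewind binding state and other keys are not needed here
        leases[ip] = entry
    return leases


def flag_suspect_leases(leases):
    """Heuristics for the pattern in this thread; returns {ip: [reasons]}."""
    report = {}
    for ip, entry in leases.items():
        reasons = []
        if "ends" in entry and entry["ends"] is None:
            reasons.append("ends never (BOOTP/infinite lease)")
        if "uid" not in entry and "hostname" not in entry:
            reasons.append("no client identifier and no hostname")
        mac = entry.get("mac", "")
        if mac and mac.split(":")[3:] == ["00", "00", "00"]:
            reasons.append("device-specific half of the MAC is all zeros")
        if reasons:
            report[ip] = reasons
    return report


if __name__ == "__main__":
    found = parse_leases(SAMPLE_LEASES)
    for ip, why in flag_suspect_leases(found).items():
        e = found[ip]
        print(f"{ip} {e.get('mac')} last seen {e.get('cltt')}: {'; '.join(why)}")
```

On a real box the same parser can be pointed at /var/dhcpd/var/db/dhcpd.leases; comparing the cltt of the flagged record across runs shows whether the device is still transacting, which is the signal cmb describes.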



  • @Jailer:

    checking now but even if it is why would it be set to never expire?

    BOOTP leases never expire.



  • That MAC seems to be something a number of other people have seen pulling BOOTP leases, though at a glance through Google results I don't see anyone who found the source of it. Might be worthwhile to dig through those results more closely.
    https://www.google.com/webhp?q="00:ab:00:00:00:00"



  • I know
    Already encountered this once
    Last time i  simply blocked the address

    This time I wanted to know where it came from


  • LAYER 8 Global Moderator

    well track it down – it's clearly on your network..



  • I've checked
    No device in my network
    Have such address

    That's why I ask

    I blocked it again
    As before



  • Yeah it's definitely not a device on my network, this is my home network and every device is accounted for.

    Could it possibly be my Dlink router that I'm using as an AP? DHCP is turned off on the router but the wireless does occasionally quit working, especially when it gets warmer out, requiring a power cycle to restore it.


  • LAYER 8 Global Moderator

    Sorry but it has to be something on your network..

    Could be something like a media player, dvr, doubt it's your dlink.. But sure..  When you delete the lease how long until it comes back?  Is it every 24 hours, every 1 hour, every 10 minutes?  Does it ping to that IP you gave it?

    What interface are you seeing it on?  Lan, Wan, Wireless?  You don't have a smart switch that shows you mac address table?



  • Shows up on LAN, no smart switch. I'll have to check when I get home to see if it's back again. Had a power outage yesterday and as of last night it wasn't there.


  • LAYER 8 Global Moderator

    Is your lan bridged to your wireless?  If showing up on your lan - clearly it's on your network ;)



  • No bridge, just DHCP disabled and static IP so it's working as an AP. pfsense is handling all the routing.

    Checked my leases and it's not there any more. I dunno, maybe something left over from one of the many VM's I've had running? I'm out of ideas.


  • LAYER 8 Global Moderator

    So your wireless is on the same network as your lan - ie bridged..



  • If that's what "bridged" means then yes. It is on the same subnet as LAN.



  • @johnpoz:

    Sorry but its has to be something on your network..

    Could be something like a media player, dvr, doubt its your dlink.. But sure..  When you delete the lease how long until it comes back?  Is it every 24 hours, every 1 hour, every 10 minutes?  Does it ping to that IP you gave it?

    What interface are you seeing it on?  Lan, Wan, Wireless?  You don't have a smart switch that shows you mac address table?

    Here is a list of all the addresses on my network
    1-27 are static addresses

    and 43 is Dynamic address

    If I shut down the DHCP
    I assume he could not get access to the network
    but Guests also can not

    If I delete this address
    After a while, it comes back
    Can be after 10 minutes
    Can be after two hours
    Can be after 16 hours
    No fixed time

    You can not ping to it

    PING 192.168.0.43 (192.168.0.43) 56(84) bytes of data.
    From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
    From 192.168.0.2 icmp_seq=2 Destination Host Unreachable
    From 192.168.0.2 icmp_seq=3 Destination Host Unreachable
    From 192.168.0.2 icmp_seq=4 Destination Host Unreachable
    From 192.168.0.2 icmp_seq=5 Destination Host Unreachable
    From 192.168.0.2 icmp_seq=6 Destination Host Unreachable
    From 192.168.0.2 icmp_seq=7 Destination Host Unreachable
    From 192.168.0.2 icmp_seq=8 Destination Host Unreachable
    From 192.168.0.2 icmp_seq=9 Destination Host Unreachable
    
    

    I do not have a smart switch
    i see this address on my LAN
    i have WAN ,LAN, WIFI, and BRIDGE (lan and wifi)

    I have 2 routers that serve as an access point
    edimax 192.168.0.104
    dlink 192.168.0.101
    a network card on the pfsense also as AP (the wifi)
    and one cisco access point (192.168.0.25)
    all have fixed (static) IP
    DHCP shut down in the routers

    I went physically at home  to each device that connects to the network
    And checked MAC addresses the same as in the DHCP leases

    ![mac address.png](/public/imported_attachments/1/mac address.png)



  • If you have a *NIX box on your network you can run nmap to do some network discovery and determine what is where.  I think there's also an nmap package for pfSense that would also scan your network and determine what is running where.  Very handy and powerful utility.



  • what is "NIX box" ??

    Know the package which is installed
    It does not show anything


  • LAYER 8 Global Moderator

    Well without 3 different AP and wireless and wired on the same lan without a smart switch.. Yeah going to have a hard time tracking it down.

    So you're sure it's showing up on your lan interface?  Or you're just seeing it hit your dhcp server?  Why don't you sniff for the bootp packets..  This might give you some better clue to what the device is in the details of the packet.

    And you don't need a nix (unix/linux) box to run nmap, runs on windows just fine.  Not sure that would help - the OS identification isn't very good if you ask me.

    So can not ping, but it arps??  So when you try and ping that IP, and you look in your arp table you see it?

    Destination host unreach normally means it didn't arp..

    So no real AP, or smart switch - tracking down something like this can be tricky.. If you had a smart switch and real AP you could see where the mac is listed on physical port and what macs are trying to associate to your AP..

    So is your wireless open, or secured..  Change your psk, if it can not associate with your wireless it's not possible for it to get a lease from your dhcp server.  If still happens could be one of your routers acting as AP..  Turn 1 off at a time until you don't get it showing up any more.

    Do you run any sort of visualization.. How did you check for the mac exactly on all your devices?



  • So your sure its showing up on your lan interface?  Or your just seeing it hit your dhcp server?

    i see it on the DHCP leases not in the dhcp server

    Why don't you sniff for the bootp packets..  This might give you some better clue to what the device in the details of the packet.

    how do i do that ?

    So can not ping, but it arps??  So when you try and ping that IP, and you look in your arp table you see it?

    no cant see it in the arp

    there are all the options

    Running: /usr/local/bin/nmap  -sP -PR '192.168.0.43'
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:03 IDT
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 0.52 seconds
    
    Running: /usr/local/bin/nmap  -sS -P0 -sV -O '192.168.0.43'
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:04 IDT
    Nmap done: 1 IP address (0 hosts up) scanned in 2.95 seconds
    
    Running: /usr/local/bin/nmap  -sT '192.168.0.43'
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:05 IDT
    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 0.49 seconds
    
    Running: /usr/local/bin/nmap  -sS -P0 -sV -O '192.168.0.43'
    Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:06 IDT
    Nmap done: 1 IP address (0 hosts up) scanned in 2.07 seconds
    
    

    So no real AP, or smart switch - tracking down something like this can be tricky.. If you had a smart switch and real AP you could see where the mac is listed on physical port and what macs are trying to associate to your AP..

    the cisco is real access point

    So is your wireless open, or secured

    my wireless is secured

    If still happens could be one of your routers acting as AP..

    my routers  are acting as AP as i said

    Do you run any sort of visualization.. How did you check for the mac exactly on all your devices?

    i went to every computer and tv and printer and laptop
    and check (i go to setting Depending on the device And saw the mac address)

    ![home.plex - Status DHCP leases - 2015-06-16_17.10.12.png](/public/imported_attachments/1/home.plex - Status DHCP leases - 2015-06-16_17.10.12.png)
    ![home.plex - Diagnostics ARP Table - 2015-06-16_17.16.50.png](/public/imported_attachments/1/home.plex - Diagnostics ARP Table - 2015-06-16_17.16.50.png)
    ![Cisco IOS Series AP - 2015-06-16_17.18.38.png](/public/imported_attachments/1/Cisco IOS Series AP - 2015-06-16_17.18.38.png)


  • LAYER 8 Global Moderator

    diag, packet capture will allow you to sniff..  Pick your lan interface, UDP and either port 67 or 68 since these are the ports bootp/dhcp will be on.

    Let it run until you see the lease show up with that weird mac in it, if you have a lot of dhcp on your network then you might need to change the 100 packet limit to 0 or something greater to catch the packets.

    Then download it and check it in wireshark.

    example see attached - you can validate the discover is from the odd ball mac, and then look into the details of the packet and you might get some info that helps you identify what is actually asking for ip.

    If you can not see it in arp, you're not going to be able to nmap scan it.  Turn off your other AP, do you still get it - then look in the AP for associated clients..  If you change your psk, would seem unlikely the device could associate with your wireless and get an IP..  So either its an actual AP device asking for it, or something wired.

    So are any of your machines running any visualization software?
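What "look into the details of the packet" amounts to, as an added Python example that is not code from this thread or from pfSense: the pfSense packet capture (Diagnostics, Packet Capture) writes a pcap that Wireshark decodes, and the code below does the equivalent decoding by hand on the UDP payload of a BOOTP/DHCP request (client port 68 to server port 67). It extracts the client MAC from chaddr and, for DHCP, the message type, hostname (option 12), vendor class (option 60) and client identifier (option 61), the fields most likely to identify a device; a legacy BOOTP request without the DHCP magic cookie carries none of these, which matches cmb's point that such devices often send no hostname. The packets, the vendor class string and the client id are constructed for the demo; the phone's MAC and hostname are the ones from the lease excerpt posted earlier.

```python
import struct

# Fixed-size BOOTP header (RFC 951): 236 bytes before the vendor area.
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"
DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2132 magic cookie
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def build_request(mac, xid, options=None):
    """Construct a BOOTREQUEST UDP payload for the demo (what a client sends
    from port 68 to port 67). options=None yields a legacy BOOTP request with
    an empty 64-byte vend field and no magic cookie."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    zero4 = b"\x00" * 4
    header = struct.pack(BOOTP_HDR, 1, 1, 6, 0, xid, 0, 0,
                         zero4, zero4, zero4, zero4, chaddr,
                         b"\x00" * 64, b"\x00" * 128)
    if options is None:
        return header + b"\x00" * 64
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + DHCP_MAGIC + body + b"\xff"


def parse_bootp(payload):
    """Decode the fields a defender looks at in Wireshark: op, xid, client MAC,
    and (for DHCP) message type, hostname, vendor class and client id."""
    (op, _htype, hlen, _hops, xid, _secs, _flags, _ci, _yi, _si, _gi,
     chaddr, _sname, _file) = struct.unpack_from(BOOTP_HDR, payload)
    info = {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
        "kind": "BOOTP",
    }
    vend = payload[struct.calcsize(BOOTP_HDR):]
    if not vend.startswith(DHCP_MAGIC):
        return info                        # plain BOOTP: nothing more to read
    info["kind"] = "DHCP"
    i = len(DHCP_MAGIC)
    while i < len(vend):                   # TLV walk over the options area
        code = vend[i]
        if code == 0:                      # pad
            i += 1
            continue
        if code == 255:                    # end
            break
        length = vend[i + 1]
        val = vend[i + 2:i + 2 + length]
        i += 2 + length
        if code == 53 and val:
            info["msg_type"] = MSG_TYPES.get(val[0], f"type {val[0]}")
        elif code == 12:
            info["hostname"] = val.decode("ascii", errors="replace")
        elif code == 60:
            info["vendor_class"] = val.decode("ascii", errors="replace")
        elif code == 61:
            info["client_id"] = val.hex()
    return info


def requests_from(payloads, mac):
    """Keep only client requests whose chaddr matches the MAC of interest."""
    mac = mac.lower()
    decoded = (parse_bootp(p) for p in payloads)
    return [d for d in decoded if d["op"] == "BOOTREQUEST" and d["mac"] == mac]


# Constructed capture: a DHCP DISCOVER from the phone seen in the thread and a
# bare BOOTP request from the odd MAC. Vendor class and client id are made up.
SAMPLE_PACKETS = [
    build_request("ac:fd:ec:62:34:97", 0x1234, [
        (53, b"\x01"),
        (61, b"\x01" + bytes.fromhex("acfdec623497")),
        (12, b"Johns-Phone"),
        (60, b"example-vendor-class"),
    ]),
    build_request("00:ab:00:00:00:00", 0x5678),
]

if __name__ == "__main__":
    for hit in requests_from(SAMPLE_PACKETS, "00:AB:00:00:00:00"):
        print(hit)
```

Against a real capture, feed each DHCP/BOOTP UDP payload from the pcap to parse_bootp and filter with requests_from; if the odd MAC only ever shows up as a plain BOOTP request with no options, the packet itself will not name the device, and the physical isolation steps johnpoz describes (one AP off at a time, unplug and re-add) are what is left.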




  • diag, packet capture will allow you to sniff..  Pick your lan interface, UDP and either port 67 or 68 since these are the ports bootp/dhcp will be on.

    Let it run until you see the lease show up with that weird mac in it, if you have a lot of dhcp on your network then you might need to change the 100 packet limit to 0 or something greater to catch the packets.

    you mean this in the image ?

    ![Screenshot from 2015-06-16 18:30:45.png](/public/imported_attachments/1/Screenshot from 2015-06-16 18:30:45.png)


  • LAYER 8 Global Moderator

    What??  No diagnostics on your pfsense menu, packet capture.. You don't need to install any package to do sniffs.




  • i try it with 67 and 68 port
    and the IP of the Weird mac address

    and i got Nothing

    ![Screenshot from 2015-06-17 07:04:38.png](/public/imported_attachments/1/Screenshot from 2015-06-17 07:04:38.png)

