DHCP request from nowhere

Hi,
In our DHCP server (French Windows 2k3 R2), we have records showing type
DHCP/BOOTP with a unique ID 31302e302e39302e31353xx.
Does someone know what could create entries like that ?
Every 10-15 minutes, a different record is created.
To be able to see those records, I have to go on my scope, right-click
Reconcile, Verify, Reconcile and then I can see the record.
Thanks for your help.

 

Hello Normand,

Any devide which is enabled to use DHCP, switches, printers, computers of
course, handheld if network ready etc.......

Best regards

Meinolf Weber

 

Get the MAC address of the device or client, then log into your switch to determine what port it is on.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
http://twitter.com/acefekay

 

Hi Meinolf,
But one device can create multiple records in DHCP ?
The unique ID is supposed to be the MAC address of the device but in my
case, unique ID is 31302e302e39302e31353100, 31302e302e39302e31353200,
31302e302e39302e31353300, etc.
Thanks.

 

Hi Ace,
How can I find MAC address of that device ? MAC is supposed to be indicated
under Unique ID but what I have is 31302e302e39302e31353100,
31302e302e39302e31353200, 31302e302e39302e31353300, etc. for each record.
Thanks for any more help.


"Ace Fekay [Microsoft Certified Trainer]" <> a
écrit dans le message de groupe de discussion :
...

 

Hello Normand,

Ping the ip address of that item and then run "arp -a" in a command prompt,
the list should also show the MAC for the ip address from that device.

Best regards

Meinolf Weber

 

I did that and I can't ping the device with that Ip address.
Always receive a request time out.

 

Wow, that is odd. The uniqueID should be 12 characters. You are seeing a 24 bit MAC. Let's break it down.

For:
3130 2e30 2e39 302e 3135 3100
(put into calc as Hex, then changed from Qword to Dword) and got:

2E 39 30 2E 00

Do you see that MAC? If not, how about any of the following?

31 2e 30 31 31
or
30 30 39 2e 35 00


Ace

 

Hi Ace,

Nothing like that in my DHCP records.
Kind of bizarre thing.


"Ace Fekay [Microsoft Certified Trainer]" <> a
écrit dans le message de groupe de discussion :
...

 

No, not in DHCP records, I mean after breaking it down as I suggested (and that was just a stab at it), to look for that number as a possible MAC in the switche's ARP or MAC table.

Ace

 

Hi folks,

We are experiencing the same issue. Several Windows 2003 SP2 DHCP servers
have scopes that become completely exhausted over time for no clear reason.

Refreshing the view of active leases shows nothing; however once I reconcile
and verify then refresh again the leases show. They all have a lease
expiration date of 24 hours from the moment I hit reconcile (our lease length
is 24 hours). They show as type DHCP/BOOTP from the GUI (MMC) and Unspecified
from the command line (netsh). The servers are configured to disallow BOOTP
requests. The Unique ID that appears is far too long to be a MAC address but
other forums suggest this is just a mask... for example a lease for
10.1.100.5 will show as:
31 30 2e 31 2e 31 30 30 2e 35 00
31 = ascii 1
30 = ascii 0
2e = ascii .
31 = ascii 1
2e = ascii .
31 = ascii 1
30 = ascii 0
30 = ascii 0
and so on...

There is a RRAS server in the environment but IPs gathered by RAS show
specifically as just that, have another icon associated with them in the MMC,
show the RAS server name, and never outnumber 10.

Another avenue I'm attempting to explore is Windows Automated Deployment
Services 1.1. When an ADS client tries to PXE boot it sends a broadcast
request. As I understood it, the ADS server picks this up and either assigns
the client a DHCP address or relays its request to a DHCP server. My ADS
server is not configured as a DHCP server OR a DHCP relay agent however, yet
my PXE clients (assuming there are available leases at the time) never fail
to acquire an address. (Perhaps the PXE clients make their own DHCP requests?)

There are no restrictions for DHCP or PXE packets on our switches -- all are
allowed through on a FIFO basis. I also see non-pingable leases being
generated in this scope while no servers on the subnet are attempting PXE
boots.

DHCP logs are not helping either. As an example, I removed all
unidentifiable leases from a scope and found the next morning that 8 new
leases were there (only by following the refresh method listed above.) I
queried all of the logs for the prior week and found not a single reference
to any of the IPs leased out except for my deletion!

I understand reconciling involves comparing the database to information in
the registry. Perhaps if I knew where in the registry this lease info was
stored I could look for clues there. I am leery of deleting and recreating
scopes and read in another post that this failed to resolve an identical
issue for another user.

Any ideas?

 

Oops, to clarify on resolving the Unique IDs for these devices (from Google
Group posting):

"For IP Address 192.168.16.141 the Client Name is also "192.168.16.141" and
the Unique ID is "3139322e3136382e31362..."


Hex 31 = Decimal 49; ASCII 49 = "1"
Hex 39 = Decimal 57; ASCII 57 = "9"
Hex 32 = Decimal 50; ASCII 50 = "2"
Hex 2E = Decimal 46; ASCII 46 = "."
Hex 31 = Decimal 49; ASCII 49 = "1"
Hex 36 = Decimal 54; ASCII 54 = "6"
Hex 38 = Decimal 56; ASCII 56 = "8"
"

I also want to reiterate that the IPs leased in this manner are not
pinagable and not traceable via our switches. So we also have no MAC address
to track via ARP commands.

 

Thanks for posting this info. As for why it is happening, I am not sure.

Did you opt to have DHCP give out IPv6 addresses? I'm not sure if it
coorelates, but if you were to disable IPv6 on the DHCP scope, does it go
back to non-hex?

Ace

 

I appreciate your help Ace. Our DHCP servers do not hand out IPv6 addresses
so that can be ruled out as a cause.

I don't have much experience with network sniffing. Is there a chance I
could configure wireshark or netmon to watch traffic on one of the DHCP
servers for a string containing the ACK and an IP from the range, then just
wait back until that particular IP is swiped by whatever process is taking
them all?

Do you have any scan filter parameters for one of these programs? Are they
resource intensive? What is the likelihood of gathering useful information
from any particular packet?

Thanks in advance!

 

I haven't thought about that, and Wireshark or Netmon would be a good bet. I
would watch BootP and ports UDP 68and 69 filtering, going to and from the
DHCP server. IIRC, I thought there may be a built-in filter for DHCP on
netmon? Not sure about Wireshark.

Ace