DHCP request from nowhere

Discussion in 'Server Networking' started by Normand, May 12, 2009.

  1. Normand

    Normand Guest

    Hi,
    In our DHCP server (French Windows 2k3 R2), we have records showing type
    DHCP/BOOTP with a unique ID 31302e302e39302e31353xx.
    Does someone know what could create entries like that?
    Every 10-15 minutes, a different record is created.
    To be able to see those records, I have to go on my scope, right-click
    Reconcile, Verify, Reconcile and then I can see the record.
    Thanks for your help.
     
    Normand, May 12, 2009
    #1

  2. Hello Normand,

    Any device which is enabled to use DHCP, switches, printers, computers of
    course, handheld if network ready etc.......

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], May 13, 2009
    #2

  3. Get the MAC address of the device or client, then log into your switch to determine what port it is on.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    "Efficiency is doing things right; effectiveness is doing the right things." - Peter F. Drucker
    http://twitter.com/acefekay
     
    Ace Fekay [Microsoft Certified Trainer], May 13, 2009
    #3
  4. Normand

    Normand Guest

    Hi Meinolf,
    But one device can create multiple records in DHCP?
    The unique ID is supposed to be the MAC address of the device but in my
    case, unique ID is 31302e302e39302e31353100, 31302e302e39302e31353200,
    31302e302e39302e31353300, etc.
    Thanks.
     
    Normand, May 13, 2009
    #4
  5. Normand

    Normand Guest

    Hi Ace,
    How can I find MAC address of that device? MAC is supposed to be indicated
    under Unique ID but what I have is 31302e302e39302e31353100,
    31302e302e39302e31353200, 31302e302e39302e31353300, etc. for each record.
    Thanks for any more help.


    "Ace Fekay [Microsoft Certified Trainer]" <> wrote
    in the newsgroup message:
    ...
     
    Normand, May 13, 2009
    #5
  6. Hello Normand,

    Ping the ip address of that item and then run "arp -a" in a command prompt,
    the list should also show the MAC for the ip address from that device.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], May 13, 2009
    #6
  7. Normand

    Normand Guest

    I did that and I can't ping the device with that IP address.
    Always receive a request time out.


     
    Normand, May 13, 2009
    #7

  8. Wow, that is odd. The uniqueID should be 12 characters. You are seeing a 24 bit MAC. Let's break it down.

    For:
    3130 2e30 2e39 302e 3135 3100
    (put into calc as Hex, then changed from Qword to Dword) and got:

    2E 39 30 2E 00

    Do you see that MAC? If not, how about any of the following?

    31 2e 30 31 31
    or
    30 30 39 2e 35 00


    Ace
     
    Ace Fekay [Microsoft Certified Trainer], May 14, 2009
    #8
  9. Normand

    Normand Guest

    Hi Ace,

    Nothing like that in my DHCP records.
    Kind of bizarre thing.


    "Ace Fekay [Microsoft Certified Trainer]" <> wrote
    in the newsgroup message:
    ...
     
    Normand, May 14, 2009
    #9
  10. No, not in DHCP records, I mean after breaking it down as I suggested (and that was just a stab at it), to look for that number as a possible MAC in the switch's ARP or MAC table.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], May 16, 2009
    #10
  11. yzzazz

    yzzazz Guest

    Hi folks,

    We are experiencing the same issue. Several Windows 2003 SP2 DHCP servers
    have scopes that become completely exhausted over time for no clear reason.

    Refreshing the view of active leases shows nothing; however once I reconcile
    and verify then refresh again the leases show. They all have a lease
    expiration date of 24 hours from the moment I hit reconcile (our lease length
    is 24 hours). They show as type DHCP/BOOTP from the GUI (MMC) and Unspecified
    from the command line (netsh). The servers are configured to disallow BOOTP
    requests. The Unique ID that appears is far too long to be a MAC address but
    other forums suggest this is just a mask... for example a lease for
    10.1.100.5 will show as:
    31 30 2e 31 2e 31 30 30 2e 35 00
    31 = ascii 1
    30 = ascii 0
    2e = ascii .
    31 = ascii 1
    2e = ascii .
    31 = ascii 1
    30 = ascii 0
    30 = ascii 0
    and so on...

    There is a RRAS server in the environment but IPs gathered by RAS show
    specifically as just that, have another icon associated with them in the MMC,
    show the RAS server name, and never outnumber 10.

    Another avenue I'm attempting to explore is Windows Automated Deployment
    Services 1.1. When an ADS client tries to PXE boot it sends a broadcast
    request. As I understood it, the ADS server picks this up and either assigns
    the client a DHCP address or relays its request to a DHCP server. My ADS
    server is not configured as a DHCP server OR a DHCP relay agent however, yet
    my PXE clients (assuming there are available leases at the time) never fail
    to acquire an address. (Perhaps the PXE clients make their own DHCP requests?)

    There are no restrictions for DHCP or PXE packets on our switches -- all are
    allowed through on a FIFO basis. I also see non-pingable leases being
    generated in this scope while no servers on the subnet are attempting PXE
    boots.

    DHCP logs are not helping either. As an example, I removed all
    unidentifiable leases from a scope and found the next morning that 8 new
    leases were there (only by following the refresh method listed above.) I
    queried all of the logs for the prior week and found not a single reference
    to any of the IPs leased out except for my deletion!

    I understand reconciling involves comparing the database to information in
    the registry. Perhaps if I knew where in the registry this lease info was
    stored I could look for clues there. I am leery of deleting and recreating
    scopes and read in another post that this failed to resolve an identical
    issue for another user.

    Any ideas?
     
    yzzazz, Jun 4, 2009
    #11
  12. yzzazz

    yzzazz Guest

    Oops, to clarify on resolving the Unique IDs for these devices (from Google
    Group posting):

    "For IP Address 192.168.16.141 the Client Name is also "192.168.16.141" and
    the Unique ID is "3139322e3136382e31362..."


    Hex 31 = Decimal 49; ASCII 49 = "1"
    Hex 39 = Decimal 57; ASCII 57 = "9"
    Hex 32 = Decimal 50; ASCII 50 = "2"
    Hex 2E = Decimal 46; ASCII 46 = "."
    Hex 31 = Decimal 49; ASCII 49 = "1"
    Hex 36 = Decimal 54; ASCII 54 = "6"
    Hex 38 = Decimal 56; ASCII 56 = "8"
    "

    I also want to reiterate that the IPs leased in this manner are not
    pingable and not traceable via our switches. So we also have no MAC address
    to track via ARP commands.
     
    yzzazz, Jun 4, 2009
    #12
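
The decoding described in posts #11 and #12, as an added example that is not part of any post in this thread: it classifies a lease's Unique ID as a 6-byte MAC or as the lease's own IP address spelled out in ASCII with a trailing NUL. The function names are hypothetical; the first three IDs are quoted in the thread (pairing Normand's IDs with the IPs they decode to is an assumption), and the last row is constructed.

```python
import ipaddress
import re

def classify_unique_id(uid_hex):
    """Classify a DHCP lease Unique ID given as a hex string.

    Returns ("mac", "aa:bb:cc:dd:ee:ff") for a 6-byte ID,
    ("ascii-ip", "a.b.c.d") when the bytes are the ASCII text of a
    dotted IPv4 address (trailing NUL allowed), ("other", hex) for
    anything else, and ("invalid", input) if it is not hex at all.
    """
    # Accept "31 30 2e", "31302e", "00-1a-2b" and "00:1a:2b" spellings.
    cleaned = re.sub(r"[\s:-]", "", uid_hex).lower()
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError:
        return ("invalid", uid_hex)
    if len(raw) == 6:
        return ("mac", ":".join(f"{b:02x}" for b in raw))
    try:
        text = raw.rstrip(b"\x00").decode("ascii")
        return ("ascii-ip", str(ipaddress.IPv4Address(text)))
    except (UnicodeDecodeError, ValueError):
        return ("other", cleaned)

def self_named_leases(leases):
    """Return lease IPs whose Unique ID is just that IP spelled in ASCII."""
    return [ip for ip, uid in leases
            if classify_unique_id(uid) == ("ascii-ip", ip)]

# (lease IP, Unique ID) pairs; see the lead-in for which are from the thread.
SAMPLE_LEASES = [
    ("10.0.90.151", "31302e302e39302e31353100"),
    ("10.0.90.152", "31302e302e39302e31353200"),
    ("10.1.100.5", "31 30 2e 31 2e 31 30 30 2e 35 00"),
    ("10.0.90.20", "00-1a-2b-3c-4d-5e"),  # constructed ordinary client
]

if __name__ == "__main__":
    for ip, uid in SAMPLE_LEASES:
        print(ip, classify_unique_id(uid))
    print("self-named:", self_named_leases(SAMPLE_LEASES))
```

A lease that lands in the self-named list carries no hardware address at all, which is consistent with the posters finding nothing to ping or trace on the switches.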
  13. Thanks for posting this info. As for why it is happening, I am not sure.

    Did you opt to have DHCP give out IPv6 addresses? I'm not sure if it
    correlates, but if you were to disable IPv6 on the DHCP scope, does it go
    back to non-hex?

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 5, 2009
    #13
  14. yzzazz

    yzzazz Guest

    I appreciate your help Ace. Our DHCP servers do not hand out IPv6 addresses
    so that can be ruled out as a cause.

    I don't have much experience with network sniffing. Is there a chance I
    could configure wireshark or netmon to watch traffic on one of the DHCP
    servers for a string containing the ACK and an IP from the range, then just
    wait back until that particular IP is swiped by whatever process is taking
    them all?

    Do you have any scan filter parameters for one of these programs? Are they
    resource intensive? What is the likelihood of gathering useful information
    from any particular packet?

    Thanks in advance!
     
    yzzazz, Jun 5, 2009
    #14
  15. I haven't thought about that, and Wireshark or Netmon would be a good bet. I
    would watch BootP and ports UDP 68 and 69 filtering, going to and from the
    DHCP server. IIRC, I thought there may be a built-in filter for DHCP on
    netmon? Not sure about Wireshark.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Jun 5, 2009
    #15