Solved

BAD_ADDRESS in DHCP Leases W2K3 R2 Server - Wireshark

Posted on 2014-03-18
Last Modified: 2014-03-19
Hi,
We are still seeing this issue and are baffled as to how to determine where the issue is actually coming from.

Does anyone know where to set the filters in Wireshark to find where the issue is coming from? The thought was to set the filters in Wireshark and clear out the BAD_ADDRESS from the DHCP lease on the DHCP server and do a /release, /renew and determine what is going on.

My skill set with Wireshark is unfortunately very limited and I would appreciate some expert advice on this.

Thanks in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
Question by:ellitech
4 Comments
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39939191
Have you turned DHCP logging on?  This should tell you what the clients are asking for.

Try turning conflict detection on to see if that helps.
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 400 total points
ID: 39939514
Sorry if any of this is obvious, but IMO Wireshark probably isn't going to tell you much.

Normally BAD_ADDRESS is because you have conflict detection turned on (good) and it has found an address in its pool already in use.

Would normally be:

Statically assigned address
Second DHCP server with same scope
Router plugged in somewhere with DHCP turned on
Something like a WDS server

If this is a multi-subnet network you need to look at DHCP helpers etc. on switches, but if this is a flat, one-subnet network then your easiest bet IMO would be to look at one of the bad_address entries. If it pings then find out what machine it is from DNS, connecting with \\x.x.x.x\c$ etc. Then with ipconfig /all you can see the DHCP server that issued that address... if it isn't your official one, there's your culprit.

With Wireshark you could look at the broadcast packets to/from the DHCP server and may see other broadcasts using promiscuous mode, but on a switched network, unless you have a port set up for sniffing all traffic, you won't see the important bits.

Steve
0
 
LVL 16

Assisted Solution

by:vivigatt
vivigatt earned 100 total points
ID: 39939762
To isolate DHCP traffic in Wireshark, filter on UDP ports 67 and 68.
0
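The "which DHCP server issued that address" check from the accepted answer can also be run over the UDP 67/68 payloads isolated in a capture. The following is an added example, not code from any poster in this thread: it reads the DHCP message type (option 53) and server identifier (option 54) from each payload and reports servers outside an allow-list. The function names, the `AUTHORIZED` set and the sample addresses are constructed, and it assumes the UDP payload bytes have already been exported from the capture.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options at offset 236
OFFER, ACK = 2, 5                    # option 53 values sent by servers

def parse_dhcp(payload):
    """Return (msg_type, yiaddr, server_id) from a DHCP UDP payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    yiaddr = socket.inet_ntoa(payload[16:20])   # address handed to the client
    msg_type = server_id = None
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                             # pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]           # short if truncated
        if code == 53 and len(value) == 1:
            msg_type = value[0]
        elif code == 54 and len(value) == 4:
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return msg_type, yiaddr, server_id

def unexpected_servers(payloads, authorized):
    """Map each non-authorized server identifier to the addresses it offered or acked."""
    found = {}
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed and parsed[0] in (OFFER, ACK) and parsed[2] and parsed[2] not in authorized:
            found.setdefault(parsed[2], []).append(parsed[1])
    return found

def build_reply(msg_type, yiaddr, server_id):
    """Constructed sample data: minimal server reply (op=2) with options 53 and 54."""
    fixed = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(12) + socket.inet_aton(yiaddr) + bytes(216)
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_id) + b"\xff"
    return fixed + MAGIC_COOKIE + opts

# Constructed capture: the official server is 192.168.10.2 (assumed for the example).
AUTHORIZED = {"192.168.10.2"}
SAMPLE = [
    build_reply(OFFER, "192.168.10.50", "192.168.10.2"),
    build_reply(ACK, "192.168.10.50", "192.168.10.2"),
    build_reply(OFFER, "192.168.10.77", "192.168.10.254"),
]

if __name__ == "__main__":
    print(unexpected_servers(SAMPLE, AUTHORIZED))
```

On a switched network the capture only contains replies that reach the capturing port, so an empty result does not rule out a second server elsewhere.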
 

Author Closing Comment

by:ellitech
ID: 39940570
We found an Enterasys XSR-1700 router that was acting funny and responding to requests from a different subnet, rebooted the router and the problem went away. Strange as that router has been rock solid for quite some time. Probably a good idea to reboot these routers every 6 months or so.

Thanks for all of your help.
0
