Solved

BAD_ADDRESS in DHCP Leases W2K3 R2 Server - Wireshark

Posted on 2014-03-18
Last Modified: 2014-03-19
Hi,
We are still seeing this issue and are baffled as to how to determine where the issue is actually coming from.

Does anyone know where to set the filters in Wireshark to find where the issue is coming from? The thought was to set the filters in Wireshark and clear out the BAD_ADDRESS from the DHCP lease on the DHCP server and do a /release, /renew and determine what is going on.

My skill set with Wireshark is unfortunately very limited and I would appreciate some expert advice on this.

Thanks in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
Question by:ellitech

Expert Comment

by:Craig Beck
ID: 39939191
Have you turned DHCP logging on?  This should tell you what the clients are asking for.

Try turning conflict detection on to see if that helps.

Accepted Solution

by:
Steve Knight earned 400 total points
ID: 39939514
Sorry if any of this is obvious, but IMO Wireshark probably isn't going to tell you much.

Normally BAD_ADDRESS is because you have conflict detection turned on (good) and it has found an address in its pool already in use.

Would normally be:

Statically assigned address
Second DHCP server with same scope
Router plugged in somewhere with DHCP turned on
Something like a WDS server

If this is a multi-subnet network you need to look at DHCP helpers etc. on switches, but if this is a flat, one-subnet network then your easiest bet IMO would be to look at one of the bad_address entries. If it pings then find out what machine it is from DNS, connecting with \\x.x.x.x\c$ etc. Then using ipconfig /all you can see the DHCP server that issued that address... if it isn't your official one there's your culprit.

With Wireshark you could look at the broadcast packets to/from the DHCP server and may see other broadcasts using promiscuous mode, but on a switched network, unless you have a port set up for sniffing all traffic, you won't see the important bits.

Steve

Assisted Solution

by:vivigatt
vivigatt earned 100 total points
ID: 39939762
To isolate DHCP traffic in Wireshark, filter on UDP ports 67 and 68.
0
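As an added example (not part of the original posts): once DHCP traffic is isolated on UDP ports 67 and 68, a short parser can list which servers are actually answering clients. It reads option 53 (message type) and option 54 (server identifier) from each payload and reports any replying server that is not in an authorized set; the function names, sample packets and 192.0.2.x addresses are constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie at offset 236
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values sent only by servers

def parse_dhcp(payload):
    """Parse the UDP payload of a port 67/68 packet; None if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if i + 2 + length > len(payload):                # truncated option: stop parsing
            break
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg, sid = opts.get(53, b""), opts.get(54, b"")
    return {
        "msg_type": msg[0] if len(msg) == 1 else None,
        "server_id": socket.inet_ntoa(sid) if len(sid) == 4 else None,
        "yiaddr": socket.inet_ntoa(payload[16:20]),      # address handed to the client
        "giaddr": socket.inet_ntoa(payload[24:28]),      # relay (DHCP helper) address
    }

def unexpected_servers(payloads, authorized):
    """Map each unauthorized server identifier to the (type, address) replies it sent."""
    found = {}
    for p in payloads:
        m = parse_dhcp(p)
        if m and m["msg_type"] in SERVER_TYPES and m["server_id"] not in authorized:
            found.setdefault(m["server_id"], []).append(
                (SERVER_TYPES[m["msg_type"]], m["yiaddr"]))
    return found

def build_sample(op, msg_type, yiaddr, server_id=None):  # demo payload, not captured traffic
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)
    hdr += b"\0" * 4 + socket.inet_aton(yiaddr) + b"\0" * 8   # ciaddr, yiaddr, siaddr, giaddr
    hdr += b"\0" * (16 + 64 + 128)                             # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + socket.inet_aton(server_id)
    return hdr + MAGIC + opts + b"\xff"

SAMPLES = [build_sample(1, 1, "0.0.0.0"),                      # constructed: client DISCOVER
           build_sample(2, 2, "192.0.2.50", "192.0.2.10"),     # OFFER from the official server
           build_sample(2, 2, "192.0.2.77", "192.0.2.254")]    # OFFER from another device
```

Feed `unexpected_servers` the UDP payloads exported from a capture filtered on ports 67 and 68, with `authorized` set to the official DHCP server's address.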
 

Author Closing Comment

by:ellitech
ID: 39940570
We found an Enterasys XSR-1700 router that was acting funny and responding to requests from a different subnet, rebooted the router and the problem went away. Strange, as that router has been rock solid for quite some time. Probably a good idea to reboot these routers every 6 months or so.

Thanks for all of your help