Solved

BAD_ADDRESS in DHCP Leases W2K3 R2 Server - Wireshark

Posted on 2014-03-18
Last Modified: 2014-03-19
Hi,
We are still seeing this issue and are baffled as to how to determine where the issue is actually coming from.

Does anyone know where to set the filters in Wireshark to find where the issue is coming from? The thought was to set the filters in Wireshark and clear out the BAD_ADDRESS from the DHCP lease on the DHCP server and do a /release, /renew and determine what is going on.

My skill set with Wireshark is unfortunately very limited and would appreciate some expert advice on this.

Thanks in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
Question by:ellitech
4 Comments
 
LVL 45

Expert Comment

by:Craig Beck
ID: 39939191
Have you turned DHCP logging on?  This should tell you what the clients are asking for.

Try turning conflict detection on to see if that helps.
0
 
LVL 43

Accepted Solution

by:
Steve Knight earned 400 total points
ID: 39939514
Sorry if any of this is obvious, but IMO Wireshark probably isn't going to tell you much.

Normally BAD_ADDRESS is because you have conflict detection turned on (good) and it has found an address in its pool already in use.

Would normally be:

Statically assigned address
Second DHCP server with same scope
Router plugged in somewhere with DHCP turned on
Something like a WDS server

If this is a multi-subnet network you need to look at DHCP helpers etc. on switches, but if this is a flat, one-subnet network then your easiest bet IMO would be to look at one of the BAD_ADDRESS entries. If it pings then find out what machine it is from DNS, connecting with \\x.x.x.x\c$ etc. Then with ipconfig /all you can see the DHCP server that issued that address... If it isn't your official one, there's your culprit.

With Wireshark you could look at the broadcast packets to/from the DHCP server and may see other broadcasts using promiscuous mode, but on a switched network, unless you have a port set up for sniffing all traffic, you won't see the important bits.

Steve
0
 
LVL 16

Assisted Solution

by:vivigatt
vivigatt earned 100 total points
ID: 39939762
To isolate DHCP traffic in Wireshark, filter on UDP ports 67 and 68.
0
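Added example (not part of any post in this thread): once traffic on UDP ports 67 and 68 has been isolated, the responding server can be read from DHCP option 54 (server identifier) in each OFFER/ACK/NAK and compared against the servers that are supposed to answer. The function names are hypothetical and the sample payloads and 192.0.2.x addresses are constructed, not taken from a real capture.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values sent by servers

def parse_reply(payload):
    """Return (type, server_id, yiaddr) for a DHCP server reply, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # 0 = pad, no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype, server = opts.get(53, b""), opts.get(54, b"")
    if len(mtype) != 1 or mtype[0] not in REPLY_TYPES or len(server) != 4:
        return None
    return (REPLY_TYPES[mtype[0]], socket.inet_ntoa(server),
            socket.inet_ntoa(payload[16:20]))            # bytes 16-19 = yiaddr

def unexpected_servers(payloads, authorized):
    """Map each responding server not in `authorized` to the addresses it handed out."""
    found = {}
    for p in payloads:
        reply = parse_reply(p)
        if reply and reply[1] not in authorized:
            found.setdefault(reply[1], []).append(reply[2])
    return found

def build_reply(mtype, yiaddr, server):
    """Construct a minimal DHCP reply payload (sample data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      b"", socket.inet_aton(yiaddr), b"", b"",
                      bytes.fromhex("020000000001"), b"", b"")
    opts = bytes([53, 1, mtype, 54, 4]) + socket.inet_aton(server) + b"\xff"
    return hdr + MAGIC + opts

# Constructed sample: the official server plus a second device answering too.
SAMPLE = [build_reply(2, "192.0.2.50", "192.0.2.10"),
          build_reply(2, "192.0.2.50", "192.0.2.254"),
          build_reply(5, "192.0.2.51", "192.0.2.254")]

if __name__ == "__main__":
    print(unexpected_servers(SAMPLE, authorized={"192.0.2.10"}))
```

The payloads passed in are the UDP payloads of captured DHCP packets; on a switched network the capture point still has to be somewhere the server replies are visible.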
 

Author Closing Comment

by:ellitech
ID: 39940570
We found an Enterasys XSR-1700 router that was acting funny and responding to requests from a different subnet, rebooted the router and the problem went away. Strange as that router has been rock solid for quite some time. Probably a good idea to reboot these routers every 6 months or so.

Thanks for all of your help
0
