Solved

BAD_ADDRESS in DHCP Leases W2K3 R2 Server - Wireshark

Posted on 2014-03-18
Last Modified: 2014-03-19
Hi,
We are still seeing this issue and are baffled as to how to determine where the issue is actually coming from.

Does anyone know where to set the filters in Wireshark to find where the issue is coming from? The thought was to set the filters in Wireshark, clear out the BAD_ADDRESS from the DHCP lease on the DHCP server, do a /release and /renew, and determine what is going on.

My skill set with Wireshark is unfortunately very limited, and I would appreciate some expert advice on this.

Thanks in advance for taking the time to respond back, it is greatly appreciated.

ElliTech
Question by:ellitech
4 Comments
 
Expert Comment

by:Craig Beck
ID: 39939191
Have you turned DHCP logging on?  This should tell you what the clients are asking for.

Try turning conflict detection on to see if that helps.
0
 
Accepted Solution

by:
Steve Knight earned 400 total points
ID: 39939514
Sorry if any of this is obvious, but IMO Wireshark probably isn't going to tell you much.

Normally BAD_ADDRESS is because you have conflict detection turned on (good) and it has found an address in its pool already in use.

Would normally be:

Statically assigned address
Second DHCP server with same scope
Router plugged in somewhere with DHCP turned on
Something like a WDS server

If this is a multi-subnet network you need to look at DHCP helpers etc. on switches, but if this is a flat, one-subnet network then your easiest bet IMO would be to look at one of the BAD_ADDRESS entries. If it pings, then find out what machine it is from DNS, connecting with \\x.x.x.x\c$ etc. Then use ipconfig /all and you can see the DHCP server that issued that address... if it isn't your official one, there's your culprit.

With Wireshark you could look at the broadcast packets to/from the DHCP server and may see other broadcasts using promiscuous mode, but on a switched network, unless you have a port set up for sniffing all traffic, you won't see the important bits.

Steve
0
 
Assisted Solution

by:vivigatt
vivigatt earned 100 total points
ID: 39939762
To isolate DHCP traffic in Wireshark, filter on UDP ports 67 and 68.
0
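The answers above come down to finding which DHCP server is actually handing out addresses. As an added example (not code from any poster in this thread), the Python below parses the UDP payload of port 67/68 packets, reads the server identifier (option 54) from each OFFER/ACK, and lists servers that are not on an authorized list. The addresses, the `build_reply` helper and the sample packets are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"    # marks the start of DHCP options (RFC 2131)
REPLY_TYPES = {2: "OFFER", 5: "ACK"}  # option 53 values sent by servers

def parse_dhcp(payload):
    """Parse the UDP payload of a port 67/68 packet; None if it is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    info = {"yiaddr": socket.inet_ntoa(payload[16:20]), "type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:                     # truncated option, stop parsing
            break
        if code == 53 and length == 1:              # DHCP message type
            info["type"] = REPLY_TYPES.get(value[0], value[0])
        elif code == 54 and length == 4:            # server identifier
            info["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return info

def unauthorized_servers(payloads, authorized):
    """Return sorted (server_id, offered_ip) pairs for replies from unlisted servers."""
    hits = set()
    for payload in payloads:
        d = parse_dhcp(payload)
        if d and d["type"] in ("OFFER", "ACK") and d["server_id"]:
            if d["server_id"] not in authorized:
                hits.add((d["server_id"], d["yiaddr"]))
    return sorted(hits)

def build_reply(msg_type, yiaddr, server_id):
    """Constructed sample: a minimal BOOTREPLY carrying options 53 and 54."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)
    hdr += b"\x00" * 4 + socket.inet_aton(yiaddr) + b"\x00" * 8   # ciaddr, yiaddr, siaddr, giaddr
    hdr += b"\x00" * (16 + 64 + 128)                              # chaddr, sname, file
    opts = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_id) + b"\xff"
    return hdr + MAGIC_COOKIE + opts

# Constructed capture: two replies from the official server, one from another subnet.
SAMPLES = [build_reply(2, "192.168.1.101", "192.168.1.10"),
           build_reply(5, "192.168.1.101", "192.168.1.10"),
           build_reply(2, "10.20.0.57", "10.20.0.1"), b"not dhcp"]
print(unauthorized_servers(SAMPLES, {"192.168.1.10"}))
```

Any server reported here that is not the official DHCP server is the device to track down, as in the accepted answer.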
 

Author Closing Comment

by:ellitech
ID: 39940570
We found an Enterasys XSR-1700 router that was acting funny and responding to requests from a different subnet; we rebooted the router and the problem went away. Strange, as that router has been rock solid for quite some time. Probably a good idea to reboot these routers every 6 months or so.

Thanks for all of your help.
0

Question has a verified solution.
