Is it possible to NOT see all addresses handed out by DHCP server?

Jerry Thompson
We are a small k-12 school with about 150 school devices plus personal staff devices. Students are not allowed on the network.

I have filters activated on the Windows 2012 R2 Standard server and need to approve and enter the MAC address of permitted devices to receive an address from the DHCP server.

Today the network was slow and a ping test showed 18% lost packets. I connected to our dd-wrt router and found a few computers using more bandwidth than they should.

On the router I can see the IP and the MAC address of the devices. The IP address was one handed out by the DHCP server.

Yet when I went to the server >>DHCP>>Address leases, there were several addresses that I could see on the router but I could not see on the leases for the DHCP server.

I did find them using the MAC address on the filter list, so they were approved to receive an address, but I could not specifically see them on the lease list.

I thought perhaps I had a second device handing out addresses, but DHCP function is disabled or not installed on the router and other servers. Therefore I do not believe another device was handing out addresses.

Question: Is it possible to have an incomplete IP address list in the lease section of DHCP?

Thank you.

Jerlo
SouljaSr.Net.Eng
Top Expert 2011

Commented:
Can you confirm that those devices didn't statically configure the addresses on them? The lease table in Windows is usually pretty accurate on what addresses it has served.
Jerry Thompson, Network Admin

Author

Commented:
Two of the devices were Chromebooks and the third was a laptop managed by the Central School District. Neither I nor the staff member has administrative permissions to change the IP address.
Commented:
There are free or low-cost network scanners that look for all devices on a local network (unless they are totally silent, of course). I have used this one (https://www.advanced-ip-scanner.com/), which is free and runs up to Windows 10. It found all the devices on my network (including a few I thought were disconnected) and it can be run without fully installing.

It might show you items not showing up on your server.

There are other scanners as well if you Google for them.

noci, Software Engineer
Distinguished Expert 2018

Commented:
On your router you could install arpwatch, which can warn when new devices are present...

Now the myth about MAC addresses... They do NOT provide identity; any Ethernet adapter can be set to ANY MAC address...
MAC addresses can be sniffed from the network if needed. The same goes for IP settings.
Also, there is no need to use a DHCP server to access a network. If the network is available (if I can put in a cable, I can also set up a static address, even in the same range as the valid DHCP addresses. Sometimes this means some people will get a duplicate and be unable to communicate).

If you need security you need WPA (for wireless in Enterprise mode) and then 802.1x for wired connections.
Jerry Thompson, Network Admin

Author

Commented:
I know and use static addresses to bypass the DHCP server. I am counting on my students and staff being clueless when it comes to creating a static IP.

I am going to run the scanner and will check with the staff member to see if they closed the lid or actually powered off the laptop.

Thank you for your input. I will update this ticket after a bit more investigation.

Jerlo
noci, Software Engineer
Distinguished Expert 2018

Commented:
A Google search will also show this issue being mentioned.
The info is basic network knowledge and is easy to find.

Then again, there is MUCH more equipment (unique network interfaces) out in the world than there are available MAC addresses.
The addresses are duplicated already in the factory. That equipment is sent in several shipments to minimize the chance of the duplicates ever meeting again. (Effectively there is space for 2^24 devices per manufacturer and about 2^20 manufacturers.)

With students being blocked somewhere, that might be taken as "Challenge Accepted"...
Jerry Thompson, Network Admin

Author

Commented:
I don't feel like there is a definitive answer. Perhaps I was mistaken in some way. Unexpected things happen often. I will be more observant and perhaps able to more specifically explain what I am seeing.

Thank you for your input.

Jerlo

Commented:
Curious if all these devices connect via WiFi?

I do note that many newer WiFi routers actually will list static IP addresses as a connection, with their MAC and IP address, even if they did not connect and request a DHCP address. My Linksys router shows me all connections, even if they do not get a DHCP address.

And unless your students are incredibly good hackers and know how to keep their machine ultra quiet on the network, the scanner should find them.

Network scans are usually based on ARP packet sniffing. This protocol is used to map IP and MAC addresses. Every IP-communicating device has to send such requests to know where the other devices can be found. Each machine has to send these requests at least once. It should not be possible to interact with any network device without sending such ARP requests. Because they are broadcast, they can be logged.

One can also use netdiscover to look for "hidden" hosts. Here is some discussion of that tool: https://kalilinuxtutorials.com/netdiscover-scan-live-hosts-network/
noci, Software Engineer
Distinguished Expert 2018

Commented:
@owen: arpwatch (I mentioned before) does just that: inform when new addresses are seen, based on ARP, at least in a data file; optionally it sends a mail.
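The two comments above describe the same defensive idea from different angles: the ARP table is the ground truth of who is actually talking on the segment, and the DHCP lease list is only who asked for an address. The script below, an added example and not code from any participant in the thread, shows both checks in working form. It reconciles a router's ARP table against a DHCP lease export to list hosts that are on the wire but hold no lease (the original poster's situation), and it replays a series of ARP observations the way arpwatch reports them, flagging a "new station" the first time a MAC appears and a "changed ethernet address" when an IP moves to a different MAC. Both input formats are constructed for the example: the ARP table follows the layout of Linux `/proc/net/arp` as a dd-wrt router would show it, and the lease export is a simple CSV rather than the Windows DHCP console's own export; the parsers are the parts to adapt to your real data.

```python
"""Reconcile ARP observations against DHCP leases (added example, constructed data)."""
import re

# Constructed sample: ARP table in the layout of Linux /proc/net/arp.
# Flags 0x2 (ATF_COM) marks a complete entry; 0x0 is an unresolved probe.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.21        0x1         0x2         aa:bb:cc:00:00:21     *        br0
10.0.0.22        0x1         0x2         aa:bb:cc:00:00:22     *        br0
10.0.0.37        0x1         0x2         aa:bb:cc:00:00:37     *        br0
10.0.0.99        0x1         0x0         00:00:00:00:00:00     *        br0
"""

# Constructed sample: DHCP lease export as "ip,mac,expires" CSV.
# Windows writes MACs with dashes and upper case, so normalisation matters.
DHCP_LEASES = """\
ip,mac,expires
10.0.0.21,AA-BB-CC-00-00-21,2019-03-12 16:00
10.0.0.22,AA-BB-CC-00-00-22,2019-03-12 16:05
"""

# Constructed sample: (time, ip, mac) sightings, as arpwatch would see them.
OBSERVATIONS = [
    ("09:00", "10.0.0.21", "aa:bb:cc:00:00:21"),
    ("09:05", "10.0.0.37", "aa:bb:cc:00:00:37"),
    ("09:10", "10.0.0.21", "aa:bb:cc:00:00:21"),
    ("09:15", "10.0.0.21", "aa:bb:cc:00:00:99"),  # same IP, different adapter
]


def normalize_mac(mac):
    """Canonical form 'aa:bb:cc:dd:ee:ff' regardless of separators or case."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_proc_net_arp(text):
    """Return {ip: mac} for complete entries; skip the header and unresolved rows."""
    hosts = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3]
        if int(flags, 16) & 0x2 == 0:  # incomplete entry, nobody answered
            continue
        hosts[ip] = normalize_mac(mac)
    return hosts


def parse_lease_csv(text):
    """Return {ip: mac} from the constructed 'ip,mac,expires' export."""
    leases = {}
    for line in text.strip().splitlines()[1:]:
        ip, mac, _expires = (f.strip() for f in line.split(","))
        leases[ip] = normalize_mac(mac)
    return leases


def find_unleased_hosts(arp_hosts, leases):
    """Hosts answering ARP with no lease, or leased to a different MAC than seen."""
    return {ip: mac for ip, mac in arp_hosts.items() if leases.get(ip) != mac}


def arpwatch_events(observations):
    """Replay sightings and emit the two arpwatch-style events:
    'new station' on first sight of a MAC, 'changed ethernet address'
    when an IP is seen with a different MAC than last time."""
    known_macs, ip_to_mac, events = set(), {}, []
    for ts, ip, mac in observations:
        mac = normalize_mac(mac)
        if mac not in known_macs:
            known_macs.add(mac)
            events.append((ts, "new station", ip, mac))
        if ip in ip_to_mac and ip_to_mac[ip] != mac:
            events.append((ts, "changed ethernet address", ip, mac))
        ip_to_mac[ip] = mac
    return events


if __name__ == "__main__":
    on_wire = parse_proc_net_arp(ARP_TABLE)
    leased = parse_lease_csv(DHCP_LEASES)
    for ip, mac in sorted(find_unleased_hosts(on_wire, leased).items()):
        print(f"on network without a DHCP lease: {ip} {mac}")
    for ts, kind, ip, mac in arpwatch_events(OBSERVATIONS):
        print(f"{ts} {kind}: {ip} {mac}")
```

Run against real data, the "no lease" list is exactly the set of addresses the original poster saw on the router but not in the DHCP console: static configurations, leases from another server, or devices whose lease has expired while their ARP cache entry lingered. The "changed ethernet address" event is the signal a MAC filter cannot give you, since the filter only sees the address a device claims.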

Commented:
Seeing as the question was already closed, I assumed mentioning another ARP program was just adding more info. But thanks for pointing that out.
