Is it possible to NOT see all addresses handed out by DHCP server?

We are a small k-12 school with about 150 school devices plus personal staff devices. Students are not allowed on the network.

I have filters activated on the windows 2012 r2 standard server and need to approve and enter the mac address of permitted devices to receive an address from the DHCP server.

Today the network was slow and a ping test showed 18% lost packets. I connected to our dd-wrt router and found a few computers using more bandwidth than they should.

On the router I can see the IP and the mac address of the devices. The ip address was on handed out by the DHCP server.

Yet when I went to the server >>DHCP>>Address leases, there were several addresses that I could see on the router but I could not see on the leases for the DHCP server.

I did find them using the mac address on the filter list, so they were approved to receive an address, but I could not specifically see them on the lease list.

I thought perhaps I had a second device handing out addresses, but DHCP function is disabled or not installed on the router and other servers. Therefore I do not believe another device was handing out addresses.

Question:  Is it possible to have an incomplete IP address list in the lease section of DHCP?

Thank you.

Jerry ThompsonNetwork AdminAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Soulja53 6F 75 6C 6A 61 Commented:
Can you confirm that those devices didn't statically configure the addresses on them? The lease table in Windows is usually pretty accurate on what addresses it has served.
Jerry ThompsonNetwork AdminAuthor Commented:
Two of the devices were chromebooks and the third was a laptop managed by the Central School District. Neither I nor the
staff member have administrative permissions to change the IP address.
Owen RubinConsultantCommented:
There are free or low cost network scanners that look for all devices on a local network (unless they are totally silent of course.)  I have used this one ( which is free and runs up to Windows 10.  It found all the devices on my network (including a few I thought were disconnected) and it can be run without fully installing.

It might show you items now showing up on your server.

There are other scanners as well if you Google for them.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

nociSoftware EngineerCommented:
On your router you could instal arpwatch  which can warn when new devices are present.....

Now the myth about MAC addresses....  They do NOT provide identity, any Ethernet adapter can be set to ANY MACADDRESS....
MACaddresses can be sniffed from the network if needed. same goed for IP settings.
Also there is no need to use a DHCP server to access a network. If the network is available (i can put in a cable i can also setup a static address, even in the same range as the valid DHCP addresses. Sometime this means some people will get a duplicate and be unable to communicate).

If you need security you need WPA (for wireless in Enterprise mode) and then 802.1x for wired connections.
Jerry ThompsonNetwork AdminAuthor Commented:
I know and use static addresses bypass the DHCP server.  I am counting on my students and staff about being clueless when it comes to creating a static IP.

I am going to run the scanner and will check with the staff member to see if they closed the lid or actually powered off the laptop.

Thank you for your input.  I will update this ticket after a bit more investigation.

nociSoftware EngineerCommented:
A google search will also show this issue being mentioned.
The info is basic network knowledge and is easy to find.

Then again there is MUCH more equipment (unique network interfaces) out in the world then there are available MAC addresses.
The addresses are duplicated already in the factory. Those equipment is sent in several shipments to minimize the chance of the duplicates ever meeting again.   (effectively there is space for 2^24 devices / manufacturer and about 2^20 manufacturers ).

With students  being blocked somewhere that might be takes as "Challenge Accepted"...
Jerry ThompsonNetwork AdminAuthor Commented:
I don't feel like there is a definitive answer. Perhaps I was mistaken in some way. Unexpected things happen often. I will be more observant and perhaps able to more specifically explain what I am seeing.

Thank you for your input.

Owen RubinConsultantCommented:
Curious if all these devices connect via Wifi?

I do note that many newer WiFi routers actually will list static IP addresses as a connection, with their Mac and IP address, even if they did not connect and request a DHCP address.  My Linksys router shows me all connections, even if they do not get a DHCP address.

And unless your students are incredibly good hackers and know how to keep their machine ultra quiet on the network. the scanner should find them.

Network scans are usually based on ARP-packet-sniffing. This protocol is used to map IP- and MAC-addresses. Every IP-communicating device has to send such requests to know where the other devices can be found. Each machine has to send these requests at least once.  It should not be possible to interact with any network-device without sending such ARP-requests. Because they are broadcasted, they can be logged.

One can also use netdiscover to look for "hidden" hosts. Here is some discusison of that tool:
nociSoftware EngineerCommented:
@owen: arpwatch (i mentioned before) does just that. inform when new addresses are seen, based on ARP.
at least in a data file, optionaly send a mail.
Owen RubinConsultantCommented:
Seeing as the question was already closed, I assumed mentioning another ARP program was just adding more info.  But thanks for pointing that out.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.