Is that even possible to see a device showing active on the network but is powered off?

Jerry Thompson
Jerry Thompson used Ask the Experts™
on
We are a small k-12 school with about 150 school devices plus personal staff devices. Students are not allowed on the network.

I have filters activated on the windows 2012 r2 standard server and need to approve and enter the mac address of permitted devices to receive an address from the DHCP server.

I connected to our dd-wrt router and found a few computers using more bandwidth than they should.

One of the computers using too many resources belonged to one of the staff members. I went to see what that person was doing and I found the laptop powered off and plugged into a charging cart. The teacher stated that the laptop had been off for 2-3 hours, yet the dd-wrt >> Status >> LAN >> Active Clients showed the device had over 500 connections to the internet.

Question:  Is that even possible to see a device showing active on the network but is powered off?  My expectation is NO unless the computer was not truly off.

And I do believe it was powered off. I stood there when she turned it on and booted it up.  I double checked the mac address and it did match. The next time I looked at the active devices, the laptop was no longer on the list.

Thank you.

Jerlo
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
SouljaSr.Net.Eng
Top Expert 2011

Commented:
Is there any type of Wake On Lan feature enabled on the device. Nic usually stays on when that feature is enabled.
atlas_shudderedSr. Network Engineer

Commented:
If you are in a school, there is the possibility that one of your more adventurous students has figured out how to MAC spoof, which will get them past your mac filter on the server.

You could potentially confirm by tracing the MAC through the network.

Are you running wireless or hardwired into switches?

If wireless, is the MAC you are seeing identified to the NIC or wNIC?
atlas_shudderedSr. Network Engineer

Commented:
Another thought.  Filtering your DHCP only restricts what devices are able to grab an address from your server.  It doesn't stop someone configuring an IP address manually and connecting to your network.  I read your other post and that could be a possible cause of the behavior you are seeing as well.
Commented:
Some devices, even when "off" are not truly off. As has been said, if wake on LAN is on the device is watching the net all the time. Or if the device looks at the network even when not "active", yes, it could be on-line and doing things. Off is not really off on many devices today.  

That particular device you mention may have been "sleeping" and depending on the computer, may be downloading updates to software or Windows. Although, that is a LARGE amount of connections.

Amazon Echo's, most set top boxes, home AV amps, and other devices will appear "off" by turning off the display and leds, but stay on-line in their off state.

But as also been said, I am inclined to believe that someone may have cloned the MAC address to get on the net, and used the time of the "real" machine being off to use the network. That many connections almost sounds like a torrent running!
Jerry ThompsonNetwork Admin

Author

Commented:
Thank you for your input.  It was helpful.  I still never really discovered if the device was a sleep or truely off.

Thanks again.

jerlo

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial