Hmm, that is weird.
I have a wireless access point in my network (secured) and was worried about hackers when I saw strange MAC addresses in my DHCPACK messages. I wrote a script to parse the log files and display information about the machines using my network. It is not very clever, but it satisfied me that no one has been using my network without my permission.
Perhaps you might find it useful. Here is the code:
#!/usr/bin/python
#
# dhcp-info
#
# Digest DHCP information from logs and produce reports.
# Usage:
# dhcp-info <filenames>
#
# where: <filenames> is a list of DHCP log files (/var/log/messages* for Fedora)
#
# Motivation:
# Curiosity about whether there had been any attempts to log in to my network by
# unknown hosts.
#
# Keith Grant
# 1/9/2011
#
from __future__ import print_function

import datetime as dt
import os
import sys
import time
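class DHCPInfo:
    ''' Container class for DHCP information.

    Parses the DHCPACK lines out of syslog-style files and keeps three
    cross-reference tables plus a chronological record of every ACK:

      data  - list of (datetime, ip, mac, hostname, raw line), oldest first
      hosts - hostname -> [mac, ...]   ('' collects ACKs sent without a hostname)
      macs  - mac -> [hostname, ...]
      ips   - ip -> [hostname, ...]

    NOTE(review): the hostname in a DHCPACK line is whatever the client put in
    its request and the MAC address is chosen by the client as well; neither is
    authenticated, so these tables show who *claimed* to be on the network, not
    who was.  A machine with a static address never sends DHCP and will not
    appear here at all.
    '''

    def __init__(self, files):
        ''' Build the tables from the given log files.

        files: iterable of log file paths (e.g. /var/log/messages*).
        Raises Exception if a file is missing or a DHCPACK line cannot be parsed.
        '''
        self.data = []
        self.hosts = {}     # Dict of hostname : [mac list]
        self.macs = {}      # Dict of mac : [hostname list]
        self.ips = {}       # Dict of ip : [hostname list]
        # Extract data from the log files; echo each name so a long run shows progress
        for f in files:
            print(f)
            self._parse(f)
        # Sort the data chronologically (rotated logs may be given in any order)
        self.data.sort(key=lambda record: record[0])

    @staticmethod
    def _remember(table, key, value):
        ''' Append value to table[key], creating the list on first sight and
        never recording the same value twice.'''
        seen = table.setdefault(key, [])
        if value not in seen:
            seen.append(value)

    def _parseDHCPAck(self, line):
        ''' Parse a single log entry for DHCPACK.
        There seems to be two different forms:
        Jan 9 17:20:30 localhost dhcpd: DHCPACK on 192.168.1.102 to aa:bb:cc:dd:ee:ff (voldemort) via eth0
        Jan 9 10:36:48 localhost dhcpd: DHCPACK to 192.168.1.154 (gg:hh:jj:kk:ll:mm) via eth0
        In the first case, the hostname is in (). In the second, only the MAC
        address is in parenthesis.

        Raises Exception for a line that matches neither form (a hostname
        containing spaces would do that).  The log line carries no year, so the
        current year is assumed: a file spanning New Year will have its December
        entries dated a year late.
        '''
        fields = line.split()
        # Identify the form by its length AND the keyword after DHCPACK, so a
        # 13-field line of some other shape is rejected instead of misread.
        if len(fields) == 13 and fields[6] == 'on':
            # Hostname present: ... DHCPACK on <ip> to <mac> (<host>) via <if>
            ip = fields[7]
            mac = fields[9]
            host = fields[10][1:-1]     # strip off parens
        elif len(fields) == 11 and fields[6] == 'to':
            # No hostname present: ... DHCPACK to <ip> (<mac>) via <if>
            ip = fields[7]
            mac = fields[8][1:-1]       # strip off the parens
            host = ''
        else:
            raise Exception('Unusual DHCPACK log entry: "%s"' % line)
        # Get the date/time.  The year goes into the parse string rather than
        # being patched in afterwards: strptime defaults to 1900, which is not
        # a leap year, so a Feb 29 entry would otherwise raise ValueError even
        # in a leap year.
        year = time.localtime().tm_year
        t = dt.datetime.strptime('%d %s' % (year, ' '.join(fields[:3])),
                                 '%Y %b %d %H:%M:%S')
        self.data.append((t, ip, mac, host, line.strip()))
        # Cross-reference the three identifiers.  A laptop with wired and
        # wireless interfaces legitimately shows several MACs for one host; a
        # dual-boot machine shows several hostnames for one MAC / IP.
        self._remember(self.macs, mac, host)
        self._remember(self.hosts, host, mac)
        self._remember(self.ips, ip, host)

    def _parse(self, filepath):
        ''' Feed every DHCPACK line of one log file to _parseDHCPAck.

        Raises Exception if the file does not exist.  Lines are streamed rather
        than read into a list first, since rotated syslogs can be large.
        '''
        if not os.path.exists(filepath):
            raise Exception('File "%s" not found' % filepath)
        with open(filepath, 'r') as f:
            for line in f:
                if 'DHCPACK' in line:
                    self._parseDHCPAck(line)

    def log(self, host=None, mac=None, raw=None):
        ''' Print the chronological ACK record.

        host: print only entries for this hostname.
        mac:  print only entries for this MAC (ignored when host is given).
        raw:  print the original log line instead of the parsed fields
              (ignored when host or mac is given).
        '''
        for t, ip, m, h, text in self.data:
            if host:
                if h == host:
                    print(t, ip, m, h)
            elif mac:
                if m == mac:
                    print(t, ip, m, h)
            elif raw:
                print(text)
            else:
                print(t, ip, m, h)

    def mac(self):
        ''' Print every MAC address seen with the hostnames it has used.'''
        print()
        print('Unique MAC addresses:')
        for m in sorted(self.macs):
            print('%-19s %s' % (m, self.macs[m]))

    def host(self):
        ''' Print every hostname seen with the MAC addresses it has used.
        ACKs that carried no hostname (key '') are left out of this table.'''
        print()
        print('Unique Hostnames:')
        for h in sorted(self.hosts):
            if h:
                print('%-25s %s' % (h, self.hosts[h]))

    def ip(self):
        ''' Print every IP address handed out with the hostnames that used it.'''
        print()
        print('IP Addresses:')
        for i in sorted(self.ips):
            print('%-19s %s' % (i, self.ips[i]))

    def checkUnknowns(self):
        ''' Display any unknown mac addresses.

        "Unknown" means a MAC address that has never sent a hostname with its
        request, i.e. its only recorded hostname is ''.  (Checking the
        hostname-less MACs against self.macs, as the first version did, finds
        nothing: every MAC in self.hosts[''] is in self.macs by construction.)
        Returns the sorted list of such MACs so callers can act on it.
        '''
        print()
        print('Checking for unknown mac addresses:')
        unknown = [m for m in sorted(self.macs) if self.macs[m] == ['']]
        for m in unknown:
            print('Unknown MAC address! %s' % m)
        if not unknown:
            print('No unknown MAC addresses found.')
        print('Done.')
        return unknown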
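if __name__ == '__main__':
    def usage():
        ''' Print the command-line synopsis.  It goes to stderr because it is
        only shown on a usage error, and the reports go to stdout.'''
        print(file=sys.stderr)
        print("Usage:", file=sys.stderr)
        print(" dhcp-info <message file> [<message file>]*", file=sys.stderr)
        print(" where <message file> is typically '/var/log/messages'.", file=sys.stderr)
        print(file=sys.stderr)

    args = sys.argv
    if len(args) < 2:
        usage()
        sys.exit(1)
    d = DHCPInfo(args[1:])
    # d.log() would also dump every ACK in order; left out as it is long.
    d.host()
    d.mac()
    d.ip()
    d.checkUnknowns()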
Copy the code to a text file on your hda called 'dhcp-info' and make it executable (chmod +x dhcp-info).
To run the script, type: 'dhcp-info /var/log/messages*'
When you run it, it produces three tables.
1. It displays a list of all the hostnames it has seen along with their MAC addresses. If you have a laptop with both wired and wireless interfaces, it will show up with two MAC addresses.
2. It displays a list of all of the unique MAC addresses it has seen, along with the host names those machines have used. I have a machine that dual boots Ubuntu and Windows, so it shows up twice.
3. It displays a list of all of the IP addresses it has seen and the hostnames that have used those addresses.
It is a pretty crude script, but it helped me sort out what I was seeing on my network. I hope it helps.