I was just looking at my DHCP list in the control panel and recognize all but two entries - h103 and h104.mydomain.com. Both are currently inactive and both are from different MAC addresses.
I know that all of my machines have NETBIOS names set - it appears as if these two don't. Any ideas on where they might be coming from? Is this something that Amahi does?
My entire network is behind a router with the firewall enabled and the only port opened is the one for VPN to Amahi. I did not notice any odd entries in my router's DHCP log prior to switching over to the Amahi server.
Unknown Entries in DHCP List
-
- Posts: 30
- Joined: Sat Jan 08, 2011 10:52 am
- Location: Nova Scotia, Canada
Re: Unknown Entries in DHCP List
You might want to look through /var/log/messages and look for DHCPACK messages. These will show IP addresses assigned to hostnames and MAC addresses of the machines that connected to your network.
You should be able to sort out which machines have accessed your network. I think that the hxxx.mydomain.com names are just assigned sequentially by the hda to DHCP requests, so it's not easy to match up the hxxx names to IP or MAC addresses.
Re: Unknown Entries in DHCP List
Thanks for your reply!
From the HDA control panel I can see the IP and MAC address of the machines that were assigned hxxx names. I don't recognize them as being anything of mine.
When a device connects via VPN would it be assigned one of those names instead of the usual netbios name? I'm concerned now that someone is inside my network.

Re: Unknown Entries in DHCP List
Hmm, that is weird.
I have a wireless access point in my network (secured) and was worried about hackers when I saw strange MAC addresses in my DHCPACK messages. I wrote a script to parse the log files and display information about the machines using my network. It is not very clever, but it satisfied me that no one has been using my network without my permission.
Perhaps you might find it useful. Here is the code:
Copy the code to a text file on your hda called 'dhcp-info' and make it executable (chmod +x dhcp-info).
Code:
#!/usr/bin/env python3
#
# dhcp-info
#
# Digest DHCP information from logs and produce reports.
# Usage:
#   dhcp-info <filenames>
#
# where: <filenames> is a list of DHCP log files (/var/log/messages* for Fedora)
#
# Motivation:
#   Curiosity about whether there had been any attempts to log in to my network by
#   unknown hosts.
#
# Keith Grant
# 1/9/2011
#
import os
import datetime as dt
import time
import sys


class DHCPInfo:
    ''' Container class for DHCP information.'''

    def __init__(self, files):
        self.data = []
        self.hosts = {}  # Dict of hostname : [mac list]
        self.macs = {}   # Dict of mac : [hostname list]
        self.ips = {}    # Dict of ip : [hostname list]
        # Extract data from the log files
        for f in files:
            print(f)
            self._parse(f)
        # Sort the data chronologically
        self.data = sorted(self.data, key=lambda entry: entry[0])

    def _parseDHCPAck(self, line):
        ''' Parse a single log entry for DHCPACK.
        There seems to be two different forms:
        Jan 9 17:20:30 localhost dhcpd: DHCPACK on 192.168.1.102 to aa:bb:cc:dd:ee:ff (voldemort) via eth0
        Jan 9 10:36:48 localhost dhcpd: DHCPACK to 192.168.1.154 (gg:hh:jj:kk:ll:mm) via eth0
        In the first case, the hostname is in (). In the second, only the MAC
        address is in parenthesis.
        '''
        fields = line.split()
        # Get the date/time (syslog lines carry no year, so assume the current one)
        year = time.localtime().tm_year
        t = dt.datetime.strptime(fields[0] + ' ' + fields[1] + ' ' + fields[2], '%b %d %H:%M:%S')
        t = t.replace(year=year)
        # Assigned IP address
        ip = fields[7]
        if len(fields) == 13:
            # Hostname present
            mac = fields[9]
            host = fields[10][1:-1]  # strip off parens
        elif len(fields) == 11:
            # No hostname present
            mac = fields[8][1:-1]  # strip off the parens
            host = ''
        else:
            raise Exception('Unusual DHCPACK log entry: "%s"' % line)
        self.data.append((t, ip, mac, host, line.strip()))
        # Add the host and mac information
        if mac not in self.macs:
            # Newly seen mac address
            self.macs[mac] = [host]
        elif host not in self.macs[mac]:
            # New hostname for this mac address!
            self.macs[mac].append(host)
        if host not in self.hosts:
            # New hostname
            self.hosts[host] = [mac]
        elif mac not in self.hosts[host]:
            # New mac address for this host! (not unusual for wired/wireless machines)
            self.hosts[host].append(mac)
        if ip not in self.ips:
            # New ip address
            self.ips[ip] = [host]
        elif host not in self.ips[ip]:
            # New hostname for this IP address (not unusual for dual-boot machines)
            self.ips[ip].append(host)

    def _parse(self, filepath):
        if not os.path.exists(filepath):
            raise Exception('File "%s" not found' % filepath)
        with open(filepath, 'r') as f:
            for line in f:
                if 'DHCPACK' in line:
                    self._parseDHCPAck(line)

    def log(self, host=None, mac=None, raw=None):
        # Print the chronological record, optionally filtered by host or mac
        for t, ip, m, h, text in self.data:
            if host:
                if h == host:
                    print(t, ip, m, h)
            elif mac:
                if m == mac:
                    print(t, ip, m, h)
            elif raw:
                print(text)
            else:
                print(t, ip, m, h)

    def mac(self):
        print()
        print('Unique MAC addresses:')
        for m in sorted(self.macs):
            print('%-19s %s' % (m, self.macs[m]))

    def host(self):
        print()
        print('Unique Hostnames:')
        for h in sorted(self.hosts):
            if h:
                print('%-25s %s' % (h, self.hosts[h]))

    def ip(self):
        print()
        print('IP Addresses:')
        for i in sorted(self.ips):
            print('%-19s %s' % (i, self.ips[i]))

    def checkUnknowns(self):
        ''' Display any unknown mac addresses'''
        print()
        print('Checking for unknown mac addresses:')
        # There may be no entries without a hostname at all
        nullhosts = self.hosts.get('', [])
        for m in nullhosts:
            # Every MAC is recorded in self.macs, so report the ones that
            # were never seen with a hostname
            if self.macs.get(m) == ['']:
                print('Unknown MAC address! %s' % m)
        print('Done.')


if __name__ == '__main__':
    def usage():
        print()
        print("Usage:")
        print(" dhcp-info <message file> [<message file>]*")
        print(" where <message file> is typically '/var/log/messages'.")
        print()

    args = sys.argv
    if len(args) < 2:
        usage()
        sys.exit(1)
    d = DHCPInfo(args[1:])
    # d.log()
    d.host()
    d.mac()
    d.ip()
    d.checkUnknowns()
To run the script, type: 'dhcp-info /var/log/messages*'
When you run it, it produces three tables.
1. It displays a list of all the hostnames it has seen along with their MAC addresses. If you have a laptop with both wired and wireless interfaces, it will show up with two MAC addresses.
2. It displays a list of all of the unique MAC addresses it has seen, along with the host names those machines have used. I have a machine that dual boots Ubuntu and Windows, so it shows up twice.
3. It displays a list of all of the IP addresses it has seen and the hostnames that have used those addresses.
It is a pretty crude script, but it helped me sort out what I was seeing on my network. I hope it helps.
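An added example, not part of the script posted above: it compares the MAC addresses seen in DHCPACK lines against an allow-list of devices you own and reports first-seen and last-seen times for the rest, together with every hostname each MAC has used, which is how a MAC shown as hNNN in the control panel can be tied back to an earlier name. The allow-list, the `inventory` and `triage` names, the sample log lines and the `year` argument (syslog lines omit the year) are assumptions made for this example; besides the two DHCPACK forms quoted in the script's docstring, the pattern also accepts the first form without a hostname.

```python
import re
from datetime import datetime

MAC = r'[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}'
# "DHCPACK on <ip> to <mac> [(<host>)] via <if>"  or  "DHCPACK to <ip> (<mac>) via <if>"
ACK = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?dhcpd(?:\[\d+\])?: DHCPACK (?:'
    rf'on (?P<ip>\S+) to (?P<mac>{MAC})(?: \((?P<host>[^)]*)\))?'
    rf'|to (?P<ip2>\S+) \((?P<mac2>{MAC})\)) via \S+')

# Constructed sample lines (not taken from any real log)
SAMPLE_LOG = """\
Jan  8 09:12:01 localhost dhcpd: DHCPACK on 192.168.1.104 to 00:11:22:33:44:55 (iPhone) via eth0
Jan  9 10:36:48 localhost dhcpd: DHCPACK to 192.168.1.154 (00:11:22:33:44:66) via eth0
Jan  9 17:20:30 localhost dhcpd: DHCPACK on 192.168.1.102 to aa:bb:cc:dd:ee:ff (voldemort) via eth0
Jan 10 07:45:10 localhost dhcpd: DHCPACK on 192.168.1.104 to 00:11:22:33:44:55 via eth0
Jan 10 08:00:00 localhost dhcpd: DHCPDISCOVER from 00:11:22:33:44:77 via eth0
""".splitlines()

def inventory(lines, year):
    """Map each MAC to its first/last DHCPACK time, IPs and hostnames."""
    seen = {}
    for line in lines:
        m = ACK.search(line)
        if not m:
            continue  # not a DHCPACK line, or a form this pattern does not cover
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        mac = (m['mac'] or m['mac2']).lower()
        rec = seen.setdefault(
            mac, {'first': when, 'last': when, 'ips': set(), 'names': set()})
        rec['first'] = min(rec['first'], when)
        rec['last'] = max(rec['last'], when)
        rec['ips'].add(m['ip'] or m['ip2'])
        if m['host']:
            rec['names'].add(m['host'])
    return seen

def triage(seen, known_macs):
    """Rows for MACs not on the allow-list: (mac, first, last, names used)."""
    known = {k.lower() for k in known_macs}
    return [(mac, r['first'], r['last'], sorted(r['names']))
            for mac, r in sorted(seen.items()) if mac not in known]

if __name__ == '__main__':
    KNOWN = ['AA:BB:CC:DD:EE:FF']  # hypothetical allow-list of your own devices
    for mac, first, last, names in triage(inventory(SAMPLE_LOG, 2011), KNOWN):
        print(mac, first, last, names or '(no hostname ever sent)')
```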
Re: Unknown Entries in DHCP List
So I think that one of them was my iPhone - for some reason Amahi loses the NETBIOS names of machines that have been offline for a while... when I connected my iPhone, h104 changed to iPhone.mydomain.com.
Is this a known thing?
Re: Unknown Entries in DHCP List
I was baffled by this too. For me h101 was my Samsung TV and h102 was my laptop... connected via wifi rather than GigE.
Re: Unknown Entries in DHCP List
Is part of the code missing? I tried this and received errors. It would not work.

ßîgƒσστ65
Applications Manager
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2
Re: Unknown Entries in DHCP List
If you are referring to my script, I just realized that I wrote it for Amahi 5.6. I don't have 6 installed, so I have not tested it on the latest release.
Re: Unknown Entries in DHCP List
Hey everybody ... installing apps, adding aliases or webapps will reload DHCP and/or DNS and, sadly, the DHCP server, when reloaded, will lose the dynamically assigned names it had assigned.
It may be possible to reload with new settings and still preserve the old ones (not too sure).
Because of the nature of DHCP, until a new lease is due for renewal, the server does not really know if it's valid after restarting/reload or not.
My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 8GB RAM, 1TBx2+3TBx1