andypitts Posted May 20, 2011

Hi all

I'm seeing quite a few entries in our DHCP address leases that I don't recognise and which don't follow the usual standards. One example is:

IP: 172.16.1.147
Name: 172.16.1.147 (I would expect to see the device name here)
Type: DHCP/BOOTP
Unique ID: 3137322e31362e312e31343700 (normally this would be a MAC address)

I have about 30 of these types of entries and there is no ping response from any that I've tried. Also, our DHCP server is reporting that it's nearly out of address leases, so if I could reclaim these strange entries that would be ideal. Does anyone know what these entries are for?

Thanks in advance

cpjitservices Posted May 20, 2011

Has someone plugged something in somewhere into your network? Those are all private IPs, so my guess is somewhere someone may have plugged a router in on your network maybe?

jimmy_2k Posted December 12, 2023

Did anyone get to the bottom of this one? I've got the same issue.

dmj Posted December 12, 2023

The clients don't need to return a MAC address, it just needs to be unique (see https://datatracker.ietf.org/doc/html/rfc2131). Which means some clients are configured not to return MAC addresses as the unique ID.

Are users connecting in via a VPN? I suspect this would cause a different unique ID to be present as the VPN would just forward DHCP requests and not pass on the MAC address.

psydii Posted December 12, 2023 (edited)

Is that Unique ID a verbatim copy of what you are seeing or merely a representation...? I ask because it begins with the 313373, which is a very suspicious string (it's a variant of 3l33t3).

(oops OP was from 2011 - one hell of a thread necro!)

Chris_Cook Posted December 12, 2023

I've seen HP switches do this. V1910 and V1920 models especially.

andypitts Posted December 12, 2023 (Author)

> Did anyone get to the bottom of this one? I've got the same issue.

No they are still there. Let me know if you figure it out.

Mako Posted December 12, 2023

If you convert 3137322e31362e312e31343700 to Text with ASCII, it comes back with 172.16.1.147 which is the IP address it was assigned. The device is sending back its assigned IP address as hex in the packet.

I'm not an expert in this field but I did some Googling (starting a search '3137322 + DHCP' got some interesting results) and went down the road of it being something to do with BOOTP and/or the device is sending back corrupt packets. This sounds about right as in the OP, the 'type' is 'DHCP/BOOTP', rather than just DHCP.

It could also be a rogue device. If you can acquire the MAC address from your switch(es) ARP table you might be able to narrow down where it is. I also went on a route of this being something to do with access points, so that's also a possibility.
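
The hex-to-ASCII decoding described in the post above, as an added example that is not part of any post in the thread: it classifies each lease's unique ID as a MAC address, ASCII text or opaque bytes, and flags IDs that spell out the leased IP. Only the first sample row comes from the thread; the other rows are constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: (leased IP, unique ID as shown in the DHCP console).
# The first row is the entry quoted in the thread; the others are made up.
SAMPLE_LEASES = [
    ("172.16.1.147", "3137322e31362e312e31343700"),
    ("172.16.1.20", "0123456789ab"),
    ("172.16.1.21", "01001122334455"),
    ("172.16.1.22", "ff0a1b2c3d000100012a3b4c5d001122334455"),
]

def classify_client_id(leased_ip, unique_id_hex):
    """Return (kind, detail) for one lease's unique ID."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", unique_id_hex)
    if len(cleaned) % 2:
        return ("invalid", "odd number of hex digits")
    raw = bytes.fromhex(cleaned)
    if len(raw) == 6:
        return ("mac", raw.hex(":"))
    # RFC 2132 option 61: type byte 0x01 (Ethernet) followed by the MAC.
    if len(raw) == 7 and raw[0] == 0x01:
        return ("mac", raw[1:].hex(":"))
    # Some clients send a NUL-terminated string instead of a hardware address.
    text = raw.rstrip(b"\x00")
    if text and all(0x20 <= b < 0x7F for b in text):
        decoded = text.decode("ascii")
        try:
            ipaddress.ip_address(decoded)
        except ValueError:
            return ("ascii", decoded)
        kind = "ascii-own-ip" if decoded == leased_ip else "ascii-other-ip"
        return (kind, decoded)
    return ("opaque", raw.hex())

def odd_leases(leases):
    """Leases whose ID is not a MAC: the ones worth tracing on the switch."""
    results = []
    for ip, uid in leases:
        kind, detail = classify_client_id(ip, uid)
        if kind != "mac":
            results.append((ip, kind, detail))
    return results

if __name__ == "__main__":
    for row in odd_leases(SAMPLE_LEASES):
        print(row)
```
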