Weird MAC addresses in DHCP Server Logs

Nick Cross
Occasional Advisor

I keep getting weird MAC addresses showing up in my DHCP Server logs (see below). Does anyone know what they are (the first 4 bytes are 'R','A','S',' ') and what kind of service is placing these DHCP requests?

We seem to be getting these from different types of boxes: application servers (DB, etc.), proxies and clients too. The thing is, only the clients use DHCP; the servers have static addresses. Also, none of them are RAS boxes, and our RAS clients use a different range completely.

--snip--
11,03/28/01,16:00:24,Renew,172.16.5.65,AGSHQS0043,5241532070B6D1ED7A50C00102000000
11,03/28/01,16:00:44,Renew,172.16.5.173,AGSHQR0006,52415320F076B0B1D829BF0103000000
--snip--

Both these boxes have static IPs. One of them is a proxy, the other an application server.

Any ideas anyone???

Thanks in advance.

Nick.
Contrary to popular belief, Unix is user friendly. It just happens to be very selective about who it decides to make friends with.
4 REPLIES
Jamie Hughes
Honored Contributor

Re: Weird MAC addresses in DHCP Server Logs

Hello Nick,

Do you have any hubs or switches out on your network that might be configured to use BOOTP? Did this just suddenly start happening or have these entries always been there? What kind of clients are on your network (9x, NT, etc)?

What does the weird MAC address look like? Do you have any errors in the System event log? If so, please post the event IDs here. If those are the MAC addresses you are seeing that you posted in your original message, there is definitely something wrong out on the network somewhere because it is too long. The MAC address should be seen as 22 digits. If you convert the first four hex numbers (8 digits) to decimal, it should reflect the subnet address that the DHCP packet originated on. The last twelve digits are the MAC address. You might be able to track down where this is coming from by analyzing the MAC address in that fashion.

If the MAC address you're seeing is longer than 22 digits, I would be looking out on the network for a switch or hub that is sending BOOTP requests, which can confuse the DHCP server. Please reply and let us know what you find out.

Best regards,
Jamie Hughes
Nick Cross
Occasional Advisor

Re: Weird MAC addresses in DHCP Server Logs

Sorry, I didn't make myself clear. The MAC addresses aren't standard MAC addresses, I know that. But I wondered if anyone had come across something similar inside their DHCP Server Log files.

To re-iterate...

From my DHCP Server Logs:

-> 11,03/29/01,00:17:37,Renew,172.16.5.121,AGS-DTC1552,0000398F7D0D

A renewal with a standard MAC address (0000398F7D0D)


-> 11,03/29/01,00:17:48,Renew,172.16.5.118,AGS-DTC1631,524153204017B3855FA8C00102000000

A renewal with the 'weird' MAC address (524153204017B3855FA8C00102000000) and the first four bytes correspond to 'RAS '

cheers, Nick.
Contrary to popular belief, Unix is user friendly. It just happens to be very selective about who it decides to make friends with.
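
The manual check described in the posts above, as an added example that is not part of the original thread: this Python script parses log lines in the comma-separated layout Nick quoted, flags entries whose last field is not a 6-byte MAC address, and decodes the first four bytes as text. The field names and function names are assumptions made for illustration; the sample input is the four log lines posted in the thread.

```python
import csv
import io

# Sample input: the four log lines quoted in the thread.
SAMPLE_LOG = """\
11,03/28/01,16:00:24,Renew,172.16.5.65,AGSHQS0043,5241532070B6D1ED7A50C00102000000
11,03/28/01,16:00:44,Renew,172.16.5.173,AGSHQR0006,52415320F076B0B1D829BF0103000000
11,03/29/01,00:17:37,Renew,172.16.5.121,AGS-DTC1552,0000398F7D0D
11,03/29/01,00:17:48,Renew,172.16.5.118,AGS-DTC1631,524153204017B3855FA8C00102000000
"""

# Field names are assumed from the column order visible in the posted lines.
FIELDS = ["event_id", "date", "time", "description", "ip", "hostname", "client_id"]


def split_tag(raw: bytes) -> tuple[str, str]:
    """Split off the first 4 bytes as text when all of them are printable ASCII."""
    head = raw[:4]
    if len(head) == 4 and all(0x20 <= b <= 0x7E for b in head):
        return head.decode("ascii"), raw[4:].hex().upper()
    return "", raw.hex().upper()


def find_odd_client_ids(log_text: str) -> list[dict]:
    """Return entries whose last field is not a 6-byte (12 hex digit) MAC."""
    findings = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != len(FIELDS):
            continue  # skip headers, blank lines and malformed rows
        entry = dict(zip(FIELDS, row))
        try:
            raw = bytes.fromhex(entry["client_id"])
        except ValueError:
            raw = b""  # not valid hex: report it with length 0
        if len(raw) == 6:
            continue  # ordinary Ethernet MAC address
        entry["length_bytes"] = len(raw)
        entry["tag"], entry["remainder_hex"] = split_tag(raw)
        findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in find_odd_client_ids(SAMPLE_LOG):
        print(f["date"], f["time"], f["ip"], f["hostname"],
              f["length_bytes"], repr(f["tag"]), f["remainder_hex"])
```

Run against a full log file, the output lists every host and lease address that presented a non-MAC identifier, which can then be compared against the list of statically addressed machines.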
Roger Faucher
Honored Contributor

Re: Weird MAC addresses in DHCP Server Logs

Hi:

This website, http://www.teleport.com/~jrpetro/FTP_Utilities/tcpnetview.htm, has a piece of software called TCP Netview (freeware) that you may find useful. It should discover the IP and MAC addresses of all network components. Good luck!
Make a great day!

Roger
Dan Robinson
Occasional Advisor

Re: Weird MAC addresses in DHCP Server Logs