Need support in finding spamming DHCPDISCOVER device

TheUntouchable

Regular Contributor
Hi guys!

I just checked my logs after updating to a new version of scribe and saw a lot of entries like that (every 5 minutes):

Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPOFFER(br0) 192.168.1.80 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPOFFER(br0) 192.168.1.80 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPOFFER(br0) 192.168.1.80 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPOFFER(br0) 192.168.1.80 00:52:e0:9d:a5:1d
Feb 6 21:45:58 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 00:52:e0:9d:a5:1d
Feb 6 21:45:58 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPOFFER(br0) 192.168.1.80 00:52:e0:9d:a5:1d

I can't identify that MAC address from my known devices and also couldn't find any vendor with that MAC address. My computer's ARP cache also doesn't know that MAC.

Any hint how I can get rid of that device or know which device it is?

Thanks in advance.
 
I can't identify that MAC address from my known devices and also couldn't find any vendor with that MAC address.
If you don't find the culprit, you only have to set Hide DHCP / RA queries to YES in the LAN section, DHCP Server. Flooding will stop.
 
That MAC is invalid, so either it's a virtual machine, or you have a device using a randomized MAC address for privacy purposes. I believe that's an iPhone feature, among others.
 
That MAC is invalid, so either it's a virtual machine, or you have a device using a randomized MAC address for privacy purposes. I believe that's an iPhone feature, among others.

Thanks Merlin for the hints. The randomizing MAC address feature is also present on Windows 10 machines, as I don't own an iPhone :D But none of my devices have activated that. There is no way to see if the request is coming from WLAN or LAN, right?
 
If you don't find the culprit, you only have to set Hide DHCP / RA queries to YES in the LAN section, DHCP Server. Flooding will stop.
Thanks for your reply, but I really want to hunt that device down, as when it's coming from WLAN it should have the key for it and that's not good :D
 
Does it pop up on the Wireless Log page?
I'm afraid not. It doesn't take the IP address from the DHCPOFFER, so it doesn't have a real connection; it only makes DHCPDISCOVERs every 5 minutes.
 
Thanks Merlin for the hints. The randomizing MAC address feature is also present on Windows 10 machines, as I don't own an iPhone :D But none of my devices have activated that. There is no way to see if the request is coming from WLAN or LAN, right?

Simplest way is to manually reboot devices one at a time and see what pops up.
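
Added example, not part of any post in this thread: a Python script that scans dnsmasq log text for the pattern described above, a MAC that keeps sending DHCPDISCOVER and never follows the DHCPOFFER with a DHCPREQUEST. The sample log is constructed from the lines in the first post plus a made-up client `3e:11:22:33:44:55`; the function name and the `min_discovers` threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. The 00:52:e0:9d:a5:1d lines follow the log in the thread;
# the 3e:11:22:33:44:55 client is made up to show a completed handshake.
SAMPLE_LOG = """\
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPOFFER(br0) 192.168.1.80 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 00:52:e0:9d:a5:1d
Feb 6 21:45:57 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPOFFER(br0) 192.168.1.80 00:52:e0:9d:a5:1d
Feb 6 21:45:58 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 00:52:e0:9d:a5:1d
Feb 6 21:46:10 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPDISCOVER(br0) 3e:11:22:33:44:55
Feb 6 21:46:10 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPOFFER(br0) 192.168.1.50 3e:11:22:33:44:55
Feb 6 21:46:10 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPREQUEST(br0) 192.168.1.50 3e:11:22:33:44:55
Feb 6 21:46:10 RT-AC88U-DDF0 dnsmasq-dhcp[385]: DHCPACK(br0) 192.168.1.50 3e:11:22:33:44:55 laptop
"""

# dnsmasq-dhcp line: MESSAGE(interface) [ip] mac [hostname]
LINE_RE = re.compile(
    r"dnsmasq-dhcp\[\d+\]: (DHCP[A-Z]+)\([^)]+\) "
    r"(?:(\d{1,3}(?:\.\d{1,3}){3}) )?((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

def discover_only_clients(log_text, min_discovers=3):
    """Return MACs that keep sending DHCPDISCOVER but never REQUEST or get an ACK."""
    counts = defaultdict(Counter)   # mac -> message type -> count
    offered = {}                    # mac -> last address offered to it
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        counts[mac][msg] += 1
        if msg == "DHCPOFFER":
            offered[mac] = ip
    flagged = {}
    for mac, c in counts.items():
        if c["DHCPDISCOVER"] >= min_discovers and not (c["DHCPREQUEST"] or c["DHCPACK"]):
            flagged[mac] = {
                "discovers": c["DHCPDISCOVER"],
                "offered": offered.get(mac),
                # Bit 0x02 of the first octet is the locally-administered flag.
                "locally_administered": bool(int(mac[:2], 16) & 0x02),
            }
    return flagged

if __name__ == "__main__":
    for mac, info in discover_only_clients(SAMPLE_LOG).items():
        print(mac, info)
```

Operating-system MAC randomization sets the locally-administered flag, so the last field separates privacy addresses from addresses that merely lack a registered vendor prefix.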
 
