Strange entries in my log file

Simon Hobson dhcp1 at
Tue Jul 17 10:56:45 UTC 2007

Pete Clarke wrote:

>Hmm ... this is a small, home network.

Small ?

>The 1st layer 3 switch has both and vlans
>configured, the .0 is for the servers/management boxes, and the .1 is
>for clients (wired/wireless).

>Both layer 3 switches have the DHCP server helper addresses configured,
>and this works nicely - if I disable the helpers, the DHCPDISCOVER's get
>to the server, but the DHCPOFFER's don't get back to the clients..(as
>you'd expect).

Actually no, if you disable the bootp relay agents then the dhcp 
discovers should not be getting to the server.

>I am assuming the rogue packets are coming in through the 2nd internet
>connection, does that sound reasonable..?

The problem is, if they come in that way, how would they get past the 
NAT - unless you have port forwarding enabled for dhcp. I think it's 
more likely that these packets are coming from a device inside the 
network, but given the lack of such a subnet it's hard to see where 
they would be coming from when they appear to be coming via a relay.

Might be time to look more closely and query the MAC tables in the 
switches to determine where the packets came from. You'll probably 
have to sniff packets, wait till one of these comes in, then inspect 
the packet to figure out the source MAC & IP, then query the switches.

More information about the dhcp-users mailing list