At wit's end....(can't find dhcp leases)

Glenn Satchell Glenn.Satchell at
Fri Sep 14 14:48:02 UTC 2007

You could try using shorter lease times, then you'd have more frequent
ack messages in the logs.

Unfortunately, dhcp is not a security tool. For example if someone
manually configures an IP address on their client, there's nothing to
be found in the leases of log files as dhcp didn't allocate that


>Date: Fri, 14 Sep 2007 10:38:13 -0400
>From: "Brian Johnson" <voyager.106 at>
>To: dhcp-users at
>Subject: Re: At wit's end....(can't find dhcp leases)
>Thank you to the two people who've responded. I appreciate your taking the 
>I'd actually started writing the email a few days ago and didn't get
>to finish it till this morning, as I waited for my English Muffin to
>toast. In doing so, I actually left out an important detail I'd
>initially meant to include.
>As was mentioned in the below email, we use our logs quite a bit for
>finding information on ip addresses. We keep approximately 2 weeks
>worth of logs. The problem we're having is, we have neither lease NOR
>log information on some ip addresses at a given time they're
>supposedly on the network. For example, we might be told that an ip
>address was doing something bad on 09/13/2007 17:00:00 EDT.
>Then we go looking in the leases file  and find out that the closest
>lease for that ip address on that day ended at 19:45:00 GMT (15:45:00
>EDT) and the next lease for it didn't start until 22:30:00 GMT
>(18:30:00 EDT). So, given the lack of valid lease information for that
>ip address at that time, we will then go to the log files to see what
>we can find. Often times we can find dhcpacks for the user prior to
>the timestamp of the infraction, and dhcpacks for the user after the
>infraction, which gives reason to believe the person had the ip
>address at the time of the infraction, but leaves reasonable doubt.
>Obviously, if we accuse someone of wrongdoing, we need to make sure
>that all of our ducks in a row and we should be able to show exactly
>why we believe what we do....
>Looking in the log files, we're seeing information consistent with
>what we're seeing in the leases file --
>On 9/14/07, Bruce Hudson <Bruce.Hudson at> wrote:
>> > My problem is this, and it's driving me crazy. Occasionally, we have
>> > reason to go back and identify the mac address of a particular ip
>> > address at a specific time. The obvious place to find this information
>> > is in the leases file. However, it seems more and more often, we're
>> > unable to find a lease for a particular ip address at the given time.
>> > So, my question is twofold -- is anyone else seeing this particular
>> > issue? And if so, are there any ideas why we might be seeing it? I
>> > have some theories, but can't find anything on the internet to support
>> > them.
>>     The lease file only holds the information the server needs to do its
>> job consistently across program restarts. It records active leases and it
>> remembers the last IP address given to each identifier so that the server
>> can give clients a consistent address if possible but this information is
>> lost as soon as somebody else is given that address.
>>     In addition, because the lease file is a text file with an "append
>> and periodic rewrite", it does contain short-term historical information
>> until its rewritten.
>>     We, as I suspect most people do, scrape historical information out
>> of the log files and store it.
>> --
>> Bruce A. Hudson                         | Bruce.Hudson at Dal.CA
>> UCIS, Networks and Systems              |
>> Dalhousie University                    |
>> Halifax, Nova Scotia, Canada            | (902) 494-3405
>Brian Johnson
>"And I will be even more undignified than this, and will be humble in
>my own sight." (2 Samuel 6:22)

More information about the dhcp-users mailing list