bad ip address - possible DHCP/DNS?

asked 2019-07-17 17:30:55 +0000

dee

I will preface by saying I am new to Wireshark, so what I'm seeing is a bit overwhelming which is why I'm here :) I've picked up on a few tips regarding filtering to narrow down the data as much as possible, but to be honest I'm still not quite sure what I am looking at regarding this issue and I apologize as I'm sure it's obvious.

The issue: since I started here about two years ago, randomly (it seems; it may happen twice a day or once a month) a client will not be able to connect to the Internet or any network resources, although ipconfig shows an address within the proper scope, as well as the correct mask/gateway and DNS servers. I've been reserving the affected IP address in DHCP with a bogus MAC address and then doing a release/renew on the affected computer so the computer will pick up a new address, at which point it's on its merry way. I've then tested by deleting the reservation and had another computer pick up the address with no issues, so the issue never seems to be consistent with a given IP address. Also I've noticed the MAC address is registering when I check the machine on the DHCP/DNS server, and that is as much as I've confirmed. I've come across a few posts via Google but no pertinent solutions.

I'll link to the pcap file if anyone is available for assistance, I will be happy to answer any questions or obtain more information. Also if I eventually figure it out I'll be sure to post an update.

https://www.cloudshark.org/captures/37721f76e2bf

Client address: 10.29.0.38

DNS & DHCP servers: 192.168.10.28 / 192.168.11.28


Comments

In case this helps narrow it down further, I did a release/renew (either on this pcap or while monitoring another one) and noticed only DHCP Inform packets but never saw the actual DORA process. Googling on DHCP Inform packets it seems like this happens when a client needs to request additional info from the server, but again everything I'm seeing looks correct. When the issue occurs I also check for duplicate IPs but never find any, and I've also checked DHCP stats and we usually hover around 40% available addresses.

dee (2019-07-17 17:43:57 +0000)

Your description of the problem at the clients, "will not be able to connect to the Internet or any network resources", is a bit vague; can you clarify that? In particular (I'm assuming Windows clients, and Win 10 at that for the PowerShell commands):

  1. Can the client resolve names, e.g. what does the PowerShell command Resolve-DnsName give? As a fall back you can use the legacy nslookup but IMHO that doesn't do the same thing as applications.
  2. If the client can't resolve names, can you see the DNS queries go out? Chase this up if this is the case.
  3. If the client can resolve names, are they correct?
  4. If the client can resolve names, can it connect to any of them? Use Test-Connection or ping to an external and internal address that's known to respond to ping.
  5. If the ping succeeds, try using the normal ...
grahamb (2019-07-17 17:46:16 +0000)

My apologies. Windows clients, a mix of 7 and 10, and it has happened on both. When this issue occurs, they are not able to access any websites or ping, tracert, etc., inside or outside the network, and are only able to ping loopback, so that rules out local configuration I believe. I feel like I've run nslookup and it gave the correct info, but can't remember 100%. I will make a note to run that command the next time the issue occurs though, and I will provide the output.

dee (2019-07-17 17:58:06 +0000)

I've just realised that I missed the title of the question, what do you mean by "bad IP address"?

grahamb (2019-07-17 19:06:58 +0000)

That's just my interpretation of the issue given my lack of knowledge at this point. Since a given client is effectively isolated from the LAN/WAN when this issue is occurring, I just call it a bad IP address and point the finger at either DHCP or DNS since I don't really know what I'm seeing. I apologize for any confusion though.

dee (2019-07-17 19:12:40 +0000)

1 Answer


answered 2019-07-17 21:49:54 +0000

SYN-bit

In your pcapng file, I see that there are two systems both (trying) to use the IP address 10.29.0.38. The MAC addresses are:

  1. Address: IntelCor_50:4b:b9 (f8:94:c2:50:4b:b9)
  2. Address: SamsungE_cb:39:93 (64:1c:b0:cb:39:93)

You will have to locate this Samsung device and see why it uses an IP address in the DHCP pool.

You can see the duplicate when you filter on arp.src.proto_ipv4 == 10.29.0.38.

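The same check the display filter performs, generalised to every sender IP in a trace, as an added example (not code from the answer or from Wireshark): parse Ethernet/ARP frames, collect which MACs claim each sender IP, and report any IP claimed by more than one MAC. The frames are constructed inline and reuse the two MACs named in the answer; no real capture is read.

```python
import struct
from collections import defaultdict

# Ethernet II header (dst MAC, src MAC, ethertype) and the ARP payload
# (htype, ptype, hlen, plen, opcode, sender MAC, sender IP, target MAC, target IP)
ETH_HDR = struct.Struct("!6s6sH")
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")

def build_arp(src_mac, src_ip, op=2, target_ip="10.29.0.1"):
    """Build a broadcast Ethernet/ARP frame; op 1 = request, 2 = reply. Used only to construct sample traffic."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    spa = bytes(int(o) for o in src_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = ETH_HDR.pack(b"\xff" * 6, mac, 0x0806)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac, spa, b"\x00" * 6, tpa)
    return eth + arp

def parse_arp(frame):
    """Return (sender_mac, sender_ip) for an ARP frame, or None if the frame is not ARP or is truncated."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0806:
        return None
    _, _, _, _, _, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    return sha.hex(":"), ".".join(str(b) for b in spa)

def find_ip_conflicts(frames):
    """Map each ARP sender IP to the MACs claiming it and keep only IPs with more than one.
    Equivalent to running arp.src.proto_ipv4 == <ip> for every IP and eyeballing the source MACs."""
    claims = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            mac, ip = parsed
            claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}

# Constructed traffic: two MACs answering for 10.29.0.38, one MAC for an unrelated address
SAMPLE_FRAMES = [
    build_arp("f8:94:c2:50:4b:b9", "10.29.0.38"),
    build_arp("64:1c:b0:cb:39:93", "10.29.0.38"),
    build_arp("00:11:22:33:44:55", "10.29.0.40"),
    build_arp("f8:94:c2:50:4b:b9", "10.29.0.38", op=1),
]

if __name__ == "__main__":
    for ip, macs in find_ip_conflicts(SAMPLE_FRAMES).items():
        print(f"{ip} claimed by {len(macs)} MACs: {', '.join(macs)}")
```

On a real trace the same logic applies to frames read from the pcap; a conflict reported here is exactly the duplicate-address situation that no DHCP scope view or Windows pop-up is guaranteed to surface.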

Comments

Wow, I got so caught up on that not being the issue since I wasn't seeing a duplicate IP in the DHCP scope and I hadn't been seeing the usual pop-ups on the computers stating a duplicate IP was in use. Thank you so much for your time, and also for the tip on the display filter!

dee (2019-07-18 12:59:14 +0000)

Rooting around in the DHCP server I noticed lease time for this scope was set to 2 hours..... changed it to 3 days to see if this helps with the problem.

dee (2019-07-18 13:59:22 +0000)
