Monitoring Linux-based DHCP

Monitoring DHCP usage on Linux seems, to me, to be kind of clumsy.

While I am not a Windows Server fan, it was fairly easy to extract DHCP information. Each night I had a process that extracted the DHCP information from the Windows DHCP server and posted everything to a MySQL database.

The DHCP data was accessed with a simple CGI script so I could quickly and easily ascertain anything I needed to know regarding DHCP assignments. I could locate all MACs ever assigned to an IP address, the current IP address for a hostname, all of the IP/MACs at a branch, etc. It was sweet.

Going through the trouble to extract data on that network, with 10,000+ users, made sense. On my home system, it doesn’t. So every six months, or so, when I need to figure out a DHCP issue I end up flailing trying to remember what to do.

After this morning’s flail, I decided to write some notes down so I don’t have to flail again.

Monitoring DHCP Packets

My home DHCP server is a Raspberry Pi. Yep, and it works really quite nicely. See here for the setup. Normally, if I want to watch DHCP packets I end up running tcpdump or Wireshark on the Raspberry Pi. Today I stumbled across dhcpdump, which is like tcpdump except that all it does is dump formatted DHCP packets for you, so you don’t have to remember the exact DHCP packet format for tcpdump.

My RPI didn’t have dhcpdump installed, but it was easy to add:

apt-get update
apt-get install dhcpdump

dhcpdump uses tcpdump, so if you don’t have tcpdump installed, it will get installed.

To run dhcpdump, you just have to specify the interface you want to monitor. This is probably going to be eth0, but you can use ifconfig to verify:

ifconfig
dhcpdump -i eth0

Here is an example of a DHCP request and response:

  TIME: 2015-01-02 12:36:20.502
    IP: 191.0.10.110 (1c:3e:84:b9:14:19) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 7f8ffaa2
  SECS: 0
 FLAGS: 0
CIADDR: 191.0.10.110
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 1c:3e:84:b9:14:19:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         8 (DHCPINFORM)
OPTION:  61 (  7) Client-identifier         01:1c:3e:84:b9:14:19
OPTION:  12 (  8) Host name                 latidude
OPTION:  60 (  8) Vendor class identifier   MSFT 5.0
OPTION:  55 ( 13) Parameter Request List      1 (Subnet mask)
                                             15 (Domainname)
                                              3 (Routers)
                                              6 (DNS server)
                                             44 (NetBIOS name server)
                                             46 (NetBIOS node type)
                                             47 (NetBIOS scope)
                                             31 (Perform router discovery)
                                             33 (Static route)
                                            121 (Classless Static Route)
                                            249 (MSFT - Classless route)
                                             43 (Vendor specific info)
                                            252 (MSFT - WinSock Proxy Auto Detect)

---------------------------------------------------------------------------

  TIME: 2015-01-02 12:36:20.503
    IP: 191.0.10.15 (b8:27:eb:22:87:65) > 191.0.10.110 (1c:3e:84:b9:14:19)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 7f8ffaa2
  SECS: 0
 FLAGS: 0
CIADDR: 191.0.10.110
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 1c:3e:84:b9:14:19:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         191.0.10.15
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:  15 ( 11) Domainname                flipflop.net
OPTION:   3 (  4) Routers                   191.0.10.1
OPTION:   6 (  4) DNS server                191.0.10.15
OPTION:  44 (  4) NetBIOS name server       191.0.10.15
OPTION:  46 (  1) NetBIOS node type         8 (H-node)
---------------------------------------------------------------------------
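As an added example that is not part of the original post, here is a small Python parser for the text layout dhcpdump prints above. It splits the output on the dashed separators, keeps the IP/OP/XID fields and the numbered options, and then flags any BOOTPREPLY whose source address or Server identifier (option 54) is not your known DHCP server, which is exactly what you want to notice when a second DHCP server shows up on the LAN. The sample packets (abridged to the fields used), the address 191.0.10.77 and the function names are constructed assumptions of mine.

```python
import re

# Constructed sample in dhcpdump's text layout (abridged to the fields used):
# a DHCPINFORM, the real server's DHCPACK, and a second DHCPACK for the same
# XID from an address that is not our DHCP server.
SAMPLE = """\
    IP: 191.0.10.110 (1c:3e:84:b9:14:19) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
   XID: 7f8ffaa2
OPTION:  53 (  1) DHCP message type         8 (DHCPINFORM)
---------------------------------------------------------------------------
    IP: 191.0.10.15 (b8:27:eb:22:87:65) > 191.0.10.110 (1c:3e:84:b9:14:19)
    OP: 2 (BOOTPREPLY)
   XID: 7f8ffaa2
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         191.0.10.15
---------------------------------------------------------------------------
    IP: 191.0.10.77 (02:00:00:00:00:77) > 191.0.10.110 (1c:3e:84:b9:14:19)
    OP: 2 (BOOTPREPLY)
   XID: 7f8ffaa2
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         191.0.10.77
"""
FIELD_RE = re.compile(r"^\s*(IP|OP|XID): (\S+)")          # first token after the label
OPT_RE = re.compile(r"^OPTION:\s+(\d+) \(\s*\d+\) .*?\s{2,}(\S.*)$")  # number ... value

def parse_dhcpdump(text):
    """One dict per packet: ip = source address, op = '1'/'2', xid, opts keyed by option number."""
    packets = []
    for block in re.split(r"^-{10,}$", text, flags=re.M):
        pkt = {"opts": {}}
        for line in block.splitlines():
            if m := FIELD_RE.match(line):
                pkt[m[1].lower()] = m[2]
            elif m := OPT_RE.match(line):
                pkt["opts"][int(m[1])] = m[2].strip()
        if "xid" in pkt:
            packets.append(pkt)
    return packets

def unexpected_servers(packets, authorized):
    """(xid, source ip, option-54 server id) for each BOOTPREPLY not sent by an authorized server."""
    hits = []
    for p in packets:
        sid = p["opts"].get(54, p["ip"])   # a reply without option 54 is judged by its source
        if p.get("op") == "2" and not {p["ip"], sid} <= authorized:
            hits.append((p["xid"], p["ip"], sid))
    return hits
```

Feed it `dhcpdump -i eth0` output and a set containing your server's address; anything it returns is a reply your clients may act on that did not come from your DHCP server.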

Script To Examine Current DHCP Lease Status

Often I want to know what leases are active, and who is using them. There seems to be no utility for doing this. Instead, I have to manually look through the /var/lib/dhcp/dhcpd.leases file. Because I only look at this thing maybe once every 6 months, inevitably it takes me too long to find what I’m looking for.

I wrote the following script which will parse the dhcpd.leases file and create a single line of information for each IP address in the format:

IP Addr         Status  MAC                     Host Name
191.0.10.200    free    f8:b1:56:a2:07:fc
191.0.10.218    free    08:00:27:43:b4:01
191.0.10.220    free    08:00:27:66:0b:e9
191.0.10.221    free    08:00:27:ab:8b:d2

This tells you the status of each IP address, the current (or last) MAC address assigned to it, and a host name, if available.

Here is the script (I call mine showdhcp):

#!/bin/bash

echo "You must run this script with root privileges"
echo

leases=/var/lib/dhcp/dhcpd.leases

if [ ! -r "$leases" ]; then
    echo "Cannot read $leases" >&2
    exit 1
fi

# get a valid temporary file name; the intermediate files hang off it
# and all of them are removed when the script exits

tempFile=$(mktemp)
trap 'rm -f "$tempFile" "$tempFile".*' EXIT

# extract just the useful lines from the dhcpd.leases file

grep -e '^lease ' \
     -e '^  binding state' \
     -e hardware \
     -e client-hostname \
     -e '}' "$leases" > "$tempFile.1"

# remove superfluous text from each line, marking lines to be joined with ~

sed -e "s/^lease \(.*\) {$/\1~/" \
    -e "s/^  binding state \(.*\);$/\1~/" \
    -e "s/^  hardware ethernet \(.*\);$/\1~/" \
    -e "s/  client-hostname \(.*\);$/\1~/" \
    -e "s/^}//" \
    "$tempFile.1" > "$tempFile.2"

# join the lines so that each lease is on a single line, then sort

sed -e ':loop' \
    -e '/~$/N;s/~\n/,/;t loop' \
    -e 's/,$//' \
    -e 's/,/\t/g' \
    "$tempFile.2" | sort > "$tempFile.3"

# delete duplicate lines

sed -e '$!N;/^\(.*\)\n\1$/!P;D' "$tempFile.3" > "$tempFile.4"

printf "IP Addr\t\tStatus\tMAC\t\t\tHost Name\n"
cat "$tempFile.4"

Hey! That’s the most I’ve done with sed in years!

Here is a full sample output:

root@ns:~# ./showdhcp
You must run this script with root privileges

IP Addr         Status  MAC                     Host Name
191.0.10.200    free    f8:b1:56:a2:07:fc
191.0.10.218    free    08:00:27:43:b4:01
191.0.10.220    free    08:00:27:66:0b:e9
191.0.10.221    free    08:00:27:ab:8b:d2
191.0.10.222    free    b8:27:eb:5d:44:21
191.0.10.223    free    00:c1:40:49:0e:11
191.0.10.224    free    08:00:27:c8:16:45
191.0.10.225    free    00:21:9b:17:37:ab
191.0.10.226    free    80:1f:02:f6:7a:06
191.0.10.227    free    00:1d:92:4a:c3:43
191.0.10.229    free    00:11:11:ae:a6:1c
191.0.10.230    free    08:00:27:bf:90:9f
191.0.10.231    free    f4:f1:e1:b2:de:4f
191.0.10.232    free    00:50:43:00:9c:64
191.0.10.233    active  00:50:c2:77:42:60       "GS100531"
191.0.10.234    free    3c:43:8e:de:fb:aa
191.0.10.235    free    7c:ed:8d:ea:44:f3
191.0.10.236    free    00:21:9b:17:37:ab
191.0.10.237    free    1c:3e:84:b9:14:19
191.0.10.238    free    64:66:b3:1b:89:02
191.0.10.239    free    1c:3e:84:b9:14:19
191.0.10.240    free    30:f9:ed:7f:d0:0e
191.0.10.241    free    00:18:56:24:72:79
191.0.10.242    free    08:00:27:ff:ab:fd
191.0.10.243    free    00:21:2f:2e:be:72
191.0.10.244    free    00:11:11:61:fc:5f
191.0.10.245    free    80:1f:02:b5:b3:80
191.0.10.246    free    00:11:11:61:fc:5f
191.0.10.247    free    90:a2:da:0d:02:6b
191.0.10.248    free    f8:b1:56:a2:07:fc
191.0.10.249    free    a4:1f:72:6d:83:64
191.0.10.250    free    00:23:99:1d:8e:49
191.0.10.251    active  f8:e0:79:ca:b9:d6       "android-bb86746386c86c4f"
191.0.10.252    free    08:00:27:c8:16:45
191.0.10.253    active  00:1d:fe:e0:1c:ff
191.0.10.254    free    08:00:27:30:83:23
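As an added example that is not part of the original post, here is the same lease report done in Python. It reads the dhcpd.leases syntax the script above greps for, and handles one thing the sed pipeline does not: dhcpd appends a new block each time a lease changes, so an IP can appear several times and only its last block is current. It also compares the lease’s ends time (written as a weekday number followed by a UTC timestamp) against a clock, so "active" really means not yet expired. The lease fragment is constructed, and parse_leases and active_leases are my own names.

```python
import re
from datetime import datetime, timezone

# Constructed dhcpd.leases fragment. dhcpd appends a new block every time a lease
# changes, so one IP can appear several times and only the LAST block is current.
LEASES = """\
lease 191.0.10.233 {
  ends 6 2015/01/03 05:10:00;
  binding state active;
  hardware ethernet 00:50:c2:77:42:60;
  client-hostname "GS100531";
}
lease 191.0.10.237 {
  ends 4 2015/01/01 21:00:00;
  binding state free;
  hardware ethernet 1c:3e:84:b9:14:19;
}
lease 191.0.10.237 {
  ends 6 2015/01/03 00:30:00;
  binding state active;
  next binding state free;
  hardware ethernet 1c:3e:84:b9:14:19;
  client-hostname "latidude";
}
"""
BLOCK_RE = re.compile(r"^lease (\S+) \{(.*?)^\}", re.S | re.M)
FIELD_RE = re.compile(r"^\s*(binding state|hardware ethernet|client-hostname|ends) (.*);$", re.M)
KEYS = {"binding state": "state", "hardware ethernet": "mac", "client-hostname": "host"}

def parse_leases(text):
    """Return {ip: {state, mac, host, ends}}; a later block for an IP replaces an earlier one."""
    leases = {}
    for ip, body in BLOCK_RE.findall(text):
        rec = {"state": "", "mac": "", "host": "", "ends": None}
        for key, val in FIELD_RE.findall(body):
            if key == "ends":   # "6 2015/01/03 00:30:00" = weekday then UTC time, or "never"
                rec["ends"] = None if val == "never" else datetime.strptime(
                    val[2:], "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)
            else:               # "next binding state" lines are deliberately not matched
                rec[KEYS[key]] = val.strip('"')
        leases[ip] = rec
    return leases

def active_leases(leases, now):
    """IPs whose last record is 'active' and has not expired at `now` (an aware datetime)."""
    return sorted(ip for ip, r in leases.items()
                  if r["state"] == "active" and (r["ends"] is None or r["ends"] > now))
```

Call parse_leases(open("/var/lib/dhcp/dhcpd.leases").read()) and pass datetime.now(timezone.utc) to active_leases to get the list of leases that are genuinely live right now.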
