Finding dynamic IP addresses

softlight69, 123RF


Net Search

What are the IP addresses for your router, laptop, and coffee maker? Clever Linux tools come to the rescue to help you get this information.

Almost every network has a DHCP (Dynamic Host Configuration Protocol) server that dynamically assigns unique IP addresses, most of which have a limited period of validity. The server also tells clients which gateway to use and which DNS server to query for name resolution. It can be difficult to keep track of the IP addresses that a DHCP server assigns on the network, but tools like Arp, Fping, and Nmap help maintain an accurate overview.

It is important to the flawless operation of the system that the defined IP block reserved for the service allow a sufficient number of addresses to be continuously assigned to all of the devices. It is especially important to have an appropriately sized IP block when setting up a public WiFi network, because an inadequate IP block can quickly lead to bottlenecks in network access and ultimately to user dissatisfaction.

When public access is essential to a setting such as a café or a co-working space, it is important to know how much adaptation is necessary and when circumstances demand it. At the same time, it is a good idea to make sure that all computers in the network have suitable settings rather than static IP addresses that can obstruct concurrent clients.

Performing an analysis of addresses that have been assigned lets the network administrator get an overview of which devices are on the network and who is regularly logging in. Sometimes this kind of analysis even reveals devices not previously detected. The primary purpose of a static analysis is to determine whether the IP address pool is sufficient. It is not necessarily meant as a means for monitoring users.

What a DHCP Server Does

The DHCP server administers a pool of IP addresses from which it draws a single address for assignment when a request comes in from a computer attached to the local network. The server manages the address inventory and recognizes by reference to the MAC address which device uses which IP address. As a rule, the server assigns this data on a temporary basis. As a result, an assignment, referred to as a "lease," is in its essence a type of contract for use. Once the client no longer needs a particular address, the assignment, or lease, expires, and the address reverts to the pool to wait for re-assignment (i.e., lease renewal).

The length of time for which a lease is valid is called "lease time," which is specified when you configure the DHCP server. A typical lease time would be between 30 minutes and six hours long. The actual period of time is often determined according to the frequency of user fluctuation. A good rule of thumb is that lease times become shorter when fluctuation is greater.

A DHCP client announces its presence in the network by broadcasting to a corresponding server. The server then answers the request, and if possible, the server also offers an IP address to the client. If the client accepts the address offer, the server then assigns the confirmed IP address to the client and records the assignment [1].

Every DHCP server uses its own format for the file that contains the inventory of distributed IP addresses. The integrated server for Debian from the Internet Systems Consortium (ISC) [2] creates a dhcpd.leases file under /var/lib/dhcp/. Dnsmasq [3], on the other hand, uses a /tmp/dhcp.leases file (Listing 1). Each entry in the file indicates the point in time at which the lease expires, in terms of the number of seconds that have elapsed since 1.1.1970. The same entry also contains the MAC address for the client, the distributed IP address, the host name, and the client ID that has been broadcast. The ID is customarily derived from the MAC address of the network interface [4], hence the commonly observed similarity between the two.

Listing 1

dhcp.leases

# cat /tmp/dhcp.leases
1456254174 a8:7b:39:95:4a:5f 192.168.22.129 Nokia-N900 01:a8:7b:39:95:4a:5f
1456251956 00:13:e8:d2:60:bf 192.168.22.213 tuba *
1456254015 00:25:90:09:9c:98 192.168.15.129 trumpet *
1456253248 00:25:90:09:a1:9f 192.168.15.130 horn 01:00:25:90:09:a1:9f
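
An added example (not part of the original article) that parses the lease format of Listing 1 and reports how much of an address pool is in use, the sizing question raised above. The pool range and the evaluation time are assumptions chosen for illustration; the "01:" prefix check reflects the client IDs visible in the listing.

```python
import ipaddress
from collections import namedtuple

Lease = namedtuple("Lease", "expires mac ip hostname client_id")

# Sample input: the four entries shown in Listing 1.
SAMPLE = """\
1456254174 a8:7b:39:95:4a:5f 192.168.22.129 Nokia-N900 01:a8:7b:39:95:4a:5f
1456251956 00:13:e8:d2:60:bf 192.168.22.213 tuba *
1456254015 00:25:90:09:9c:98 192.168.15.129 trumpet *
1456253248 00:25:90:09:a1:9f 192.168.15.130 horn 01:00:25:90:09:a1:9f
"""

def parse_leases(text):
    """Parse lease lines: expiry (epoch seconds), MAC, IP, hostname, client ID."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # not a lease entry
        expires, mac, ip, host, cid = fields
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            continue  # this example handles IPv4 entries only
        leases.append(Lease(int(expires), mac.lower(), addr,
                            None if host == "*" else host,
                            None if cid == "*" else cid))
    return leases

def pool_usage(leases, first, last, now):
    """Return (active, pool_size, expired) for the address range first..last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    in_pool = [l for l in leases if lo <= l.ip <= hi]
    active = [l for l in in_pool if l.expires > now]
    return len(active), int(hi) - int(lo) + 1, len(in_pool) - len(active)

def odd_client_ids(leases):
    """Leases whose client ID is present but is not '01:' + MAC."""
    return [l for l in leases if l.client_id and l.client_id != "01:" + l.mac]

if __name__ == "__main__":
    leases = parse_leases(SAMPLE)
    # Assumed pool range and evaluation time, chosen for illustration.
    active, size, expired = pool_usage(leases, "192.168.22.100",
                                       "192.168.22.249", 1456252000)
    print(f"{active}/{size} addresses in use, {expired} expired entries")
```

A pool that stays close to full at peak hours is the signal to enlarge the range or shorten the lease time.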

For its part, the client stores the information on the lease it has been granted and the network configuration. The ISC DHCP client places the information in the dhclient.leases file, which is located under /var/lib/dhcp/ (Listing 2). Among other data, this file contains the assigned IP addresses (fixed-address), the subnet masks (option subnet-mask), the IP address for the router (option routers), the lease time for the IP address (option dhcp-lease-time, which in this example is 60 minutes), the DNS server (option domain-name-servers), the NTP server (option ntp-servers), and the times for the expiration (expire) and the renewal (rebind) of the lease for the IP address. This last value determines when the client requests an extension from the server on the lease for its IP address.

Listing 2

/var/lib/dhcp/

lease {
  interface "eth0";
  fixed-address 192.168.55.183;
  filename "/ltsp/i386/nbi.img";
  option subnet-mask 255.255.255.0;
  option routers 192.168.55.1;
  option dhcp-lease-time 3600;
  option dhcp-message-type 5;
  option domain-name-servers 192.168.55.1,192.168.55.6;
  option dhcp-server-identifier 192.168.55.6;
  option ntp-servers 192.168.55.3;
  option broadcast-address 192.168.55.255;
  option host-name "efho-mobil";
  option netbios-name-servers 192.168.55.4;
  option domain-name "network.local network.org";
  renew 2 2016/03/22 10:29:23;
  rebind 2 2016/03/22 10:56:54;
  expire 2 2016/03/22 11:04:24;
}

Finding the IP Addresses

The grep command-line utility helps in the hunt for IP addresses that are assigned on a network set up with an ISC DHCP server. By using the following call,

$ egrep "lease|hostname|hardware|\}" /var/lib/dhcpd/dhcpd.leases

you can determine which IP addresses are currently assigned. The output includes information, if known, about the lease, the hostnames, and the MAC address for the interface.

The network traffic provides additional clues for finding IP addresses. A computer observes data packets arriving via its interface in much the same way that customers in a Japanese sushi restaurant watch dishes pass by on the conveyor belt. Specifically, the computer wakes up and reacts when a packet is addressed to its interface directly. Almost as a side note, the computer also receives information on network occurrences, including such things as requests for address resolution sent out via the address resolution protocol (ARP) [5].

The /proc filesystem [6] for the Linux kernel provides a table containing this information. The data in the table originates in the so-called ARP cache, which the root user can read with the arp -a command (Listing 3). The output contains the IP address, the type of hardware, flags, the MAC address for the interface belonging to the IP address, and the interface from which the Linux kernel obtained the data (Listing 4).

Listing 3

Using the arp Command

# arp -a
? (192.168.55.22) at 52:54:00:8a:43:5f [ether] on eth0
lists.network.org (192.168.55.6) at 00:16:3e:18:29:b3 [ether] on eth0
? (192.168.55.97) at bc:05:43:48:9b:81 [ether] on eth0
orange.network.local (192.168.55.1) at 52:54:00:b3:8d:be [ether] on eth0

Listing 4

ARP Cache Raw Content

$ cat /proc/net/arp
IP address     HW type  Flags  HW address          Mask Device
192.168.55.22  0x1      0x2    52:54:00:8a:43:5f  *     eth0
192.168.55.6   0x1      0x2    00:16:3e:18:29:b3  *     eth0
192.168.55.97  0x1      0x2    bc:05:43:48:9b:81  *     eth0
192.168.55.1   0x1      0x2    52:54:00:b3:8d:be  *     eth0
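
An added example (not part of the original article) that reads the table format of Listing 4 and compares it with the addresses the DHCP server has handed out, which is how devices without a lease, such as hosts with static addresses, become visible. The LEASED and STATIC tables are constructed for illustration; in practice they would come from the server's lease file and the administrator's own records.

```python
# Sample input: the ARP table shown in Listing 4.
ARP_TABLE = """\
IP address     HW type  Flags  HW address          Mask Device
192.168.55.22  0x1      0x2    52:54:00:8a:43:5f  *     eth0
192.168.55.6   0x1      0x2    00:16:3e:18:29:b3  *     eth0
192.168.55.97  0x1      0x2    bc:05:43:48:9b:81  *     eth0
192.168.55.1   0x1      0x2    52:54:00:b3:8d:be  *     eth0
"""

# Constructed for this example: IP -> MAC as recorded in the DHCP lease file.
LEASED = {
    "192.168.55.22": "52:54:00:8a:43:5f",
    "192.168.55.6": "00:16:3e:aa:bb:cc",   # deliberately differs from the ARP entry
}
# Constructed for this example: addresses known to be configured statically.
STATIC = {"192.168.55.1"}

ATF_COM = 0x2  # flag bit the kernel sets on a completed (resolved) entry

def parse_proc_arp(text):
    """Return {ip: mac} for completed entries in /proc/net/arp format."""
    entries = {}
    for line in text.splitlines()[1:]:      # first line is the column header
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hwtype, flags, mac, _mask, _dev = fields
        if int(flags, 16) & ATF_COM:        # skip unresolved entries
            entries[ip] = mac.lower()
    return entries

def audit(arp, leased, static):
    """List (ip, mac, reason) for neighbors the DHCP records do not explain."""
    findings = []
    for ip, mac in sorted(arp.items()):
        if ip in static:
            continue
        if ip not in leased:
            findings.append((ip, mac, "no lease"))
        elif leased[ip].lower() != mac:
            findings.append((ip, mac, "mac mismatch"))
    return findings

if __name__ == "__main__":
    for ip, mac, reason in audit(parse_proc_arp(ARP_TABLE), LEASED, STATIC):
        print(f"{ip:15} {mac}  {reason}")
```

The ARP cache only holds neighbors the machine has recently exchanged traffic with, so an empty result does not prove that no other device is on the network.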

The ip command-line utility has established itself as another worthwhile tool for monitoring the network. The tool, found in the iproute2 [7] collection, is a somewhat more flexible successor to the twin utilities ifconfig and iwconfig. The ip command displays all of the neighbors in the network via the neighbor show option. The basis for this function is the ARP cache (Listing 5).

Listing 5

ARP Cache

# ip neighbor show
fe80::1:1 dev eth0 lladdr 52:54:00:b3:8d:be router STALE
192.168.55.22 dev eth0 lladdr 52:54:00:8a:43:5f STALE
192.168.55.6 dev eth0 lladdr 00:16:3e:18:29:b3 STALE
192.168.55.97 dev eth0 lladdr bc:05:43:48:9b:81 STALE
192.168.55.1 dev eth0 lladdr 52:54:00:b3:8d:be STALE
