FYI The rogue DHCP detection algorithm is basically looking for two things. 1. DHCP OFFERS/ACK coming from IPs that are not specified in the dhcp_server parameter of the pf.conf file. 2. Weird behavior of DHCP clients asking for IP from their old DHCP server (per example, my Android device connected on my home wifi, now connected to the school wifi but still requesting IP from my home DHCP server will trigger a rogue DHCP alert.)
The second flow will most likely triggers some false positives and from some feedback, it is most of the time coming from Android devices that seems to have an issue with the DHCP client. You can have a look at the following post from Princeton: http://www.net.princeton.edu/android/android-stops-renewing-lease-keeps-using-IP-address-11236.html On 2013-04-08 10:15 AM, Arthur Emerson III wrote: > Has anyone else encountered problems with false rogue DHCP traps > generated by Motorola Droid RAZR phones (with MAC addresses > 3c:43:8e:xx:yy:zz on a network with Cisco's DHCP IP helper in > use? We have two of them generating false alarms every few minutes. > Judging by the IP addresses requested (without opening up a packet > tracer or touching either phone), they appear to be trying to renew > their home 192.168.1.xxx IP addresses instead of using the one that > our DHCP server assigned them. Anyway, just curious if we are the > only place receiving these false alarms, and if anyone has found a > fix on the client end... > > > -Arthur > > ------------------------------------------------------------------------- > Arthur Emerson III Email: [email protected] > Network Administrator InterNIC: AE81 > Mount Saint Mary College MaBell: (845) 561-0800 Ext. 3109 > 330 Powell Ave. Fax: (845) 562-6762 > Newburgh, NY 12550 SneakerNet: Aquinas Hall Room 11 > > > ------------------------------------------------------------------------------ > Precog is a next-generation analytics platform capable of advanced > analytics on semi-structured data. The platform includes APIs for building > apps and a phenomenal toolset for data science. Developers can use > our toolset for easy data analysis & visualization. Get a free account! > http://www2.precog.com/precogplatform/slashdotnewsletter > _______________________________________________ > PacketFence-users mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/packetfence-users > Cheers! dw. -- [email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org) ------------------------------------------------------------------------------ Precog is a next-generation analytics platform capable of advanced analytics on semi-structured data. The platform includes APIs for building apps and a phenomenal toolset for data science. Developers can use our toolset for easy data analysis & visualization. Get a free account! http://www2.precog.com/precogplatform/slashdotnewsletter _______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
