====== Monitoring DHCP servers running on Linux ======

Not many people know it, but the DHCP server for Linux (ISC DHCP, the dhcpd that ships as dhcp-4.x) comes with tools for monitoring the DHCP service itself. Without further ado, here is the first one.

===== DHCP-LEASE-LIST =====

Lists the devices that obtained an IP address from the DHCP server. Not many know this either, but the command lives in the contrib directory of the DHCP source tree for Linux. An example follows:

<code>
root@agamenon:~# /home/freewaynet/dhcp-4.4.1/contrib/dhcp-lease-list.pl
To get manufacturer names please download http://standards.ieee.org/regauth/oui/oui.txt to /usr/local/etc/oui.txt
Reading leases from /var/lib/dhcp/dhcpd.leases
MAC                IP              hostname        valid until          manufacturer
===============================================================================================
00:0c:29:81:60:38  192.168.1.122   ariel           2018-07-04 14:22:25  -NA-
00:15:65:8f:af:d4  192.168.1.136   SIP-T21P        2018-07-04 14:21:56  -NA-
00:b3:62:b9:77:1f  192.168.1.84    iPhonedCarolin  2018-07-04 15:47:08  -NA-
20:47:47:fc:f5:ea  192.168.1.95    isadora         2018-07-04 14:22:43  -NA-
7c:8b:ca:00:96:aa  192.168.1.139   projetos        2018-07-04 14:22:17  -NA-
84:38:38:ff:4a:b2  192.168.1.90    android-52f133  2018-07-04 14:22:05  -NA-
84:7b:eb:fc:9f:dd  192.168.1.149   comercial1      2018-07-04 14:21:41  -NA-
84:ef:18:56:77:46  192.168.1.131   arthu-linux     2018-07-04 14:21:06  -NA-
b0:6e:bf:72:36:05  192.168.1.126   -NA-            2018-07-04 14:22:36  -NA-
ec:a8:6b:bf:c1:14  192.168.1.124   financeiro      2018-07-04 14:22:58  -NA-
f0:c1:f1:a5:f9:fd  192.168.1.73    iPhone-Gilbert  2018-07-04 15:01:16  -NA-
f8:da:0c:ff:8c:3b  192.168.1.98    comercial       2018-07-04 14:21:28  -NA-
fc:ec:da:16:57:aa  192.168.1.91    Freeway         2018-07-04 14:22:56  -NA-
root@agamenon:~#
</code>

To get the manufacturer names, the command itself gives the hint: download the oui.txt file and place it under /usr/local/etc/.

<code>
root@agamenon:~# /home/freewaynet/dhcp-4.4.1/contrib/dhcp-lease-list.pl
Reading leases from /var/lib/dhcp/dhcpd.leases
MAC                IP              hostname        valid until          manufacturer
===============================================================================================
00:0c:29:81:60:38  192.168.1.122   ariel           2018-07-04 14:27:35  VMware, Inc.
00:15:65:8f:af:d4  192.168.1.136   SIP-T21P        2018-07-04 14:28:42  XIAMEN YEALINK NETWORK TECHNOLOGY CO.,LTD
00:b3:62:b9:77:1f  192.168.1.84    iPhonedCarolin  2018-07-04 15:47:08  Apple, Inc.
20:47:47:fc:f5:ea  192.168.1.95    isadora         2018-07-04 14:27:17  Dell Inc.
7c:8b:ca:00:96:aa  192.168.1.139   projetos        2018-07-04 14:29:03  TP-LINK TECHNOLOGIES CO.,LTD.
84:38:38:ff:4a:b2  192.168.1.90    android-52f133  2018-07-04 14:28:29  SAMSUNG ELECTRO-MECHANICS(THAILAND)
84:7b:eb:fc:9f:dd  192.168.1.149   comercial1      2018-07-04 14:28:36  Dell Inc.
84:ef:18:56:77:46  192.168.1.131   arthu-linux     2018-07-04 14:26:27  Intel Corporate
b0:6e:bf:72:36:05  192.168.1.126   -NA-            2018-07-04 14:27:36  ASUSTek COMPUTER INC.
ec:a8:6b:bf:c1:14  192.168.1.124   financeiro      2018-07-04 14:27:58  Elitegroup Computer Systems Co.,Ltd.
f0:c1:f1:a5:f9:fd  192.168.1.73    iPhone-Gilbert  2018-07-04 15:01:16  Apple, Inc.
f8:da:0c:ff:8c:3b  192.168.1.98    comercial       2018-07-04 14:27:48  Hon Hai Precision Ind. Co.,Ltd.
fc:ec:da:16:57:aa  192.168.1.91    Freeway         2018-07-04 14:27:56  Ubiquiti Networks Inc.
root@agamenon:~#
</code>

===== DHCPDUMP =====

The dhcpdump application captures the packets addressed to the DHCP service and displays (dumps) their contents. Below is an example taken from the dhcpdump manual page.

<code>
# dhcpdump -i eth0 -h ^00:c0:4f
</code>

The command above shows only the packets of the device making DHCP requests whose MAC address starts with 00:c0:4f. Note that the option takes a regular expression, which is very useful. When I say "request" I mean both the request packet and the reply. Below is a request followed by a reply; the output is quite self-explanatory.

<code>
---------------------------------------------------------------------------
  TIME: 2018-07-04 10:37:05.510
    IP: 0.0.0.0 (e8:40:40:e7:ed:21) > 192.168.1.252 (0:c:29:cb:52:99)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 8ada1645
  SECS: 140
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 20:47:47:fc:f5:ea:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         1 (DHCPDISCOVER)
OPTION:  12 (  7) Host name                 isadora
OPTION:  55 ( 13) Parameter Request List      1 (Subnet mask)
                                             28 (Broadcast address)
                                              2 (Time offset)
                                              3 (Routers)
                                             15 (Domainname)
                                              6 (DNS server)
                                            119 (Domain Search)
                                             12 (Host name)
                                             44 (NetBIOS name server)
                                             47 (NetBIOS scope)
                                             26 (Interface MTU)
                                            121 (Classless Static Route)
                                             42 (NTP servers)
---------------------------------------------------------------------------
  TIME: 2018-07-04 10:37:05.510
    IP: 192.168.1.252 (0:c:29:cb:52:99) > 192.168.1.95 (20:47:47:fc:f5:ea)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: 8ada1645
  SECS: 140
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 192.168.1.95
SIADDR: 192.168.1.252
GIADDR: 0.0.0.0
CHADDR: 20:47:47:fc:f5:ea:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         2 (DHCPOFFER)
OPTION:  54 (  4) Server identifier         192.168.1.252
OPTION:  51 (  4) IP address leasetime      600 (10m)
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:  28 (  4) Broadcast address         192.168.1.255
OPTION:   3 (  4) Routers                   192.168.1.1
OPTION:  15 ( 15) Domainname                freewaynet.corp
OPTION:   6 ( 12) DNS server                192.168.1.252,179.124.8.33,8.8.8.8
---------------------------------------------------------------------------
</code>

===== DHCPING =====

Sends a **"DHCP request"** packet to the DHCP server to check that it is online and running. This command lets the administrator verify that a remote DHCP server is working.

<code>
# dhcping -c <client ip> -s <dhcp server> -h <client mac>
# dhcping -c 192.168.1.95 -s 192.168.1.15 -h aa:bb:cc:dd:ee:ff
</code>

  * 192.168.1.95: IP address of the monitored host
  * 192.168.1.15: DHCP server
  * aa:bb:cc:dd:ee:ff: monitored MAC address

Looking at the server logs in /var/log/syslog:

<code>
Jul  4 11:02:15 silverbolt dhcpd[4795]: DHCPREQUEST for 192.168.1.95 from aa:bb:cc:dd:ee:ff via ens160: unknown lease 192.168.1.95.
Jul  4 11:02:17 silverbolt dhcpd[4795]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff (isadora) via ens160
Jul  4 11:02:17 silverbolt dhcpd[4795]: DHCPOFFER on 192.168.1.152 to aa:bb:cc:dd:ee:ff (isadora) via ens160
</code>

We can also sweep the network looking for DHCP servers. To scan the whole network for DHCP servers, use the following command:

<code>
root@isadora:~# dhcping -s 255.255.255.255 -r -v
Got answer from: 192.168.1.15
received from 192.168.1.15, expected from 255.255.255.255
Got answer from: 192.168.1.252
received from 192.168.1.252, expected from 255.255.255.255
no answer
root@isadora:~#
</code>

Note that two servers answered: 192.168.1.15 and 192.168.1.252. If there were no server at all, the reply would be:

<code>
root@isadora:~# dhcping -s 255.255.255.255 -r -v
no answer
</code>

===== NMAP =====

Nmap ships with a default script that lets you monitor the DHCP server:

<code>
root@isadora:~# nmap --script broadcast-dhcp-discover

Starting Nmap 6.40 ( http://nmap.org ) at 2018-07-04 11:04 AMT
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.1.154
|   DHCP Message Type: DHCPOFFER
|   Server Identifier: 192.168.1.15
|   IP Address Lease Time: 0 days, 0:05:00
|   Subnet Mask: 255.255.255.0
|   Router: 192.168.1.1
|   Domain Name Server: 192.168.1.252, 192.168.1.15, 179.124.8.33, 8.8.8.8
|   Domain Name: freewaynet.corp
|   Broadcast Address: 192.168.1.255
|_  NetBIOS Node Type: 2
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.50 seconds
root@isadora:~#
</code>

Using the -e option to pick the interface:

<code>
root@isadora:~# nmap --script broadcast-dhcp-discover -e eth0

Starting Nmap 6.40 ( http://nmap.org ) at 2018-07-04 11:06 AMT
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.1.154
|   DHCP Message Type: DHCPOFFER
|   Server Identifier: 192.168.1.15
|   IP Address Lease Time: 0 days, 0:05:00
|   Subnet Mask: 255.255.255.0
|   Router: 192.168.1.1
|   Domain Name Server: 192.168.1.252, 192.168.1.15, 179.124.8.33, 8.8.8.8
|   Domain Name: freewaynet.corp
|   Broadcast Address: 192.168.1.255
|_  NetBIOS Node Type: 2
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.27 seconds
root@isadora:~#
</code>

===== For Windows users =====

For Windows users there is dhcptest. I have never used it; I have only heard of it and looked it up, and since I do not use Windows I will leave that one for someone else. If anyone wants to test it and write it up here, the link is below. The command is called dhcptest: [[https://github.com/CyberShadow/dhcptest]]
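As an added example for the DHCP-LEASE-LIST section (my own code, not the contrib script or anything from this wiki), the same report built in Python from a dhcpd.leases file and the IEEE oui.txt: it parses the lease blocks, lets a later block for the same IP supersede an earlier one the way dhcpd appends them, keeps only active, unexpired bindings, and resolves the vendor from the MAC prefix. The lease file and the oui.txt excerpt are constructed; the MACs reuse two from the table above.

```python
import re
from datetime import datetime

# Constructed dhcpd.leases excerpt, compacted to one lease per two lines (dhcpd writes one statement
# per line, but the grammar is whitespace-insensitive). dhcpd appends a new block whenever a lease
# changes, so one IP can appear several times; timestamps in the file are UTC.
LEASES = """\
lease 192.168.1.122 { ends 3 2018/07/04 18:22:25; binding state active;
  hardware ethernet 00:0c:29:81:60:38; client-hostname "ariel"; }
lease 192.168.1.95 { ends 3 2018/07/04 18:00:00; binding state free;
  hardware ethernet 20:47:47:fc:f5:ea; }
lease 192.168.1.95 { ends 3 2018/07/04 18:22:43; binding state active;
  hardware ethernet 20:47:47:fc:f5:ea; client-hostname "isadora"; }
"""
# Constructed excerpt in the layout of the IEEE oui.txt file (only the "(hex)" lines are used).
OUI_TXT = "00-0C-29   (hex)\t\tVMware, Inc.\n000C29     (base 16)\t\tVMware, Inc.\n20-47-47   (hex)\t\tDell Inc.\n"

def load_oui(text):
    """Map the first three octets (upper-case hex, no separators) to a vendor name."""
    pat = re.compile(r"^([0-9A-F]{2})-([0-9A-F]{2})-([0-9A-F]{2})\s+\(hex\)\s+(.+)$")
    found = (pat.match(line.strip()) for line in text.splitlines())
    return {"".join(m.group(1, 2, 3)): m.group(4).strip() for m in found if m}

def parse_leases(text):
    """Return {ip: record}; a later block for the same IP supersedes an earlier one."""
    leases = {}
    for m in re.finditer(r"lease\s+(\S+)\s*\{(.*?)\}", text, re.S):
        rec = {"ip": m.group(1), "mac": None, "hostname": "-NA-", "ends": None, "state": None}
        for w in (s.split() for s in m.group(2).split(";")):
            if w[:1] == ["hardware"] and len(w) > 2: rec["mac"] = w[2].lower()
            elif w[:1] == ["binding"] and len(w) > 2: rec["state"] = w[2]
            elif w[:1] == ["client-hostname"]: rec["hostname"] = " ".join(w[1:]).strip('"')
            elif w[:2] == ["ends", "never"]: rec["ends"] = datetime.max  # infinite lease
            elif w[:1] == ["ends"] and len(w) > 3:
                rec["ends"] = datetime.strptime(w[2] + " " + w[3], "%Y/%m/%d %H:%M:%S")
        leases[rec["ip"]] = rec
    return leases

def lease_list(leases_text, oui_text, now):
    """Rows (mac, ip, hostname, valid until, vendor) for leases still active at `now` (UTC)."""
    oui, rows = load_oui(oui_text), []
    for rec in parse_leases(leases_text).values():
        if rec["state"] != "active" or not rec["mac"] or not rec["ends"] or rec["ends"] < now:
            continue  # free, expired or abandoned bindings are not listed, as in dhcp-lease-list
        vendor = oui.get(rec["mac"].replace(":", "").upper()[:6], "-NA-")
        rows.append((rec["mac"], rec["ip"], rec["hostname"], rec["ends"].strftime("%Y-%m-%d %H:%M:%S"), vendor))
    return sorted(rows)

if __name__ == "__main__":
    for row in lease_list(LEASES, OUI_TXT, datetime(2018, 7, 4, 18, 15)): print(*row, sep="  ")
```

On a real server read /var/lib/dhcp/dhcpd.leases and /usr/local/etc/oui.txt and pass the current UTC time as `now`.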
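As an added example for the DHCPDUMP section (my own code, not part of dhcpdump or this wiki), a small decoder for the wire format that dhcpdump prints: the 236-byte BOOTP header, the magic cookie and the TLV option list, with a check that rejects an option whose length runs past the end of the packet. The DHCPDISCOVER it decodes is constructed to carry the same XID, client MAC, hostname and parameter request list as the request shown above.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"             # DHCP magic cookie that follows the BOOTP header
BOOTP = "!BBBB4sHH4s4s4s4s16s64s128s"   # op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
MSG_TYPE = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}

def build_discover(xid, mac, hostname, prl):
    """Constructed DHCPDISCOVER (secs=140 like the dump above): header, cookie, options 53/12/55, end."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack(BOOTP, 1, 1, 6, 0, bytes.fromhex(xid), 140, 0,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4, chaddr, b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, 1]) + bytes([12, len(hostname)]) + hostname.encode()
            + bytes([55, len(prl)]) + bytes(prl) + b"\xff")
    return hdr + MAGIC + opts

def ip(b):
    return ".".join(str(x) for x in b)

def parse_dhcp(pkt):
    """Decode the fixed header and the TLV options; raise ValueError on a malformed packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    f = struct.unpack(BOOTP, pkt[:236])
    out = {"op": {1: "BOOTPREQUEST", 2: "BOOTPREPLY"}.get(f[0], f[0]), "xid": f[4].hex(), "secs": f[5],
           "ciaddr": ip(f[7]), "yiaddr": ip(f[8]), "siaddr": ip(f[9]),
           "chaddr": ":".join(f"{b:02x}" for b in f[11][:min(f[2], 16)]), "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != 255:            # 255 = end option
        code = pkt[i]
        if code == 0:                                 # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError(f"option {code} runs past the end of the packet")
        ln, val = pkt[i + 1], pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + ln
        if code == 53 and ln == 1: out["options"]["message_type"] = MSG_TYPE.get(val[0], val[0])
        elif code == 12: out["options"]["hostname"] = val.decode("ascii", "replace")
        elif code == 55: out["options"]["parameter_request"] = list(val)
        elif code in (1, 3, 28, 54) and ln == 4: out["options"][code] = ip(val)   # single-address options
        elif code == 6 and ln % 4 == 0: out["options"][code] = [ip(val[k:k + 4]) for k in range(0, ln, 4)]
        else: out["options"][code] = val.hex()
    return out

if __name__ == "__main__":
    print(parse_dhcp(build_discover("8ada1645", "20:47:47:fc:f5:ea", "isadora", [1, 28, 2, 3, 15, 6])))
```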
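As an added example for the DHCPING sweep and the NMAP broadcast-dhcp-discover script above (my own code, not from this wiki or either tool), a check that turns those outputs into an audit: the page's two servers 192.168.1.15 and 192.168.1.252 are the approved ones, so two answers there are expected, whereas a responder that is not on the list, or an offer whose router or DNS differs from the expected values, is the signature of a rogue DHCP server worth investigating. The policy, the nmap output with the unlisted responder 192.168.1.77 and the dhcping output are all constructed.

```python
import re
# Expected DHCP parameters for this segment (constructed policy; values mirror the nmap output above).
POLICY = {
    "servers": {"192.168.1.15", "192.168.1.252"},
    "router": "192.168.1.1",
    "dns": {"192.168.1.252", "192.168.1.15", "179.124.8.33", "8.8.8.8"},
}
# Constructed nmap --script broadcast-dhcp-discover output in which an unlisted host answered.
NMAP_OUT = """\
Pre-scan script results:
| broadcast-dhcp-discover:
|   IP Offered: 192.168.1.154
|   DHCP Message Type: DHCPOFFER
|   Server Identifier: 192.168.1.77
|   IP Address Lease Time: 0 days, 0:05:00
|   Subnet Mask: 255.255.255.0
|   Router: 192.168.1.77
|   Domain Name Server: 192.168.1.77, 8.8.8.8
|_  Domain Name: freewaynet.corp
"""
# Constructed dhcping -s 255.255.255.255 -r -v output for the same segment.
DHCPING_OUT = ("Got answer from: 192.168.1.15\nreceived from 192.168.1.15, expected from 255.255.255.255\n"
               "Got answer from: 192.168.1.77\nreceived from 192.168.1.77, expected from 255.255.255.255\nno answer\n")
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_nmap_offer(text):
    """Turn the '|   Key: value' lines of the script output into a dict."""
    return {m.group(1).strip(): m.group(2).strip()
            for m in re.finditer(r"^\|_?\s+([^:]+):\s*(.*)$", text, re.M)}

def servers_from_dhcping(text):
    """Server addresses that answered the broadcast probe."""
    return set(re.findall(rf"^Got answer from:\s*({IPV4})", text, re.M))

def audit_offer(offer, policy):
    """Policy violations in one DHCPOFFER; an empty list means the offer matches what we expect."""
    findings = []
    srv = offer.get("Server Identifier")
    if srv not in policy["servers"]:
        findings.append(f"offer from unexpected server {srv}")
    if offer.get("Router") != policy["router"]:
        findings.append(f"router {offer.get('Router')} differs from expected {policy['router']}")
    for bad in sorted(set(re.findall(IPV4, offer.get("Domain Name Server", ""))) - policy["dns"]):
        findings.append(f"unexpected DNS server {bad}")
    return findings

def audit_responders(seen, policy):
    """Responders that are not approved DHCP servers (a rogue server shows up here)."""
    return seen - policy["servers"]
```

Run the two commands on a schedule, feed their output to these functions and alert on any non-empty result.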