> To here I thought I was understanding what you were talking about.
> >
> > How well do you have your local IP addresses under control? Does your
> > DHCP server just have a pool and gives out addresses from that? Or
> > have you got it configured to give out specific IP addresses for
> > configured MAC addresses?
> 
> Now I'm thinking the bright shiny Maserati just blew by me - - - - grin!
>
> This is what I'm trying to learn. I think I'm a few steps behind what you're
> talking about here.
> Any suggestions as to some pages for studying and learning and
> implementing own DHCP and monitoring local IP addys etc?

I'm assuming your DD-WRT box is your DHCP server? If so, see if these
help:

https://wiki.dd-wrt.com/wiki/index.php/Static_DHCP
https://wiki.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server

You want to configure static leases. In the first example, the device
in your network which has MAC address 00:11:22:33:44:55 is always
given the IP address 192.168.1.50. So when you see 192.168.1.50 in
wireshark, you know what device that is. There is probably a status
page somewhere in DD-WRT showing the leases it has already given out
from its pool. It should list the MAC address and the address from the
pool. So you can get all the MAC addresses from there. The tricky part
is working out what device the MAC address belongs to. You can get
some clues, e.g. feed the MAC address into:

https://aruljohn.com/mac.pl

and it will tell you which company the MAC address has been assigned
to.

When you can figure out what a MAC address belongs to, add a static
lease for it. Then either be patient for its current lease to expire,
or power cycle it for immediate results. It should then take the fixed
IP address you have configured for it.

Laptops, tablets, phones, desktops are easy, you can log in and see how
they are configured, get the MAC address with "ip link show",
etc. Your smart lightbulbs and other IoT devices often don't have a
nice simple way to give you their MAC address, so you need to do a
bit more detective work.

> > 2) Analyse the frames. Grab the file of captured frames and let
> > wireshark decode it. You can then look at the traffic, figure out what
> > source/sink is. Depending on your dhcp/dns setup, it should be able to
> > give you hostnames, not IP addresses.
> >
> I think I have some things to work on before I'm at this step.

You can start without having DHCP and DNS fully under your control. It
will just make it a bit harder to attribute packets to devices, since
you have no idea who 192.168.42.42 is in your network. But if you see
it talking to Apple servers, you can guess it is an Apple device. If
it talks to LG servers, it could be your SMART TV, etc.

   Andrew
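
The lease-to-static-lease step described in the message above, as an added example that is not part of the original thread: it reads a dnsmasq lease table and emits candidate `dhcp-host=` lines, flagging locally administered MACs (often a randomized privacy MAC), for which a vendor lookup gives no answer. The sample leases and the `dev-` naming scheme are constructed for illustration.

```python
import re

# Constructed sample in dnsmasq lease-file format:
#   <expiry epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1700003600 00:11:22:33:44:55 192.168.1.50 laptop 01:00:11:22:33:44:55
1700003700 a6:5e:60:12:34:56 192.168.1.117 * *
1700003800 00:11:22:aa:bb:cc 192.168.1.123 * *
not a lease line
"""

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


def parse_leases(text):
    """Return (mac, ip, hostname) tuples, skipping malformed lines."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        mac = fields[1].lower()
        if MAC_RE.fullmatch(mac):
            leases.append((mac, fields[2], fields[3]))
    return leases


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (not a vendor-assigned MAC)."""
    return bool(int(mac[:2], 16) & 0x02)


def static_lease_lines(leases):
    """Build dnsmasq dhcp-host= lines; flag MACs a vendor lookup cannot resolve."""
    lines = []
    for mac, ip, host in leases:
        # Hypothetical naming scheme for devices that sent no hostname.
        name = host if host != "*" else "dev-" + mac[-8:].replace(":", "")
        line = f"dhcp-host={mac},{name},{ip}"
        if is_locally_administered(mac):
            line = "# locally administered MAC, identify the device first: " + line
        lines.append(line)
    return lines


if __name__ == "__main__":
    for entry in static_lease_lines(parse_leases(SAMPLE_LEASES)):
        print(entry)
```
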