
I have a Server 2012 R2 box running DHCP for IPv4 and IPv6. In reviewing the leases for IPv6, there is a set that does not have names. These have a DUID type of 04, as shown in this picture:

[Image: IPv6 leases with no names]

I can't seem to figure out what these devices are. They don't show up in the DNS list for the network. They do not respond to a ping for the client IPv6 address. Does anybody know of some way to figure out what devices these leases relate to?

Hoping this isn't an indication of some intrusion...

Thanks, Ben

BCH

1 Answer

You can try looking up their MAC address at this site: http://aruljohn.com/mac.pl. It will tell you the manufacturer of the device. This may or may not be helpful, but I have used it before to identify mystery devices on our network.

George
  • Thanks for the suggestion, George. I don't know the MAC address in this case. All of the info I know about the device is what's shown in the picture link: the IAID and the DUID. Is there a place where they can be used to look up devices? – BCH May 25 '17 at 13:52
  • You can try checking the IPv6 equivalent of the ARP cache by using the command "netsh int ipv6 show neigh". Try running that on the server and looking for the IPv6 addresses in question. It will show you the MAC address for the device. – George May 25 '17 at 14:23
  • The netsh command you gave provides a lot of great info - thanks, George. The IPv6 addresses in question do show up in the output. Unfortunately, the Physical Address and Type fields both show "Unreachable", so I can't grab the MAC address. (I'm going to keep that command handy, though!) – BCH May 25 '17 at 14:37
  • Bummer, sorry I couldn't be of more help. – George May 25 '17 at 14:51
  • Thanks a ton for the assist, George. I've deleted the bogus leases and plan to keep a closer eye on it to see if/when they come back for renewal. Maybe if I catch it early the netsh info will reveal all. – BCH May 25 '17 at 15:39
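
Added example, not part of the original thread: a decoder for the DUID types defined in RFC 8415 and RFC 6355, showing which of them embed a link-layer (MAC) address. Type 4 (DUID-UUID) carries only a 128-bit UUID, so a lease with that DUID type gives no MAC to look up. The DUID strings below are constructed samples, and `parse_duid` is a name chosen for this sketch.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# DUID-LLT timestamps count seconds from this epoch (RFC 8415).
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def _hex_addr(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_duid(text):
    """Decode a DUID written as hex, with or without '-' or ':' separators."""
    raw = bytes.fromhex(text.strip().replace("-", "").replace(":", ""))
    if len(raw) < 3:
        raise ValueError("DUID too short")
    dtype, body = struct.unpack("!H", raw[:2])[0], raw[2:]
    if dtype == 1 and len(body) > 6:   # DUID-LLT: hw type, time, link-layer addr
        hw, secs = struct.unpack("!HI", body[:6])
        return {"type": "DUID-LLT", "hw_type": hw,
                "created": DUID_EPOCH + timedelta(seconds=secs),
                "link_layer": _hex_addr(body[6:])}
    if dtype == 2 and len(body) > 4:   # DUID-EN: enterprise number + vendor id
        return {"type": "DUID-EN", "link_layer": None,
                "enterprise": struct.unpack("!I", body[:4])[0],
                "identifier": body[4:].hex()}
    if dtype == 3 and len(body) > 2:   # DUID-LL: hw type, link-layer addr
        return {"type": "DUID-LL", "hw_type": struct.unpack("!H", body[:2])[0],
                "link_layer": _hex_addr(body[2:])}
    if dtype == 4 and len(body) == 16:  # DUID-UUID (RFC 6355): UUID only
        return {"type": "DUID-UUID", "link_layer": None,
                "uuid": str(uuid.UUID(bytes=body))}
    raise ValueError(f"unknown or malformed DUID (type {dtype})")


if __name__ == "__main__":
    # Constructed sample values, not taken from the original post.
    samples = [
        "00-01-00-01-1F-2E-3D-4C-00-11-22-33-44-55",
        "00-03-00-01-AA-BB-CC-DD-EE-FF",
        "00-04-12-34-56-78-9A-BC-4D-EF-80-12-34-56-78-9A-BC-DE",
    ]
    for s in samples:
        print(s, "->", parse_duid(s))
```

A decoded DUID-UUID can be compared against machine UUIDs in an asset inventory if one exists; whether a given client derives its DUID from such a UUID is an assumption to verify.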