DHCP Top Lease Clients -- Ignoring some "Conversations"

I have some DHCP alerts working that find DHCP abusers \ broken clients.  However, I would like to leverage the DHCP top lease clients report to try and single out the top talkers during an alert.


Today we had a Cisco phone that, due to a misconfiguration, came up on a VLAN without the TFTP servers configured for it.  The phone then got stuck in a DHCP REQUEST loop that sent about 2,000 requests per second to our DHCP server.  This is obviously a very broken DHCP client, but this is not an uncommon state for a device to get into for us.  We seem to track down a phone or printer in this state a few times a month.

Because this was a REQUEST \ ACK only conversation, the MAC and IP never came up on the DHCP top clients reports because the "ACTION" field in "sourcetype=ib:dhcp:lease_history" doesn't ever seem to capture this traffic.

Is there another way to get to this stuck \ partial conversation and provide it as part of a report \ alert?


In the syslog, this sticks out easily, but I can't seem to find where to pull it in Splunk.
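The post describes the gap: a client stuck in a REQUEST/ACK loop never appears in the lease-history report because no lease action is recorded for it, while the raw DHCP server syslog shows every REQUEST and ACK. The following is an added example (not code from the original thread or from Infoblox/Splunk) of detecting that pattern directly from the syslog: it parses ISC dhcpd-style lines (the log format is an assumption, since the post does not show one), counts messages per MAC, computes the peak number of DHCPREQUESTs any one client sends in a single second, and flags clients above a threshold. The log lines and MAC/IP addresses are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Regexes for ISC dhcpd-style syslog lines, e.g.
#   Mar  4 10:15:01 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.10.20.50 from 00:11:22:33:44:55 via 10.10.20.1
# This format is an assumption; adjust the regexes to whatever the DHCP server actually logs.
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})")
MSG_RE = re.compile(r"dhcpd\[\d+\]:\s+(?P<msg>DHCP[A-Z]+)\b(?P<rest>.*)$")
MAC_RE = re.compile(r"\b((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line):
    """Return {'ts', 'msg', 'mac', 'ip'} for one dhcpd syslog line, or None if it is not a DHCP message."""
    ts = TS_RE.match(line)
    msg = MSG_RE.search(line)
    if not ts or not msg:
        return None
    rest = msg.group("rest")
    mac = MAC_RE.search(rest)
    # The client address is the first IP after the message keyword, except on DISCOVER,
    # where the only address present is the relay ("via ...") and must not be taken as the client.
    ip = None if msg.group("msg") == "DHCPDISCOVER" else IP_RE.search(rest)
    return {
        "ts": ts.group("ts"),  # second resolution is enough for a per-second rate
        "msg": msg.group("msg"),
        "mac": mac.group(1).lower() if mac else None,
        "ip": ip.group(1) if ip else None,
    }


def summarize(lines):
    """Per-MAC message-type counts, last seen IP, and peak DHCPREQUESTs in any single second."""
    counts = defaultdict(Counter)        # mac -> Counter of message types
    req_per_sec = defaultdict(Counter)   # mac -> Counter of timestamp -> REQUEST count
    last_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["mac"] is None:
            continue
        counts[rec["mac"]][rec["msg"]] += 1
        if rec["ip"]:
            last_ip[rec["mac"]] = rec["ip"]
        if rec["msg"] == "DHCPREQUEST":
            req_per_sec[rec["mac"]][rec["ts"]] += 1
    return {
        mac: {
            "counts": dict(c),
            "ip": last_ip.get(mac),
            "peak_req_per_sec": max(req_per_sec[mac].values(), default=0),
        }
        for mac, c in counts.items()
    }


def top_talkers(lines, threshold=50, limit=5):
    """Clients whose peak DHCPREQUEST rate reaches `threshold` per second, busiest first.

    A healthy client sends one REQUEST per lease or renewal, so the threshold is far above
    anything legitimate; tune it to the environment.
    """
    hot = []
    for mac, s in summarize(lines).items():
        if s["peak_req_per_sec"] >= threshold:
            hot.append({
                "mac": mac,
                "ip": s["ip"],
                "peak_req_per_sec": s["peak_req_per_sec"],
                "requests": s["counts"].get("DHCPREQUEST", 0),
                "acks": s["counts"].get("DHCPACK", 0),
                # No DISCOVER at all is the signature of the REQUEST/ACK-only loop from the post.
                "request_ack_only": s["counts"].get("DHCPDISCOVER", 0) == 0,
            })
    return sorted(hot, key=lambda t: t["requests"], reverse=True)[:limit]


def build_sample_log():
    """Constructed sample: one healthy DISCOVER/OFFER/REQUEST/ACK exchange plus a phone
    stuck in a REQUEST/ACK loop at 200 requests per second for three seconds."""
    lines = [
        "Mar  4 10:15:00 dhcp1 dhcpd[1234]: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via 10.10.30.1",
        "Mar  4 10:15:00 dhcp1 dhcpd[1234]: DHCPOFFER on 10.10.30.77 to aa:bb:cc:dd:ee:ff via 10.10.30.1",
        "Mar  4 10:15:00 dhcp1 dhcpd[1234]: DHCPREQUEST for 10.10.30.77 (10.10.30.2) from aa:bb:cc:dd:ee:ff via 10.10.30.1",
        "Mar  4 10:15:00 dhcp1 dhcpd[1234]: DHCPACK on 10.10.30.77 to aa:bb:cc:dd:ee:ff via 10.10.30.1",
    ]
    for sec in range(1, 4):
        for _ in range(200):
            lines.append(f"Mar  4 10:15:0{sec} dhcp1 dhcpd[1234]: DHCPREQUEST for 10.10.20.50 from 00:11:22:33:44:55 via 10.10.20.1")
            lines.append(f"Mar  4 10:15:0{sec} dhcp1 dhcpd[1234]: DHCPACK on 10.10.20.50 to 00:11:22:33:44:55 via 10.10.20.1")
    return lines


if __name__ == "__main__":
    for t in top_talkers(build_sample_log()):
        print(f"{t['mac']} {t['ip']} peak={t['peak_req_per_sec']}/s requests={t['requests']} "
              f"acks={t['acks']} request_ack_only={t['request_ack_only']}")
```

Run against a real dhcpd syslog with `top_talkers(open("dhcpd.log"))`. If the raw DHCP server syslog is indexed in Splunk, the same idea is a `rex` extracting the message keyword and MAC from `_raw`, then `bucket _time span=1s | stats count by mac, _time`, which is independent of the lease-history ACTION field the post says misses this traffic; the exact sourcetype for the raw syslog is not given in the thread, so that is left unspecified here.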

Re: DHCP Top Lease Clients -- Ignoring some "Conversations"

Problem solved here:

DHCP Top Talkers
