WRT54G: Find out what devices have been getting an IP from the DHCP log

[Irongeek]

This is too short to be a Tutorial but I thought some of you might find it of interest. As many of you know, the Linksys WRT54G router runs Linux on a MIPS processor. With the right firmware you can do a lot more with the WRT54G then was originally intended by Linksys. This article will show you how to find out what devices have been getting an IP from the DHCP daemon that’s running on your WRT54G. You can use you imagination to see how this may be useful.



The first thing you need to do is get the modified firmware from http://h.vu.wifi-box.net/ and load it onto your Linksys. This firmware for the WRT54G lets you telnet into the router and mess around with the inner workings. If you don’t like using telnet for security reasons then try the firmware from http://www4.ncsu.edu/~bdferris/linksys_wrt54g/, it has a SSH Daemon and you may be able to do the same tricks with it. Once you have installed the firmware, telnet into the router (in most cases just “telnet 192.168.1.1” from the command line will work) and issue the command “dumpleases -f /tmp/udhcpd.leases”. Below is some sample output:

Code:

# dumpleases -f /tmp/udhcpd.leases
Hostname         Mac Address       IP-Address      Expires in
erwin            00:c0:f0:31:98:00 192.168.1.100   13 hours, 23 minutes, 27 seconds
the-pitt         00:10:dc:91:f6:6c 192.168.1.101   16 hours, 19 minutes, 40 seconds
you-know         00:0c:41:12:f2:a3 192.168.1.102   13 hours, 19 minutes, 24 seconds
openzaurus       00:10:7a:58:37:a6 192.168.1.103   expired
terror-drome     00:00:00:00:00:00 192.168.1.106   expired
                 00:00:00:00:00:00 192.168.1.104   expired
                 00:00:00:00:00:00 192.168.1.108   expired
                 00:00:00:00:00:00 192.168.1.105   expired
darkness         00:0d:88:83:32:8a 192.168.1.107   expired
Knoppix          00:0c:41:12:ad:bc 192.168.1.109   expired
terror-drome     00:00:00:00:00:00 192.168.1.110   expired
Knoppix          00:02:dd:32:d0:f6 192.168.1.111   expired
                 00:00:00:00:00:00 192.168.1.112   expired
DigitalPrimate2  00:06:25:24:77:ff 192.168.1.113   expired
greatwhitedope   00:10:4b:a5:ad:8a 192.168.1.114   expired
greatwhitedope   00:e0:63:50:79:a3 192.168.1.115   expired
greatwhitedope   00:00:00:00:00:02 192.168.1.116   expired
greatwhitedope   00:00:00:00:00:03 192.168.1.117   expired
terror-drome     00:30:f1:43:a8:30 192.168.1.119   16 hours, 24 minutes, 36 seconds
#
#

As you can see, you now have the host name, MAC address and given IP of the devices that have used the DHCP daemon on your router recently. Notice that some of my devices have had their MAC addresses changed frequently, the is because of preparation for a previous article. You can use this lease information to help figure out who has been attaching to your router.