Intro
Checkpoint Gaia offers a DHCP service, but it is based on a crude and old DHCP daemon implementation from ISC. Doesn’t give you much. Mostly just the file /var/lib/dhcpd/dhcpd.leases, which it constantly updates. A typical DHCP client entry looks like this:

```
lease 10.24.69.22 {
  starts 5 2018/11/16 22:32:59;
  ends 6 2018/11/17 06:32:59;
  binding state active;
  next binding state free;
  hardware ethernet 30:d9:d9:20:ca:4f;
  uid "\0010\331\331 \312O";
  client-hostname "KeNoiPhone";
}
```
The details
So I modified a perl script to take all those lines and make sense of them.
I called it lease-examine.pl.
Here it is:

```perl
#!/usr/bin/perl
# from https://askubuntu.com/questions/219609/how-do-i-show-active-dhcp-leases - DrJ 11/15/18
my $VERSION=0.03;

##my $leases_file = "/var/lib/dhcpd/dhcpd.leases";
my $leases_file = "/tmp/dhcpd.leases";

use strict;
use Date::Parse;

my $now = time;
##print $now;
##exit;
# 12:22 PM 11/15/18 EST
#my $now = "1542302555";
my %seen; # leases file has dupes (because logging failover stuff?). This hash will get rid of them.

open(L, $leases_file) or die "Can't open $leases_file : $!\n";
undef $/; # slurp mode: read the whole file in one go
my @records = split /^lease\s+([\d\.]+)\s*\{/m, <L>;
close(L);
shift @records; # remove stuff before first "lease" block

## process 2 array elements at a time: ip and data
foreach my $i (0 .. $#records) {
    next if $i % 2;
    my $ip;
    ($ip, $_) = @records[$i, $i+1];

    s/^\n+//;     # && warn "leading spaces removed\n";
    s/[\s\}]+$//; # && warn "trailing junk removed\n";

    my ($s) = /^\s* starts \s+ \d+ \s+ (.*?);/xm;
    my ($e) = /^\s* ends \s+ \d+ \s+ (.*?);/xm;

    ##my $start = str2time($s);
    ##my $end = str2time($e);
    # timestamps in the leases file are UTC
    my $start = str2time($s, 'UTC');
    my $end = str2time($e, 'UTC');

    my %h; # to hold values we want

    foreach my $rx ('binding', 'hardware', 'client-hostname') {
        my ($val) = /^\s*$rx.*?(\S+);/sm;
        $h{$rx} = $val;
    }

    my $formatted_output;

    if ($end && $end < $now) {
        # lease end time is in the past: flag it as expired
        $formatted_output =
            sprintf "%-15s : %-26s " . "%19s " . "%9s " . "%24s " . "%24s\n",
                    $ip, $h{'client-hostname'}, "", $h{binding}, "expired", scalar(localtime $end);
    }
    else {
        $formatted_output =
            sprintf "%-15s : %-26s " . "%19s " . "%9s " . "%24s -- " . "%24s\n",
                    $ip, $h{'client-hostname'}, "($h{hardware})", $h{binding}, scalar(localtime $start), scalar(localtime $end);
    }

    next if $seen{$formatted_output};
    $seen{$formatted_output}++;
    print $formatted_output;
}
```
Even that script produces a thicket of confusing information. So then I further process it. I call this script dhcp-check.sh:
```sh
#!/bin/sh
# DrJ 11/15/18
# bring over current dhcp lease file from firewall FW-1
date
echo fetching lease file dhcpd.leases
# stop here if the copy fails, otherwise a stale /tmp/dhcpd.leases would be analyzed
scp admin@FW-1:/var/lib/dhcpd/dhcpd.leases /tmp || { echo "scp failed" >&2; exit 1; }
# analyze it. this should show us active leases
echo analyze dhcpd.leases
DIR=$(dirname "$0")
"$DIR"/lease-examine.pl|grep active|grep -v expired > /tmp/intermed-results
# intermed-results looks like:
#10.24.76.124 : "android-7fe22a415ce21c55" (50:92:b9:b8:92:a0) active Thu Nov 15 11:32:13 2018 -- Thu Nov 15 15:32:13 2018
#10.24.76.197 : "android-283a4cb47edf3b8c" (98:39:8e:a6:4f:15) active Thu Nov 15 11:37:23 2018 -- Thu Nov 15 15:32:14 2018
#10.24.70.236 : "other-Phone" (38:25:6b:79:31:60) active Thu Nov 15 11:32:24 2018 -- Thu Nov 15 15:32:24 2018
#10.24.74.133 : "iPhone-de-Lucia" (34:08:bc:51:0b:ae) active Thu Nov 15 07:32:26 2018 -- Thu Nov 15 15:32:26 2018
#exit
# further processing. remove the many duplicate lines
echo count active leases
awk '{print $1}' /tmp/intermed-results|sort -u|wc -l > /tmp/dhcp-active-count
echo count is `cat /tmp/dhcp-active-count`
```
And that script gives me what I believe is an accurate count of the active leases. I run it every 10 minutes from SiteScope and voila, we have a way to know when we’re coming close to running out of IP addresses.
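An added example, not part of the original post: dhcpd.leases is an append-only log, and per dhcpd.leases(5) the last record written for an IP is the one in effect. This single awk pass counts only IPs whose last record is active and not yet ended, so an address that was active earlier but has since been released is not counted. The function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example (not the post's code). Count IPs whose LAST lease record is
# "binding state active" and not yet ended. Timestamps in dhcpd.leases are UTC
# "YYYY/MM/DD HH:MM:SS", which compares correctly as plain strings.
count_active_leases() {   # $1 = leases file ("-" = stdin), $2 = now in UTC (optional)
    now=${2:-$(date -u '+%Y/%m/%d %H:%M:%S')}
    awk -v now="$now" '
        $1 == "lease" && $3 == "{" { ip = $2; state = ""; ends = ""; next }
        ip == "" { next }                      # not inside a lease block
        $1 == "ends" { ends = ($2 == "never;") ? "never" : ($3 " " $4); sub(/;$/, "", ends) }
        $1 == "binding" && $2 == "state" { state = $3; sub(/;$/, "", state) }
        $1 == "}" { last_state[ip] = state; last_ends[ip] = ends; ip = "" }
        END {
            for (a in last_state)
                if (last_state[a] == "active" && (last_ends[a] == "never" || last_ends[a] > now))
                    n++
            print n + 0
        }
    ' "$1"
}
sample_leases() {   # constructed sample data, not taken from a real firewall
    cat <<'EOF'
lease 10.24.69.22 {
  ends 6 2018/11/17 06:32:59;
  binding state active;
  next binding state free;
}
lease 10.24.69.23 {
  ends 6 2018/11/17 02:00:00;
  binding state active;
}
lease 10.24.69.24 {
  ends 5 2018/11/16 20:00:00;
  binding state active;
}
lease 10.24.69.23 {
  ends 6 2018/11/17 06:00:00;
  binding state active;
}
lease 10.24.69.22 {
  ends 5 2018/11/16 22:45:00;
  binding state free;
}
EOF
}
sample_leases | count_active_leases - '2018/11/16 23:00:00'
```

In the sample, 10.24.69.22 was released after its first record, 10.24.69.24 has run past its end time, and 10.24.69.23 was renewed, so only one address counts as in use at 23:00 UTC.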