DHCP leases and connected clients

[Markfree]

Sometimes I check how many leases DHCP has issued using this command.

cat /var/lib/misc/dnsmasq.leases | wc -l

That doesn't really tell me if those clients are connected or not.
So, to check how many connected clients I have, I try this:

arp -a | awk '$4!="<incomplete>"' | wc -l

The thing is that I'm not sure this ARP command actually shows current active clients.

Does anyone actually check for how many DHCP leases the router has issued or how many clients are connected?
How do you do so?

 

[ColinTaylor]

See the discussion in this thread starting from this post for some background.

The problem with Ethernet connected devices is that there's no way to passively determine if they are currently connected. You would have to try and connect to them, e.g. using ping. A client that is connected but idle and another that was connected would have the same type of arp table entry.

 

[drinkingbird]

See the discussion in this thread starting from this post for some background.

The problem with Ethernet connected devices is that there's no way to passively determine if they are currently connected. You would have to try and connect to them, e.g. using ping. A client that is connected but idle and another that was connected would have the same type of arp table entry.

Yeah you run into two challenges. You can power off a machine but it will still have an ARP entry until the timeout expires (not sure what Asus default timeout is but usually it is 1 to 5 mins). On the other hand, you can have an idle machine that is online and can be reached, but unless it does gratuitous ARP frequently, it won't be in the ARP table until you ping it or generate traffic to/from it.

That's the challenge with the client list in the GUI. Idle wired clients will not be listed, until you ping or generate some traffic to/from them, at which point they appear. For it to be truly accurate, it would have to ping them every so often and determine their online status that way (assuming they respond to ping).

Of course the DHCP lease will last far longer than ARP table, you can have a lease for hours or days after you shut down a client. So there isn't really any use in comparing ARP to DHCP leases.

 

[Tech Junky]

Ping the broadcast IP and it will populate the ARP table.

ping 192.168.1.255 would ping all hosts in 192.168.1.x/24

Reading leases from /var/lib/dhcp/dhcpd.leases
MAC                IP              hostname       valid until         manufacturer       
===============================================================================================
00:18:dd:0a:24:7a  192.168.0.102   HDHR-10A247A7  2022-05-10 12:53:58 Silicondust Engineering Ltd
00:22:6c:04:11:61  192.168.0.104   SoundBarSetup_ 2022-05-10 13:09:44 LinkSprite Technologies, Inc.
00:bb:c1:9a:fe:2c  192.168.0.105   -NA-           2022-05-10 14:06:16 CANON INC.         
14:c1:4e:d7:e0:a3  192.168.0.103   -NA-           2022-05-10 12:53:59                     
64:16:66:08:cc:44  192.168.0.106   09AA01AC491702 2022-05-10 18:07:00 Nest Labs Inc.     

192.168.0.170            ether   d8:f8:83:d9:30:14   C                     br0
192.168.0.103            ether   14:c1:4e:d7:e0:a3   C                     br0
192.168.0.102            ether   00:18:dd:0a:24:7a   C                     br0
192.168.0.60             ether   c6:a1:7f:fc:0f:ff   C                     br0
192.168.0.106            ether   64:16:66:08:cc:44   C                     br0
192.168.0.105            ether   00:bb:c1:9a:fe:2c   C                     br0
192.168.0.65             ether   bc:cf:4f:d7:5f:20   C                     br0
192.168.0.104            ether   00:22:6c:04:11:61   C                     br0

I have a few static assignments and DHCP for a few. This is the output from Linux but, should be the same or similar in your router.

 

[ColinTaylor]

You can power off a machine but it will still have an ARP entry until the timeout expires (not sure what Asus default timeout is but usually it is 1 to 5 mins).

The problem with the Asus is that the ARP entry never times out. The best you can do is to actively ping a device and if it's unreachable it's status changes to incomplete. If you don't ping it then the ARP entry often remains unchanged and it looks like it's online even though it disconnected long ago.

Ping the broadcast IP and it will populate the ARP table.

This doesn't work reliably (populate the ARP table) on my network. That's probably because most devices nowadays have icmp_echo_ignore_broadcasts set. But the problem isn't populating the ARP table, it's removing or identifying stale entries.

 

[Markfree]

Great insights, guys!
So, as those verifications are not accurate as I would hope them to be, I take it that they are not that relevant... right?

 

[ColinTaylor]

Great insights, guys!
So, as those verifications are not accurate as I would hope them to be, I take it that they are not that relevant... right?

I can't say it's something I've ever felt the need to know. I'd be more interested in the volume of traffic flowing across the network rather than the number of devices turned on.