For some reason a for me unknown device is trying to connect to my router and fills up its log.
Apparently it must have connected at least once with my router because it gets offered an IP address. To find out the device I tried to look up the mac address (02:44:86:eb:07:ae) with no luck.
Is there a way to find out what device this is?
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
No, I'm sure my neighbors do not have my credentials nor did they ever have them nor do they have access via copper.
That's what puzzles me; I can rule out my surroundings so that leaves only a "known" device. And nothing has changed in my own situation. It just starting to happen.
That is something i could pursue when users are logged out. It should give me at least a lead if it tries to connect via copper of wifi (almost certain wifi).
I used to deliver fairly low level courses in cyber security. For homework at the end of day one I would get them to try to access their router logs to analyse what sort of info they could get from them. One of the attendees was a copper, and looked pretty angry the next morning. I thought he was disappointed about the standard of training delivery (which would have been fair enough) but when it came to feedback on the router exercise it turned out he's discovered a "rouge" device on his router. Somehow he'd traced it back to a neighbouring flat, and worked out they must have taken a photo of the back of his router shortly after they'd moved in and had popped around on the pretence of being neighbourly. Apparently they "had words!"
Probably not your issue, but still made me chuckle
My approach is similar to @brada4's, and I don't view it as "masking the issue." The idea is to first try to identify the method by which the device is attaching to the network. If you're confident it is wifi, you can skip the physical ethernet ports, of course, but if not, physically go through and unplug each device while there is a ping test running to the unknown device... watch for it to go offline and you should be able to narrow it down
If the device is wifi and you are able to successfully force-disconnect it, you can hopefully go around and find out what breaks.
Don't forget that these randomized MAC addresses can come from lots of devices. Most Apple products do it - Macs/iPhones/iPads, and even other devices like the Apple Watch and possibly even the Apple TV. If you've recently upgraded the OS on one of them and/or reset it to defaults, that could certainly cause it to come up with the randomized addresses. Android does this, too -- and it's in a lot of places... you may have a smart TV with Android and all sorts of other devices. My cycling computer/head unit even runs Android, so again, it could be really any piece of equipment.
I wouldn't call this an issue. The excessive logging can be an issue, but I am pretty sure the 'quietdhcp' option exists for cases like this.
Other than that, the requests are far enough apart that it wouldn't cause any saturation on your router and DHCP is operating normally.
Like in my case, I believe it's due to wake ups on power-saving devices. They probably request DHCP info in order to validate their interface(s) after waking up.
As for new devices, just because you haven't brought any new devices to your network doesn't mean your smartphones (which are constantly updating themselves in the background) didn't change their behaviors.
EDIT: Interesting to note that yours appear to always be on 1 minute intervals. The ones spammed in my router are arbitrary (between 20 seconds to 3 minutes) and are more consistent with my theory of wake ups.
The only Apple device that is currently in the house is my sons work phone. We checked it but it isn't the device. It's turned off.
All the other usual suspect (Android) are known to the router and are logged on or "sleeping".
Without testing it (but will test tomorrow to be absolutely sure) i'm confident it can not be a wired connection (checked all ethernet port).
This bugs me. Apparently nothing changed but still.....
Since it's always on the same interval (unlike mine) and is not a DHCPREQUEST, but rather a DHCPDISCOVER, this might be a timeout followed by a re-attempt to acquire an address.
Your DHCP server seems to be sending the offer just fine, but it seems the device at the other end is somehow failing to see it.
Did you try a reverse dns lookup on the ip address? Is it assigned to /tmp/dhcp.leases?