Home Support Store Academy Sign In
Overview
System
Network
Services
Identities
Policies
Billing
Archives
Instruments
Installation
Lab Manual
Portal Customization
RESTful API
Miscellaneous
View as one page

MAC DHCP DNS

The MAC-DHCP-DNS scaffold allows the operator of the rXg to quickly find/search information about the current MAC Entries, DHCP Leases, and DNS Cache Records. It also provides the operator the status of the DHCP Shared Network Stats, and the status of the configured DHCP Pools.

Note: In cluster deployments, a Cluster Node field is displayed in applicable scaffolds to indicate which node the entry belongs to.

MAC Entries

MAC Entries displays information about devices connected to the rXg. The IP field shows the device's IP address. The MAC field displays the hardware MAC address. The Vendor field shows the manufacturer identified from the MAC address OUI. The If field indicates the network interface. The Expires At field shows when the ARP entry will expire. The Interface and VLAN fields link to the corresponding rXg configuration. The IP6 field indicates whether this is an IPv6 entry.

DHCP Leases

DHCP Leases provides the operator with a list of the current DHCP leases assigned to client devices. The Start field shows when the lease was issued. The IP field displays the assigned IP address. The Client Identifier field shows the unique identifier provided by the DHCP client. The Identifier Type field indicates the type of client identifier used. The Resolved Hostname field displays the hostname if it could be resolved.

The Shared Network field shows which DHCP shared network the lease belongs to. The DHCP Pool field indicates the specific pool from which the address was assigned. The Interface and VLAN fields show the network segment. The IP6 field indicates whether this is an IPv6 lease.

The Fixed Host action provides the operator the ability to quickly create a fixed host reservation for the device. It should be noted that any address assigned to a fixed host should fall outside the range of any configured DHCP pool.

DHCP Fingerprinting

The rXg captures DHCP fingerprinting information from client devices during the DHCP negotiation process. This passive identification technique allows the system to determine device operating systems and types without requiring any user interaction or HTTP traffic.

How DHCP Fingerprinting Works

When a device connects to the network and requests an IP address via DHCP, it sends a DHCPDISCOVER or DHCPREQUEST message containing DHCP Option 55 (Parameter Request List). This option specifies which DHCP options the client would like the server to include in its response. Different operating systems and device types request different combinations of options in a specific order, creating a unique "fingerprint" that can identify the device type.

The rXg DHCP server captures this fingerprint using the ISC DHCP binary-to-ascii function to convert the option codes into a comma-separated decimal string format (e.g., "1,121,33,3,6,12,15,28,51,58,59").

Fingerprint Data Fields

The following fingerprinting-related fields are captured for each DHCP lease and are visible in the detailed view:

  • Parameter Request List: The core fingerprint data consisting of DHCP option codes requested by the client. Example fingerprints include:

    • 1,121,3,6,15,108,114,119,252 - Apple iOS/macOS devices
    • 1,15,3,6,44,46,47,31,33,121,249,43 - Microsoft Windows Vista/7/Server 2008
    • 1,121,33,3,6,12,15,28,51,58,59,119 - Generic Android devices
    • 1,2,3,4,5,6,11,12,13,15,16,17,18,22,23,28,40,41,42,43,50,51,54,58,59,60,66,67,128,129,130,131,132,133,134,135 - PXE boot clients

  • Vendor Class Identifier: DHCP Option 60, a string sent by clients to identify the vendor and functionality. Common examples:

    • MSFT 5.0 - Microsoft Windows
    • android-dhcp-10 - Android version 10
    • dhcpcd - Linux DHCP client daemon
    • udhcp - Lightweight DHCP client (embedded devices)

  • User Class: DHCP Option 77, an optional identifier indicating the type of user or device class. This is less commonly used but can provide additional classification data.

Device Type Identification

The rXg maintains a comprehensive fingerprint database containing over 900 known device signatures, combining data from the Fingerbank project with patterns observed in production deployments. When identifying a device, the system uses a priority-based lookup:

  1. HTTP User Agent (highest priority): If the device has generated HTTP traffic through the captive portal or proxy, the browser's User-Agent string provides precise OS identification.

  2. DHCP Fingerprint (fallback): If no HTTP User Agent data is available, the Parameter Request List fingerprint is matched against the known signature database.

  3. Default: If no match is found, the device is classified as "Other".

The system generalizes detailed OS versions into broad categories for reporting purposes: Windows, Mac, iOS, Android, Chrome OS, Kindle, Blackberry, Linux, and Other.

Fingerprint Data Preservation

DHCP fingerprint data is preserved even after leases expire. When a lease ends, all fingerprint fields are copied to the Expired DHCP Leases archive (accessible under Archives DHCP and DNS Logs). This allows for historical device type analysis and ensures fingerprint data remains available for:

  • Device identification on subsequent connections
  • Historical usage reports by device type
  • Trend analysis of device populations over time

Integration with Other rXg Features

DHCP fingerprinting integrates with several rXg subsystems:

  • DHCP Classes and Match Rules: Create DHCP classes that match on dhcp-parameter-request-list to apply different DHCP options or pool assignments based on device type. Configure these under Services DHCP.

  • Reports and Analytics: The fingerprint data powers device type breakdowns in RADIUS usage reports, showing data consumption and session statistics grouped by operating system type.

  • Captive Portal: Fingerprint data is exposed via the captive portal API, allowing custom portal implementations to adapt behavior based on detected device type.

  • Device Sessions: The Field Operations Manager (FOM) uses fingerprint data to display device types when detailed HTTP User Agent data is unavailable.

IPv6 Limitations

DHCP fingerprinting is currently supported for DHCPv4 (IPv4) leases only. DHCPv6 uses a different protocol structure where the equivalent option (Option 6, also known as ORO or Option Request Option) is not currently captured by the rXg.

For IPv6 devices, the rXg identifies clients using the DUID (DHCP Unique Identifier) rather than fingerprinting. The DUID is a unique identifier assigned to each DHCPv6 client and is stored in the Client Identifier field for IPv6 leases. The rXg supports all four DUID types defined in RFC 3315:

  • DUID-LLT (Type 1): Link-layer address plus time
  • DUID-EN (Type 2): Vendor-assigned unique ID based on Enterprise Number
  • DUID-LL (Type 3): Link-layer address only
  • DUID-UUID (Type 4): UUID-based identifier (RFC 6355)

While DUIDs provide unique client identification for IPv6, they do not enable operating system or device type detection like DHCPv4 fingerprinting does. For IPv6 devices, device type identification relies primarily on HTTP User Agent data when available.

Viewing Fingerprint Information

To view the fingerprinting information for a specific lease, click on the show action for that lease in the DHCP Leases table. The detailed view displays all DHCP options including Parameter Request List, Vendor Class Identifier, User Class, and additional relay agent information (Agent Circuit ID and Agent Remote ID) if present. For IPv6 leases, the DUID is displayed in the Client Identifier field.

DNS Cache Records

The DNS Cache Records scaffold displays the current entries in the rXg DNS cache. The Updated At field shows when the record was last refreshed. The Name field displays the fully qualified domain name. The Root Domain field shows the top-level domain portion. The Record Type field indicates the DNS record type (A, AAAA, CNAME, MX, etc.). The Data field displays the record data (e.g., the resolved IP address). The IP field shows the IP address if applicable. The Expires At field indicates when the cached record will expire. The IP6 field indicates whether this is an IPv6 record.

DHCP Shared Network Stats

DHCP Shared Network Stats displays statistics for each DHCP shared network. The Name field shows the shared network name. The Size field indicates the total number of addresses available in the network. The Active field shows the number of addresses currently leased. The Available field displays the remaining unleased addresses. The Interface and VLAN fields indicate which network segment the shared network serves.

DHCP Pool Stats

DHCP Pool Stats displays statistics for each configured DHCP pool. The DHCP Pool field shows the pool name. The Size field indicates the total number of addresses in the pool. The Active field shows the number of addresses currently leased from the pool. The Available field displays the remaining unleased addresses in the pool.

About

RG Nets is the premium provider of gateways and centralized-authentication appliances designed to manage, provision, and protect revenue-generating networks. Our mission is to create tools that are so good, we would use our own money to buy them.

Company Links

Contact

316 California Ave.
Suite 331
Reno, NV 89509
+1 (408) 441 0100
[email protected]
Copyright 2026 RG Nets, Inc.
v2026.02-58-gcff8c
Cookies help us deliver our services. By using our services, you agree to our use of cookies.