DHCP Lease Parser

Parse DHCP server lease files and logs to extract IP ↔ MAC address mappings. Supports ISC dhcpd.leases, dnsmasq, syslog DHCPACK, and generic formats — with direct MAC manufacturer lookup and CVE vulnerability scanning.

Last updated:

ISC dhcpd.leases dnsmasq leases syslog DHCPACK Generic IP+MAC lines

📄Input

📄
Drop your lease file here or browse
.leases, .log, .txt, .conf
or paste directly

MAC Address Lookup

Identify manufacturers and check CVE vulnerabilities from any MAC address.

EUI-64 Decoder

Extract MAC addresses from IPv6 EUI-64 interface identifiers.

IP Address Lookup

Investigate IP addresses for geolocation, ISP, ASN, and threat data.

Wireless & Network

Search WiFi networks, cell towers, and network infrastructure.

How Do You Parse DHCP Lease Files for Network Forensics?

Max Intel's DHCP Lease Parser extracts IP-to-MAC address mappings from four common DHCP log formats, enabling rapid device attribution during incident response. According to NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response), DHCP logs are among the most critical evidence sources for establishing which physical device held a given IP address at a specific time. The SANS DFIR methodology identifies DHCP lease correlation as a foundational step in any network intrusion investigation.

What DHCP Formats Are Supported?

The parser handles ISC DHCP server lease files (dhcpd.leases) containing lease blocks with hardware ethernet directives, dnsmasq epoch-based lease lines, syslog DHCPACK entries commonly found in /var/log/syslog, and a generic fallback that extracts any line containing both an IPv4 address and a MAC address. According to the Internet Systems Consortium, ISC DHCP remains deployed on over 60% of enterprise DHCP servers worldwide, making dhcpd.leases the most commonly encountered format in forensic investigations.

How Does MAC Lookup Integration Work?

Every MAC address extracted from the lease file includes a direct lookup button that passes the address to Max Intel's MAC Address Lookup tool. This performs an instant IEEE OUI manufacturer identification followed by an automated NIST NVD vulnerability scan — transforming a raw DHCP log into an actionable device inventory with manufacturer attribution and known CVE exposure. For enterprise networks with hundreds of devices, the export-to-CSV function enables bulk analysis in spreadsheet tools or SIEM platforms.

DHCP Lease
A temporary assignment of an IP address to a network device, recorded with the device's MAC address, hostname (if provided), and lease duration in the DHCP server's log files.
ISC dhcpd.leases
The lease persistence file used by ISC DHCP Server (the most widely deployed open-source DHCP implementation), containing structured lease blocks with hardware ethernet, hostname, and timing information.
DHCPACK
The final message in the DHCP handshake confirming an IP address assignment to a client. Syslog entries for DHCPACK events record the IP, MAC, and sometimes hostname of the assigned device.
OUI (Organizationally Unique Identifier)
The first 24 bits (3 bytes) of a MAC address, registered with the IEEE by the device manufacturer. OUI lookup reveals the hardware vendor — critical for identifying device types on a network.

📋 DHCP Lease Parser — Frequently Asked Questions

What DHCP lease file formats does this parser support?

The parser handles four formats: ISC dhcpd.leases (lease {} blocks with hardware ethernet), dnsmasq epoch-based lease lines, syslog DHCPACK entries, and a generic fallback that extracts any line containing both an IP address and a MAC address. Files can be uploaded or pasted directly.

How is DHCP lease parsing useful for network forensics?

DHCP lease files map IP addresses to physical device MAC addresses at specific times. During incident response, this establishes which device held a given IP during an event. The extracted MAC addresses can be looked up against IEEE OUI databases to identify device manufacturers and checked against the NIST NVD for known vulnerabilities — creating a complete device attribution and risk assessment pipeline.

Is any data sent to a server when parsing DHCP leases?

No. All parsing happens entirely in the browser using JavaScript. No lease data, MAC addresses, IP addresses, or hostnames are transmitted to any server. The MAC Address Lookup integration works by passing the MAC as a URL parameter to a separate page — only when the user explicitly clicks the lookup button.

MAC Lookup

Network device manufacturer identification.

EUI-64 Decoder

Decode IPv6 interface identifiers.

IP Lookup

IP geolocation and threat intelligence.

MAC Lookup App

Desktop MAC address lookup tool.