I am writing a script to export information regarding all active DHCP leases on a server and I would like to have the timestamp of when the lease was created. Unfortunately, the DHCP service we use does not provide that information, only the expire time.
Can I get away with subtracting the lease length from the expire time to get the creation time? Or is there a situation where the expire time may change that doesn't result from a renew.
Best Answer
Yes you can subtract the lease length from the expiration time. However be aware that leases generally renew at the lease half life. For example, a DHCP client that has a 4 hour lease will try to renew the lease after only 2 hours. So technically that client will have the lease for 6 hours and maybe even longer if it keeps renewing it. So as long as you don't care about the total length and are satisfied with just the last renewal then that math will work out for you.
However most DHCP servers have the ability to log all activity. For example Windows DHCP calls it Audit Logging. Once enabled it logs all lease activity to C:\Windows\System32\Dhcp. Those logs are the true source of DHCP activity. It will log when a lease was obtained, released and renewed. Security guys love this data as it will help them find what MAC address owned a particular IP at a certain time/date.