Devices History
Browse, search, filter, and export the complete record of DHCP events observed by the system.
The Devices History page is your primary investigation tool. Every DHCP packet that passes through the NFQueue processor is logged here with full field detail, and you can slice the data by time, device, message type, protocol version, and dozens of other criteria.
Opening Devices History
Open Operations > Devices History in the sidebar. The page loads with the most recent events from the last 24 hours, sorted newest first.
Summary Cards
The top of the page shows four cards summarising the current time range:
- Total Events — number of DHCP events in the selected window
- Total Analyses — number of LLM analyses that ran on those events
- High Risk — count of devices flagged as high risk by analysis
- Avg Risk — average risk score across analysed devices
Event List View
The main table shows one row per DHCP event, with server-side pagination and a Filters panel above the table.
Each row displays:
| Column | Description |
|---|---|
| Time | When the packet was processed |
| Type | DHCP message type (DISCOVER, REQUEST, RELEASE, INFORM, SOLICIT, ADVERTISE, etc.) |
| Proto | v4 or v6 badge |
| Client MAC | Client hardware address |
| Source IP | The relay or client IP that sent the packet |
| Hostname | Hostname the client advertised (Option 12) |
| XID | Transaction ID linking the DHCP exchange |
| Vendor | Vendor class identifier (Option 60) |
| Requested IP | The IP the client asked for (Option 50) |
| Server IP | The DHCP server that handled the packet (when known) |
| Lease | Granted lease time |
| Mark | nftables mark assigned by the processor (hex) |
| Rule | Which processor rule matched this packet |
The last two narrow columns on each row are action icons:
- Search (magnifier) — filter the table to just the rows that share this XID, so you can see every packet in the same DHCP exchange
- External link — open the Device Details page for the row’s Client MAC
Click any row to expand it. The expanded view shows packet details (op code, hardware type, hop count, flags, ports, destination, assigned IP, boot file, server identifier) for DHCPv4 events, and DHCPv6 details (Client/Server DUID, link and peer addresses, IA addresses, delegated prefixes, preferred and valid lifetimes) for DHCPv6 events.
Sorting
Only the Time, Type, and Client MAC column headers are sortable; click to sort, click again to reverse. The default order is Time, descending (newest first).
Searching for Devices
Use the search bar at the top to find devices by MAC address, hostname, vendor class, IP address, or transaction ID.
The search auto-detects what you are looking for:
- MAC address — Type any MAC prefix like `aa:bb` and matching devices appear instantly. The search uses prefix matching for speed.
- Hostname — Type a hostname fragment like `android` to find all devices whose hostname contains that text (case-insensitive).
- Vendor class — Type a vendor string like `MSFT` to find Microsoft DHCP clients.
- IP address — Type an IPv4 address or prefix like `192.168.1` to find events from that subnet.
- IPv6 address — Type an IPv6 prefix to search link_address, peer_address, and ia_addresses fields.
- XID — Type an 8-character hex transaction ID to find the exact DHCP exchange.
The search returns up to 20 results showing the device’s MAC, hostname, vendor class, last IP, event count, last seen time, and any active enforcement statuses (blocked, denied, throttled, allowed, monitored).
Clicking a Search Result
Click a device in the search results to navigate directly to the Device Details page for that MAC address.
Filtering Events
Narrow results using the filter controls above the event table.
Time Range
Select a start and end time using the date pickers. The default range is the last 24 hours. The maximum queryable range is configured by the administrator (default 365 days). If your range exceeds the maximum, an error message explains the limit.
Message Type
Filter by one or more DHCP message types. Select from the dropdown: DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE, INFORM, DECLINE (DHCPv4) or SOLICIT, ADVERTISE, REQUEST, REPLY, RENEW, REBIND, RELEASE, DECLINE (DHCPv6). You can select multiple types simultaneously.
Protocol Version
Filter by dhcpv4 or dhcpv6 to isolate traffic for one protocol version.
Advanced Filters
Additional filters available through the API or query parameters:
- client_mac — Exact MAC match
- client_mac_contains — Partial MAC match (case-insensitive)
- hostname / hostname_contains / hostname_regex — Exact, partial, or regex hostname match
- vendor_class / vendor_class_contains / vendor_class_regex — Vendor class matching
- source_ip / source_ip_cidr / source_ip_contains — Source IP filtering with CIDR support
- requested_ip — DHCPv4 Option 50 requested IP
- assigned_ip / assigned_ip_cidr — The IP assigned to the client (your_ip for v4, ia_addresses for v6)
- matched_rule / matched_rule_contains — Filter by processor rule name
- has_options — Filter events that include specific DHCP option codes (e.g., `82` for relay agent info)
- option_contains — Search within DHCP option values (e.g., `60:MSFT` finds events where option 60 contains “MSFT”)
- case_sensitive — Set to `true` for case-sensitive text matching (default is case-insensitive)
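Client-side validation for a subset of the filters listed above, so a malformed CIDR, option code, or regex is caught before a request is sent. This is an added example, not the product's own code: the function name is hypothetical, only parameter names shown on this page are used, and the returned query string is meant to be appended to whatever URL your deployment exposes.

```python
import ipaddress
import re
from urllib.parse import urlencode

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)

def _option_code(value):
    """Assumes DHCPv4 numbering: data-carrying options are 1..254 (0 pad, 255 end)."""
    code = int(value)
    if not 1 <= code <= 254:
        raise ValueError(f"option code out of range: {value}")
    return code

def build_filter_query(**filters):
    """Validate documented filters and return a URL-encoded query string."""
    params = {}
    for name, value in filters.items():
        if name == "client_mac":
            if not MAC_RE.match(value):
                raise ValueError(f"not a full MAC address: {value!r}")
        elif name in ("source_ip_cidr", "assigned_ip_cidr"):
            # Normalise host bits away: 192.168.1.7/24 becomes 192.168.1.0/24.
            value = str(ipaddress.ip_network(value, strict=False))
        elif name in ("hostname_regex", "vendor_class_regex"):
            # Local sanity check only; the server's regex dialect may differ.
            re.compile(value)  # raises re.error if malformed
        elif name == "has_options":
            value = str(_option_code(value))
        elif name == "option_contains":
            code, sep, text = value.partition(":")
            if not sep or not text:
                raise ValueError("option_contains must look like '60:MSFT'")
            value = f"{_option_code(code)}:{text}"
        elif name == "protocol":
            if value not in ("dhcpv4", "dhcpv6"):
                raise ValueError(f"unknown protocol: {value!r}")
        elif name == "case_sensitive":
            if not value:
                continue  # case-insensitive is the documented default
            value = "true"
        else:
            raise ValueError(f"filter not handled by this example: {name}")
        params[name] = value
    return urlencode(params)
```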
Pagination
Results are paginated to keep the UI responsive even with millions of events.
- Default page size is configured by the administrator (default 25 events per page).
- Use the page controls at the bottom to navigate: first, previous, next, last.
- The total record count and current page position are displayed.
- Maximum page size is capped server-side at 100 to prevent excessive memory use.
CSV Export
Export filtered events to CSV for offline analysis in spreadsheets or other tools.
Click the Export CSV button to download all events matching your current filters. The export includes every field captured by the system (55 columns including all DHCPv6 fields).
- A record count limit protects against accidentally exporting hundreds of millions of rows. If your filter matches too many records, you see an error suggesting you narrow the time range or add filters.
- Large exports (over 10 million rows) skip sorting to avoid memory issues on the server. A warning header indicates when this occurs.
- The file is streamed directly from ClickHouse, so downloads start immediately even for large exports.
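Hostname (Option 12) and vendor class (Option 60) are values the client chooses, so an exported cell can begin with a character that a spreadsheet treats as the start of a formula. The following added example (not part of the product) neutralises such cells in a downloaded file before it is opened in a spreadsheet; the function names, sample rows, and column names are constructed for illustration.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def neutralise_cell(cell):
    """Prefix a single quote so the spreadsheet displays the text instead of evaluating it."""
    if cell.startswith(FORMULA_TRIGGERS):
        return "'" + cell
    return cell

def sanitise_export(src, dst):
    """Copy CSV rows from src to dst, neutralising every cell; return the number of cells changed."""
    changed = 0
    writer = csv.writer(dst, lineterminator="\n")
    for row in csv.reader(src):
        clean = [neutralise_cell(c) for c in row]
        changed += sum(a != b for a, b in zip(row, clean))
        writer.writerow(clean)
    return changed

# Constructed sample: these header names are illustrative, not the export's real columns.
SAMPLE = (
    "time,client_mac,hostname,vendor_class\n"
    "2024-01-01 10:00:00,aa:bb:cc:00:00:01,laptop-17,MSFT 5.0\n"
    "2024-01-01 10:00:05,aa:bb:cc:00:00:02,=1+1,android-dhcp-13\n"
    "2024-01-01 10:00:09,aa:bb:cc:00:00:03,printer,@vendor\n"
)

def demo():
    """Run the sanitiser over the constructed sample and return (cells changed, cleaned CSV text)."""
    out = io.StringIO()
    changed = sanitise_export(io.StringIO(SAMPLE), out)
    return changed, out.getvalue()

if __name__ == "__main__":
    count, cleaned = demo()
    print(f"{count} cells neutralised")
    print(cleaned, end="")
```

Every column is processed, so the check does not depend on knowing which of the exported fields carry client-supplied text.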
DHCPv6 Considerations
DHCPv6 events appear alongside DHCPv4 events in the same table.
- The Protocol column shows `dhcpv6` for IPv6 events.
- Expanding a DHCPv6 event row reveals additional fields: Client DUID, Server DUID, DUID Type, IA Type, IAID, IA Addresses, IA Prefixes, Delegated Prefix, Preferred/Valid Lifetimes, Link Address, Peer Address, Interface ID, Remote ID, Subscriber ID, and User Class.
- DUID-only clients (those without an extractable MAC address) appear in search results but their MAC column shows a DUID-derived placeholder. These entries are not clickable links to the device details page — this is a known limitation.

Tip: Use the `protocol=dhcpv6` filter to isolate IPv6 traffic when investigating DHCPv6-specific issues.