Undesirable spoofed MAC addresses on WiFi Extenders

If the devices behind the extender are using DHCP from your main router (not the extender) you should see the DHCPDISCOVER/DHCPOFFER/DHCPACCEPT/DHCPACK messages in your log collector. The DHCPDISCOVER will have the actial MAC of the device as its looking for the dhcp server. capture that. Youll then see the dhcpoffer from the DHCP server allocating an IP address to it, and the dhcprequest from the client asking to use it, finally followed by the dhcpack send by the dhcp server saying its given. You can now match IP based on that until the next time it gets a new, you monitoring search should see the change. i use splunk to do this on my home network and it works fine. as i troll the logs from my router, i look for the MAC of the extender, and then run a subsearch of the above for any mac that was assigned an IP to the current IP in the router log.