Wondering if this is just the DHCP request and, if so, should that be showing up on the firewall log? I am behind a router, so could this be an intrusion that got through the router firewall?
Agreed. Also notice the twelve-hour (almost exactly) time between them.
Many home routers have DHCP leases for twenty-four hours, and most of the
time a client will try to renew at half that time. Either way the
regularity is likely not a coincidence and the only thing left to do to
really find out what is going on is to fire up a LAN trace before it
happens that runs until after it happens, tonight around 22:00 (10 p.m.).
    sudo /usr/sbin/tcpdump -n -s 0 -w /tmp/dhcp.cap port 67 or port 68
The resulting file should be pretty interesting. It may include your
system trying to automatically refresh which would be interesting to see.
If you post the file somewhere I’ll look through it and we’ll go from
there. A secure location is ftp://ftp.novell.com/incoming/ (not able to
be browsed, btw, just uploaded to). You can open it too with something
like Wireshark (available via repos).
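
Added example, not part of the original posts: a standard-library Python sketch that reads a capture like the one the tcpdump command above writes and lists each DHCP message with its lease time and the expected renewal time (half the lease), so the twelve-hour pattern can be checked against the firewall log. It assumes a classic little-endian pcap from an Ethernet interface; all function names and the sample capture are constructed for illustration.

```python
import struct

TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}

def read_pcap(data):
    """Yield (epoch_seconds, frame) from a little-endian Ethernet pcap file."""
    magic, linktype = struct.unpack("<I16xI", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("not a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, caplen, _wire = struct.unpack("<4I", data[off:off + 16])
        yield ts, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def parse_dhcp(frame):
    """Return (type, ciaddr, lease_seconds) for an IPv4/UDP DHCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    bootp = frame[14 + (frame[14] & 0x0F) * 4 + 8:]        # skip Ethernet, IP, UDP
    if len(bootp) < 240 or bootp[236:240] != b"\x63\x82\x53\x63":  # magic cookie
        return None
    opts, i = {}, 240
    while i + 1 < len(bootp) and bootp[i] != 255:          # 255 = end option
        size = 0 if bootp[i] == 0 else 2 + bootp[i + 1]    # 0 = one-byte pad
        if size:
            opts[bootp[i]] = bootp[i + 2:i + size]
        i += size or 1
    mtype = TYPES.get((opts.get(53) or b"\x00")[0], "OTHER")
    lease = int.from_bytes(opts[51], "big") if 51 in opts else None
    return mtype, ".".join(map(str, bootp[12:16])), lease

def dhcp_events(pcap_bytes):
    """List (time, type, ciaddr, lease, expected_renewal) per DHCP packet."""
    events = []
    for ts, frame in read_pcap(pcap_bytes):
        if (hit := parse_dhcp(frame)):  # RFC 2131: T1 defaults to half the lease
            events.append((ts, *hit, ts + hit[2] // 2 if hit[2] else None))
    return events

def sample_pcap():
    """Constructed capture: a renewal REQUEST and its ACK (24 h lease); dummy headers."""
    def frame(mtype, lease=None):
        opts = bytes([53, 1, mtype]) + (b"\x33\x04" + struct.pack("!I", lease) if lease else b"")
        bootp = bytes(12) + bytes([192, 168, 1, 50]) + bytes(220) + b"\x63\x82\x53\x63" + opts + b"\xff"
        return bytes(12) + b"\x08\x00\x45" + bytes(8) + b"\x11" + bytes(18) + bootp
    body = b"".join(struct.pack("<4I", 1700000000, 0, len(f), len(f)) + f
                    for f in (frame(3), frame(5, 86400)))
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body
```

On a real capture, call dhcp_events(open("/tmp/dhcp.cap", "rb").read()). A REQUEST with a non-zero ciaddr followed by an ACK is what a lease renewal looks like.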