BOOTP/DHCP Malformed
Glenn Satchell
glenn.satchell at uniq.com.au
Sun May 20 11:23:55 UTC 2012
I seem to recall this was a known problem with particular older microsoft
clients where the seconds elapsed field is not written in network byte
order. There was a patch put to the list, but don't recall if this was
ever rolled into ISC dhcpd to recognise the reversed bytes and reverse
them internally.
See: https://lists.isc.org/pipermail/dhcp-users/2010-July/012036.html
and
http://wiki.wireshark.org/DHCP#head-838a814984848532459be023c4d9da55a411dff9
Due to the nature of the bug, and widespread distribution in the client
base, I doubt that this is the real cause of your problem.
regards,
-glenn
> Hello,
>
> I have a strange situation here because Wireshark reports a lot of Notes
> for Malformed DHCP Requests coming from users on our network. The details
> for one messege look like this:
>
> Severity: Note
> Group: Malformed
> Chats: BOOTP/DHCP
> Details: Seconds elapsed (4) appears to be encoded as little-endian
>
> Bootstrap Protocol
> Message type: Boot Request (1)
> Hardware Type: Ethernet
> Hardware address length: 6
> Hops: 1
> Transaction ID: 0x207572a1
> Seconds elapsed: 4
> [Expert Info (Note/Malformed): Seconds elapsed (4) appears to be
> encoded as little-endian]
> [Message: Seconds elapsed (4) appears to be encoded as little-endian]
> [Severity level: Note]
> [Group: Malformed]
> Bootp flags: 0x8000 (Broadcast)
> Client IP address: 0.0.0.0 (0.0.0.0)
> Next server IP address: 0.0.0.0 (0.0.0.0)
> Relay agent IP address: x.y.z.w (x.y.z.w) [replaced for
> confidentiality]
> Client MAC address: AsustekC_62:e4:5b (00:22:15:62:e4:5b)
> Client hardware address padding: 00000000000000000000
> Server host name not given
> Boot file name not given
>
> Would anyone be so kind to let me know what is causing the "Malformed"
> detection and what can we do in order to fix this issue.
> We use Sandvine for subscribers mapping and their DPI engine has
> dificulties to correct map the dynamic assigned IPs due to these Malformed
> DHCP packets.
>
> Thank you in advance for any answer that can help us fix this problem,
> Julian_______________________________________________
> dhcp-users mailing list
> dhcp-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/dhcp-users
More information about the dhcp-users
mailing list