BOOTP/DHCP Malformed

Glenn Satchell glenn.satchell at uniq.com.au
Sun May 20 11:23:55 UTC 2012


I seem to recall this was a known problem with particular older Microsoft
clients where the seconds elapsed field is not written in network byte
order. There was a patch put to the list, but don't recall if this was
ever rolled into ISC dhcpd to recognise the reversed bytes and reverse
them internally.

See: https://lists.isc.org/pipermail/dhcp-users/2010-July/012036.html
and
http://wiki.wireshark.org/DHCP#head-838a814984848532459be023c4d9da55a411dff9

Due to the nature of the bug, and widespread distribution in the client
base, I doubt that this is the real cause of your problem.

regards,
-glenn

> Hello,
>
> I have a strange situation here because Wireshark reports a lot of Notes
> for Malformed DHCP Requests coming from users on our network. The details
> for one message look like this:
>
> Severity: Note
> Group: Malformed
> Chats: BOOTP/DHCP
> Details: Seconds elapsed (4) appears to be encoded as little-endian
>
> Bootstrap Protocol
>     Message type: Boot Request (1)
>     Hardware Type: Ethernet
>     Hardware address length: 6
>     Hops: 1
>     Transaction ID: 0x207572a1
> Seconds elapsed: 4
>     [Expert Info (Note/Malformed): Seconds elapsed (4) appears to be
> encoded as little-endian]
>     [Message: Seconds elapsed (4) appears to be encoded as little-endian]
>     [Severity level: Note]
>     [Group: Malformed]
> Bootp flags: 0x8000 (Broadcast)
>     Client IP address: 0.0.0.0 (0.0.0.0)
>     Next server IP address: 0.0.0.0 (0.0.0.0)
>     Relay agent IP address: x.y.z.w (x.y.z.w) [replaced for
> confidentiality]
>     Client MAC address: AsustekC_62:e4:5b (00:22:15:62:e4:5b)
> Client hardware address padding: 00000000000000000000
> Server host name not given
> Boot file name not given
>
> Would anyone be so kind to let me know what is causing the "Malformed"
> detection and what can we do in order to fix this issue.
> We use Sandvine for subscriber mapping and their DPI engine has
> difficulties correctly mapping the dynamically assigned IPs due to these
> Malformed DHCP packets.
>
> Thank you in advance for any answer that can help us fix this problem,
> Julian
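
An added illustration of the byte-order issue discussed in this thread (not code from the original posts, ISC dhcpd or Wireshark): it decodes the fixed BOOTP header and flags a "seconds elapsed" field whose bytes look swapped. The function names, the heuristic threshold and the relay address 192.0.2.1 (redacted in the post) are assumptions; the sample packet is constructed from the header values in the quoted capture.

```python
import struct

# Fixed BOOTP header through chaddr (RFC 951 / RFC 2131 field order).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 44 bytes

def decode_secs(packet: bytes) -> dict:
    """Decode the header and flag a 'secs' field that looks byte-swapped."""
    if len(packet) < BOOTP_LEN:
        raise ValueError("truncated BOOTP header")
    (op, _htype, hlen, _hops, xid, secs_be, flags,
     *_addrs, chaddr) = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    secs_le = struct.unpack_from("<H", packet, 8)[0]
    # Assumed heuristic: wire bytes of the form NN 00 (NN != 0) read as 1..255
    # little-endian but as a multiple of 256 in network order. A client that
    # really has waited 1024 s is indistinguishable, so this is a hint, not proof.
    swapped = 0 < secs_le <= 0xFF
    return {
        "op": op,
        "xid": xid,
        "mac": chaddr[:hlen].hex(":"),
        "broadcast": bool(flags & 0x8000),
        "secs_network_order": secs_be,
        "secs_little_endian": secs_le,
        "looks_swapped": swapped,
        "secs_effective": secs_le if swapped else secs_be,
    }

def build_request(secs_wire: bytes) -> bytes:
    """Constructed sample using the header values shown in the quoted capture."""
    mac = bytes.fromhex("00221562e45b")
    giaddr = bytes([192, 0, 2, 1])  # placeholder; the post redacts the relay address
    return (bytes([1, 1, 6, 1]) + struct.pack("!I", 0x207572A1) + secs_wire
            + struct.pack("!H", 0x8000) + bytes(12) + giaddr + mac.ljust(16, b"\0"))

if __name__ == "__main__":
    # 04 00 = swapped client, 00 04 = conforming client, 00 00 = first attempt
    for wire in (b"\x04\x00", b"\x00\x04", b"\x00\x00"):
        r = decode_secs(build_request(wire))
        print(wire.hex(), r["secs_network_order"], r["secs_effective"], r["looks_swapped"])
```

A parser that only reads the field in network order sees 1024 seconds for the first sample, which matters to any relay or server policy keyed on elapsed time.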



