BOOTP/DHCP Malformed

ic.nssip ic.nssip at northwestel.net
Tue May 22 16:03:12 UTC 2012


Hi Glenn,

At some point I thought it is a problem with Wireshark DHCP Dissector, but I 
couldn't find anything which said that such a bug was ever found or/and 
fixed.

Thank you,
Julian



----- Original Message ----- 
From: "Glenn Satchell" <glenn.satchell at uniq.com.au>
To: "Users of ISC DHCP" <dhcp-users at lists.isc.org>
Sent: Sunday, May 20, 2012 4:23 AM
Subject: Re: BOOTP/DHCP Malformed


> I seem to recall this was a known problem with particular older Microsoft
> clients where the seconds elapsed field is not written in network byte
> order. There was a patch put to the list, but don't recall if this was
> ever rolled into ISC dhcpd to recognise the reversed bytes and reverse
> them internally.
>
> See: https://lists.isc.org/pipermail/dhcp-users/2010-July/012036.html
> and
> http://wiki.wireshark.org/DHCP#head-838a814984848532459be023c4d9da55a411dff9
>
> Due to the nature of the bug, and widespread distribution in the client
> base, I doubt that this is the real cause of your problem.
>
> regards,
> -glenn
>
>> Hello,
>>
>> I have a strange situation here because Wireshark reports a lot of Notes
>> for Malformed DHCP Requests coming from users on our network. The details
>> for one message look like this:
>>
>> Severity: Note
>> Group: Malformed
>> Chats: BOOTP/DHCP
>> Details: Seconds elapsed (4) appears to be encoded as little-endian
>>
>> Bootstrap Protocol
>>     Message type: Boot Request (1)
>>     Hardware Type: Ethernet
>>     Hardware address length: 6
>>     Hops: 1
>>     Transaction ID: 0x207572a1
>>     Seconds elapsed: 4
>>     [Expert Info (Note/Malformed): Seconds elapsed (4) appears to be encoded as little-endian]
>>     [Message: Seconds elapsed (4) appears to be encoded as little-endian]
>>     [Severity level: Note]
>>     [Group: Malformed]
>>     Bootp flags: 0x8000 (Broadcast)
>>     Client IP address: 0.0.0.0 (0.0.0.0)
>>     Next server IP address: 0.0.0.0 (0.0.0.0)
>>     Relay agent IP address: x.y.z.w (x.y.z.w) [replaced for confidentiality]
>>     Client MAC address: AsustekC_62:e4:5b (00:22:15:62:e4:5b)
>>     Client hardware address padding: 00000000000000000000
>>     Server host name not given
>>     Boot file name not given
>>
>> Would anyone be so kind to let me know what is causing the "Malformed"
>> detection and what can we do in order to fix this issue.
>> We use Sandvine for subscribers mapping and their DPI engine has
>> difficulties to correctly map the dynamically assigned IPs due to these
>> Malformed DHCP packets.
>>
>> Thank you in advance for any answer that can help us fix this problem,
>> Julian
>> _______________________________________________
>> dhcp-users mailing list
>> dhcp-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/dhcp-users
>
>
> 
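
An added example, not part of the original thread and not code from ISC dhcpd or Wireshark: it parses the fixed BOOTP header and flags a `secs` field that looks byte-swapped, as in the capture quoted above. The packet is constructed from the values in that capture with a placeholder relay address, and the test "non-zero and fits in one byte when read little-endian" is an assumed heuristic chosen to match the wording of the Wireshark note.

```python
import struct

# Fixed BOOTP header (RFC 951 layout): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file. Options follow it.
BOOTP_FMT = "!BBBBI2sH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 236 bytes


def build_bootrequest(secs_wire: bytes) -> bytes:
    """Constructed sample packet using the field values shown in the capture."""
    chaddr = bytes.fromhex("00221562e45b") + bytes(10)  # MAC + 10 bytes padding
    giaddr = bytes([192, 0, 2, 1])  # placeholder: the thread redacts the relay IP
    return struct.pack(BOOTP_FMT, 1, 1, 6, 1, 0x207572A1, secs_wire, 0x8000,
                       bytes(4), bytes(4), bytes(4), giaddr, chaddr,
                       bytes(64), bytes(128))


def parse_secs(packet: bytes) -> dict:
    """Read secs under both byte orders and pick a best-guess value."""
    if len(packet) < BOOTP_LEN:
        raise ValueError("truncated BOOTP header")
    fields = struct.unpack(BOOTP_FMT, packet[:BOOTP_LEN])
    xid, raw = fields[4], fields[5]
    be = int.from_bytes(raw, "big")     # network byte order, per the RFC
    le = int.from_bytes(raw, "little")  # what a byte-swapping client sent
    # Assumed heuristic: wire bytes 04 00 are far more likely a swapped "4"
    # than a client that has waited exactly 1024 s. This stays a guess,
    # because 04 00 is also a valid big-endian value.
    swapped = 0 < le <= 0xFF
    return {"xid": xid, "big_endian": be, "little_endian": le,
            "suspect_little_endian": swapped,
            "normalized": le if swapped else be}


if __name__ == "__main__":
    for wire in (b"\x04\x00", b"\x00\x04", b"\x00\x00", b"\x01\x02"):
        print(wire.hex(), parse_secs(build_bootrequest(wire)))
```
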