Weird DHCPINFORM log messages

Charles Steinkuehler cstein at newtek.com
Thu Mar 16 17:41:59 UTC 2006



I'm running the ISC dhcp server from Debian stable (sarge), and am
getting the following odd log messages from the DHCP server:

Mar 16 09:38:51 furious dhcpd: DHCPINFORM from 4.0.0.0 via eth4: unknown subnet 0.0.0.0

There are no other interesting log entries nearby, so I fired up tcpdump
to listen to dhcp traffic until I caught some of the offending packets
(example below).  Of particular interest (to my limited DHCPINFORM
understanding) are the embedded strings:

  Macromedia Flash Proxy Auto-Discovery
  uri=rtmp://fcs.doubleclick.net:80/ondemand5

Google searches have turned up a few others reporting seeing the same
log message, but no good hits on either of the embedded content strings.

Anyone got an idea what spews these packets, and/or why the dhcp server
is barfing on them?

Full packet capture follows:

<tcpdump>

23:58:38.532317 IP (tos 0x0, ttl 128, id 29869, offset 0, flags [none],
length: 397) 10.28.18.100.4048 > 255.255.255.255.67: [udp sum ok]
BOOTP/DHCP, Request, length: 369, htype-#0, hlen:0,
xid:0x6e665d77, flags: [none] (0x0000)
          Vendor-rfc1048:

    VO:116.97.103.61.102.112.97.100.114.101.113.59.116.105.109.101.115.116.97.109.112.61.57.53.56.48.55.52.55.56.54.59.122.111.110.101.61.48.59.117.114.105.61.114.116.109.112.58.47.47.102.99.115.46.100.111.117.98.108.101.99.108.105.99.107.46.110.101.116.58.56.48.47.111.110.100.101.109.97.110.100
    DHCP:INFORM
    PR:VO
    VC:"Macromedia Flash Proxy Auto-Discovery"
0x0000:  ffff ffff ffff 00e0 295a f60f 0800 4500  ........)Z....E.
0x0010:  018d 74ad 0000 8011 a833 0a1c 1264 ffff  ..t......3...d..
0x0020:  ffff 0fd0 0043 0179 8c50 0100 0000 6e66  .....C.y.P....nf
0x0030:  5d77 0000 0000 0000 0000 0000 0000 0000  ]w..............
0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0100:  0000 0000 0000 0000 0000 0000 0000 0000  ................
0x0110:  0000 0000 0000 6382 5363 2b51 7461 673d  ......c.Sc+Qtag=
0x0120:  6670 6164 7265 713b 7469 6d65 7374 616d  fpadreq;timestam
0x0130:  703d 3935 3830 3734 3738 363b 7a6f 6e65  p=958074786;zone
0x0140:  3d30 3b75 7269 3d72 746d 703a 2f2f 6663  =0;uri=rtmp://fc
0x0150:  732e 646f 7562 6c65 636c 6963 6b2e 6e65  s.doubleclick.ne
0x0160:  743a 3830 2f6f 6e64 656d 616e 6435 0108  t:80/ondemand5..
0x0170:  3701 2b3c 254d 6163 726f 6d65 6469 6120  7.+<%Macromedia.
0x0180:  466c 6173 6820 5072 6f78 7920 4175 746f  Flash.Proxy.Auto
0x0190:  2d44 6973 636f 7665 7279 ff              -Discovery.
</tcpdump>

--
Charles Steinkuehler
cstein at newtek.com
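
Added example, not part of the original message: a small decoder for the DHCP options field of the captured packet, using the bytes from the hex dump above starting at the magic cookie (the function and constant names are this example's own). Walking the code/length/value fields shows that option 43 is 81 bytes long and ends at `/ondemand`; the `5` that follows it in the ASCII column is byte 0x35, the code of option 53 (message type 8, DHCPINFORM).

```python
# Options field of the captured DHCPINFORM, copied from the hex dump above
# (frame offset 0x0116, the magic cookie, through the final 0xff).
OPTIONS_HEX = """
6382 5363 2b51 7461 673d
6670 6164 7265 713b 7469 6d65 7374 616d
703d 3935 3830 3734 3738 363b 7a6f 6e65
3d30 3b75 7269 3d72 746d 703a 2f2f 6663
732e 646f 7562 6c65 636c 6963 6b2e 6e65
743a 3830 2f6f 6e64 656d 616e 6435 0108
3701 2b3c 254d 6163 726f 6d65 6469 6120
466c 6173 6820 5072 6f78 7920 4175 746f
2d44 6973 636f 7665 7279 ff
"""
MAGIC_COOKIE = bytes.fromhex("63825363")
NAMES = {43: "vendor-specific (VO)", 53: "DHCP message type",
         55: "parameter request list (PR)", 60: "vendor class id (VC)"}


def parse_options(raw):
    """Walk the RFC 2132 code/length/value options after the magic cookie."""
    if raw[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = [], 4
    while i < len(raw):
        code = raw[i]
        if code == 255:          # End option: nothing after it is parsed
            break
        if code == 0:            # Pad option: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option %d has no length byte" % code)
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        options.append((code, value))
        i += 2 + length
    return options


def decode_capture():
    """Parse the options bytes embedded above."""
    return parse_options(bytes.fromhex("".join(OPTIONS_HEX.split())))


if __name__ == "__main__":
    for code, value in decode_capture():
        print(code, NAMES.get(code, "unknown"), len(value), value)
```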

