Weird DHCPINFORM log messages

Curt Rask crask at telesyn.com
Thu Mar 16 20:55:13 UTC 2006


Seems it's based on a similar process (WPAD - Web Proxy Auto-Discovery).
There's a good article on it in Wikipedia:

http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol

Essentially, it allows Internet-capable processes to find proxy 
information without having to be manually configured.  <snippet>
"Before fetching its first page, a web browser implementing this method 
sends the local DHCP server a DHCPINFORM query, and uses the URL from 
the WPAD option in the server's reply."</snippet>

My guess is that the FPAD (Flash Proxy Auto-Discovery) is doing much the 
same thing?  Looking through Macromedia's site didn't offer much by way 
of what it's actually doing, though it did sound like it was a way for a 
flash player to figure out which server or servers to download flash 
content from.

As for why the DHCP server is barfing on these messages, not sure.

Curt



Charles Steinkuehler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> I'm running the ISC dhcp server from Debian stable (sarge), and am
> getting the following odd log messages from the DHCP server:
> 
> Mar 16 09:38:51 furious dhcpd: DHCPINFORM from 4.0.0.0 via eth4: unknown
> subnet 0.0.0.0
> 
> There are no other interesting log entries nearby, so I fired up tcpdump
> to listen to dhcp traffic until I caught some of the offending packets
> (example below).  Of particular interest (to my limited DHCPINFORM
> understanding) are the embedded strings:
> 
>   Macromedia Flash Proxy Auto-Discovery
>   uri=rtmp://fcs.doubleclick.net:80/ondemand5
> 
> Google searches have turned up a few others reporting seeing the same
> log message, but no good hits on either of the embedded content strings.
> 
> Anyone got an idea what spews these packets, and/or why the dhcp server
> is barfing on them?
> 
> Full packet capture follows:
> 
> <tcpdump>
> 
> 23:58:38.532317 IP (tos 0x0, ttl 128, id 29869, offset 0, flags [none],
> length: 397) 10.28.18.100.4048 > 255.255.255.255.67: [udp sum ok]
> BOOTP/DHCP, Request, length: 369, htype-#0, hlen:0,
> xid:0x6e665d77, flags: [none] (0x0000)
>           Vendor-rfc1048:
> 
> VO:116.97.103.61.102.112.97.100.114.101.113.59.116.105.109.101.115.116.97.109.112.61.57.53.56.48.55.52.55.56.54.59.122.111.110.101.61.48.59.117.114.105.61.114.116.109.112.58.47.47.102.99.115.46.100.111.117.98.108.101.99.108.105.99.107.46.110.101.116.58.56.48.47.111.110.100.101.109.97.110.100
>     DHCP:INFORM
>     PR:VO
>     VC:"Macromedia Flash Proxy Auto-Discovery"
> 0x0000:  ffff ffff ffff 00e0 295a f60f 0800 4500  ........)Z....E.
> 0x0010:  018d 74ad 0000 8011 a833 0a1c 1264 ffff  ..t......3...d..
> 0x0020:  ffff 0fd0 0043 0179 8c50 0100 0000 6e66  .....C.y.P....nf
> 0x0030:  5d77 0000 0000 0000 0000 0000 0000 0000  ]w..............
> 0x0040:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x0050:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x0060:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x0070:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x0080:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x0090:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x0100:  0000 0000 0000 0000 0000 0000 0000 0000  ................
> 0x0110:  0000 0000 0000 6382 5363 2b51 7461 673d  ......c.Sc+Qtag=
> 0x0120:  6670 6164 7265 713b 7469 6d65 7374 616d  fpadreq;timestam
> 0x0130:  703d 3935 3830 3734 3738 363b 7a6f 6e65  p=958074786;zone
> 0x0140:  3d30 3b75 7269 3d72 746d 703a 2f2f 6663  =0;uri=rtmp://fc
> 0x0150:  732e 646f 7562 6c65 636c 6963 6b2e 6e65  s.doubleclick.ne
> 0x0160:  743a 3830 2f6f 6e64 656d 616e 6435 0108  t:80/ondemand5..
> 0x0170:  3701 2b3c 254d 6163 726f 6d65 6469 6120  7.+<%Macromedia.
> 0x0180:  466c 6173 6820 5072 6f78 7920 4175 746f  Flash.Proxy.Auto
> 0x0190:  2d44 6973 636f 7665 7279 ff              -Discovery.
> </tcpdump>
> 
> - --
> Charles Steinkuehler
> cstein at newtek.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
> 
> iD8DBQFEGaNnenk4xp+mH40RAuyaAJwLRMeukh+4OmMd5DtatYA3iVMEngCePLBP
> 0xv1/pXKDdJWPEuSxZDKHN0=
> =FYdl
> -----END PGP SIGNATURE-----
> 
> 
> ______________________________________________________________________
> This e-mail has been scanned by MCI Managed Email Content Service, using Skeptic(tm) technology powered by MessageLabs. For more information on MCI's Managed Email Content Service, visit http://www.mci.com.
> ______________________________________________________________________
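
Added example, not part of either message: a decoder for the BOOTP/DHCP payload in the quoted capture, useful when triaging DHCPINFORM broadcasts like this one. The payload bytes are re-typed from the hex dump above; the function names and the `key=value;` reading of option 43 are this example's own assumptions.

```python
import ipaddress
import struct

MAGIC = bytes.fromhex("63825363")  # DHCP magic cookie (RFC 2131)
# Option bytes as they appear from offset 0x011a of the quoted hex dump.
OPTS = (b"+Qtag=fpadreq;timestamp=958074786;zone=0;"
        b"uri=rtmp://fcs.doubleclick.net:80/ondemand5\x01\x08"
        b"7\x01+<%Macromedia Flash Proxy Auto-Discovery\xff")
# Fixed BOOTP header from the dump: op=1, htype=0, hlen=0, hops=0, xid, then zeros.
PAYLOAD = bytes.fromhex("010000006e665d77") + bytes(228) + MAGIC + OPTS

def parse_dhcp(payload):
    """Return (header dict, {option code: raw value}) for a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    hdr = {"op": op, "htype": htype, "hlen": hlen, "xid": xid}
    for name, off in (("ciaddr", 12), ("yiaddr", 16), ("siaddr", 20), ("giaddr", 24)):
        hdr[name] = str(ipaddress.IPv4Address(payload[off:off + 4]))
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:          # End option
            break
        if code == 0:            # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        opts[code] = value
        i += 2 + length
    return hdr, opts

def summarize(payload):
    hdr, opts = parse_dhcp(payload)
    # The key=value;... layout of option 43 is read off the capture, not a spec.
    pairs = (p.partition("=") for p in opts.get(43, b"").decode("ascii", "replace").split(";"))
    return {
        "msg_type": opts.get(53, b"\x00")[0],   # 8 = DHCPINFORM
        "requested": list(opts.get(55, b"")),
        "vendor_class": opts.get(60, b"").decode("ascii", "replace"),
        "vendor_info": {k: v for k, _, v in pairs},
        **hdr,
    }

if __name__ == "__main__":
    for key, value in summarize(PAYLOAD).items():
        print(key, "=", value)
```

Option 43 carries a length byte of 0x51 (81), so its value ends at `.../ondemand`; the `5` that follows in the ASCII column is option code 53 with value 8 (DHCPINFORM), which agrees with tcpdump's own `VO:` list ending in 100 (`d`). The decoded header has htype 0, hlen 0, and both ciaddr and giaddr set to 0.0.0.0.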



More information about the dhcp-users mailing list