origin of bootp requests - TCP-IP


  1. origin of bootp requests

    Hello,

    I apologize if this is a wrong group for the following question, in
    which case I would appreciate directing me to a more appropriate
    place.

    For the last two months, I see an increasing number of bootp
    broadcast UDP requests on the segment of my home network between the
    gateway machine and ADSL modem. The MAC address from which the requests
    originate does not match the network interfaces on either the ADSL
    modem or the gateway machine.

    What can it be? How can I pinpoint the origin of those requests?

    Cheers, Pasha.


  2. Re: origin of bootp requests

    On Aug 27, 5:49 am, Pasha Zusmanovich wrote:
    > Hello,
    >
    > I apologize if this is a wrong group for the following question, in
    > which case I would appreciate directing me to a more appropriate
    > place.
    >
    > For the last two months, I see an increasing number of bootp
    > broadcast UDP requests on the segment of my home network between the
    > gateway machine and ADSL modem. The MAC address from which the requests
    > originate does not match the network interfaces on either the ADSL
    > modem or the gateway machine.
    >
    > What can it be? How can I pinpoint the origin of those requests?
    >
    > Cheers, Pasha.


    Don't routers contain code to forward bootp requests? Such requests
    should get a new MAC address as they leave the gateway, though. Do the
    requests continue if you power down the ADSL modem? Then they must
    originate in the gateway. Do the MAC addresses match any other
    machines on your LAN? Do they stop if you disconnect the modem from
    the WAN? Do the requests exist on the LAN side? If they come from
    beyond the modem, that might indicate some carelessness at the ISP, I
    suppose. Is any of this a problem?

    Daniel Feenberg


  3. Re: origin of bootp requests

    On Aug 30, 11:38 am, feenb...@gmail.com wrote:
    > On Aug 27, 5:49 am, Pasha Zusmanovich wrote:
    >
    > > Hello,
    > >
    > > I apologize if this is a wrong group for the following question, in
    > > which case I would appreciate directing me to a more appropriate
    > > place.
    > >
    > > For the last two months, I see an increasing number of bootp
    > > broadcast UDP requests on the segment of my home network between the
    > > gateway machine and ADSL modem. The MAC address from which the requests
    > > originate does not match the network interfaces on either the ADSL
    > > modem or the gateway machine.
    > >
    > > What can it be? How can I pinpoint the origin of those requests?




    Thanks for the reply.

    > Don't routers contain code to forward bootp requests? Such requests
    > should get a new MAC address as they leave the gateway, though.


    Hm, interesting, I missed this possibility. Is that a common practice
    (to assign a new MAC address)? Why is it done? According to what
    algorithm is this new MAC address assigned?

    > Do the
    > requests continue if you power down the ADSL modem? Then they must


    I don't know. As the requests occur irregularly, to make a reliable
    conclusion, I should sit a considerably long time (probably a few days)
    without an internet connection, which I don't want to do. And I am pretty
    sure this does not originate on my internal network (see below).

    > originate in the gateway. Do the MAC addresses match any other
    > machines on your LAN?


    No.

    > Do they stop if you disconnect the modem from
    > the WAN?


    Same as above.

    > Do the requests exist on the LAN side?


    No.

    > If they come from
    > beyond the modem, that might indicate some carelessness at the ISP, I
    > suppose.


    I think so. Since the original post, I tried to dig a bit further. The
    tcpdump output of intercepted packets looks like this:

    20:29:01.063780 IP (tos 0x0, ttl 128, id 6, offset 0, flags [none], proto UDP (17), length 328) 0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:02:96:05:a5:6c (oui Unknown), length 300, xid 0xfeacebc9, Flags [none] (0x0000)
        Client-Ethernet-Address 00:02:96:05:a5:6c (oui Unknown)
        Vendor-rfc1048 Extensions
          Magic Cookie 0x63825363
          DHCP-Message Option 53, length 1: Discover
          NOAUTO Option 116, length 1: Y
          Client-ID Option 61, length 7: ether 00:02:96:05:a5:6c
          Requested-IP Option 50, length 4: 169.254.29.32
          Hostname Option 12, length 8: "DFYW8G1J"
          Vendor-Class Option 60, length 8: "MSFT 5.0"
          Parameter-Request Option 55, length 11:
            Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
            Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
            Static-Route, Option 249, Vendor-Option

    So those are DHCP requests, not BOOTP ones. This, plus some googling,
    suggests this is a faulty behavior of Microsoft (RAS?) servers.

    I am planning to install a DHCP server and try to give it a lease to
    catch it.

    > Is any of this a problem?


    Probably not, but I am paranoid.

    > Daniel Feenberg




  4. Re: origin of bootp requests

    Pasha Zusmanovich writes:

    > On Aug 30, 11:38 am, feenb...@gmail.com wrote:
    >> On Aug 27, 5:49 am, Pasha Zusmanovich wrote:
    >>
    >> Don't routers contain code to forward bootp requests? Such requests
    >> should get a new MAC address as they leave the gateway, though.

    >
    > Hm, interesting, I missed this possibility. Is that a common practice
    > (to assign a new MAC address)? Why is it done? According to what
    > algorithm is this new MAC address assigned?


    Many routers can be configured with a DHCP server's IP address. When
    they receive a DHCP request, they forward it to the configured server.

    > So those are DHCP requests, not BOOTP ones.


    Generally speaking, these days "DHCP" and "BOOTP" are used
    interchangeably, although once in a while one needs to consider ancient
    code that actually does speak BOOTP and not its extension, DHCP.

    -don
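
    Added example, not part of any post in this thread: a Python parser for the UDP payload of a BOOTP/DHCP message that reports the fields the thread relies on to trace an unknown sender (chaddr, giaddr as the relay indicator, option 53 to tell DHCP from plain BOOTP, hostname, vendor class, requested IP). The function names are assumptions, and the sample packet is constructed from the values printed in the tcpdump output above.

```python
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")  # "Magic Cookie 0x63825363" in the dump
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
              5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}

def parse_bootp(payload: bytes) -> dict:
    """Summarise the UDP payload of a BOOTP/DHCP message (RFC 951 / RFC 2131)."""
    if len(payload) < 236:
        raise ValueError("shorter than the fixed 236-byte BOOTP header")
    op, _htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    info = {"op": op, "hops": hops, "xid": xid,
            "giaddr": ".".join(map(str, payload[24:28])),
            "chaddr": payload[28:28 + min(hlen, 16)].hex(":"),
            "protocol": "BOOTP", "options": {}}
    # A relay agent fills in giaddr; 0.0.0.0 means the sender is on this segment.
    info["relayed"] = info["giaddr"] != "0.0.0.0"
    if payload[236:240] != MAGIC_COOKIE:
        return info                      # no RFC 1048 options area at all
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = End option
        code = payload[i]
        if code == 0:                    # Pad is a single byte with no length
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"option {code} runs past the end of the packet")
        info["options"][code] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    opts = info["options"]
    if len(opts.get(53, b"")) == 1:      # option 53 present: DHCP, not plain BOOTP
        info["protocol"] = "DHCP"
        info["message_type"] = DHCP_TYPES.get(opts[53][0], "unknown")
    info["hostname"] = opts.get(12, b"").decode("ascii", "replace")
    info["vendor_class"] = opts.get(60, b"").decode("ascii", "replace")
    if len(opts.get(50, b"")) == 4:
        info["requested_ip"] = ".".join(map(str, opts[50]))
    return info

def sample_discover() -> bytes:
    """Constructed packet rebuilt from the field values in the tcpdump output."""
    mac = bytes.fromhex("00029605a56c")
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0xFEACEBC9, 0, 0) + bytes(16)
    hdr += mac.ljust(16, b"\0") + bytes(64 + 128)    # chaddr, sname, file
    opts = [(53, b"\x01"), (116, b"\x01"), (61, b"\x01" + mac),
            (50, bytes([169, 254, 29, 32])), (12, b"DFYW8G1J"), (60, b"MSFT 5.0"),
            (55, bytes([1, 15, 3, 6, 44, 46, 47, 31, 33, 249, 43]))]
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts) + b"\xff"
    return (hdr + MAGIC_COOKIE + body).ljust(300, b"\0")
```

    Calling parse_bootp(sample_discover()) reports a non-relayed DHCP Discover; the same function accepts the UDP payload of a captured packet.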
