Find the answer to your Linux question:
Results 1 to 5 of 5
Hi, hopefully I'm not asking too stupid a question. I'm a 4 year linux hobbyist who has set up a Debian machine as a gateway/DHCP server. I updated today and ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    May 2012
    Location
    Washington Coast
    Posts
    3

    Constant DHCP OFFER DHCP DECLINE on ISP Interface of DHCP Server


    Hi, hopefully I'm not asking too stupid a question. I'm a 4 year linux hobbyist who has set up a Debian machine as a gateway/DHCP server. I updated today and now notice a constant DHCP OFFER and DHCP DECLINE connection to what I assume is my ISP's DHCP server address.

    Sniffing in tshark gives me a steady stream of offers and declines followed by an ACK a fraction of a second pause and then the cycle starts again. I have had this Debian setup (several installs) for several years now and never noticed this behavior so I am unsure where to look.

    iftop shows a constant connection,

    255.255.255.255:bootpc => 10.X.X.X:bootps
    <=
    with all the bandwidth happening on the <= side.

    It exists only the external interface and doesn't originate from the inside network. Previously this connection was occasional and I want to know why it's bursting more frequently. I can connect to the internet from the internal network machines and the gateway so there's no service disruption and I have an external IP address.

    I am on a different machine so no logs, but I can produce them if you need them. Again, curious why it's bursting so frequently.

    Any insight would be greatly appreciated and I thank you for your time.

  2. #2
    Linux Engineer Kloschüssel's Avatar
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    Hi there.

    I didn't try it but I find it interesting that iftop shows explicitly "bootpc" as the source port instead of "DHCP". That said, bootpc is a linux boot protocol client that tries to set up dns servers and other useful things. It maybe desired that a bootp client/server behaves like that. But it has a DHCP server incorporated and people are encouraged to use the much better supported dhcp package. If you're using the latter the bootp server/client could be a relict from a previous installation that should be removed?

    More assumptions of mine are:

    Either the client sends DHCPDISCOVER messages very frequently, the server bombards the client with DHCPOFFER messages without a reason or you have a dhcp server running that does stupid things to the ISP router (like offering him an IP address).

    Cheers

  3. #3
    Just Joined!
    Join Date
    May 2012
    Location
    Washington Coast
    Posts
    3
    Thanks for responding. The problem with being self taught is there are gaps in my knowledge. I do my best and usually prefer to read rather than ask (hence my low post count), but I'm still looking.

    *I checked /etc/dhclient.conf for anything weird but didn't see anything.
    *I checked resolve.conf and tried adding the address.
    */etc/default/isc-dhcp-server only lists (hands out addresses on) the internal interface.
    */etc/network/interfaces shows dhcp on eth0 (external) and eth1 (internal) as static.
    *I released and renewed dhclient.

    Still getting a fairly steady stream from that same 10.14.112.1 address. Relevant Tshark shows...

    Code:
    105.770898  10.14.112.1 -> 255.255.255.255 DHCP DHCP ACK      - Transaction ID 0x3ccb798b
    
    110.333066  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b85d
    110.340555  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b85d
    110.432678  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b85e
    110.440191  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b85e
    110.532816  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b85f
    110.540328  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b85f
    110.632963  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b860
    110.640464  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b860
    
    110.732577  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b861
    110.740104  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b861
    110.833222  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b862
    110.840236  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b862
    
    110.932851  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b863
    110.941373  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b863
    111.032492  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b864
    111.040523  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b864
    111.140668  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b865
    111.149150  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b865
    111.232778  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b866
    111.240278  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b866
    111.333405  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b867
    111.340415  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b867
    111.432537  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b868
    111.440056  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b868
    111.532676  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b869
    111.542190  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b869
    111.634819  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b86a
    111.644327  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b86a
    111.733451  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b86b
    111.740470  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b86b
    
    112.575106  10.14.112.1 -> 255.255.255.255 DHCP DHCP NAK      - Transaction ID 0x3a4eb010
    112.575303  10.14.112.1 -> 255.255.255.255 DHCP DHCP NAK      - Transaction ID 0x3a4eb010
    
    114.596851  10.14.112.1 -> 255.255.255.255 DHCP DHCP NAK      - Transaction ID 0x3a4eb010
    114.597244  10.14.112.1 -> 255.255.255.255 DHCP DHCP NAK      - Transaction ID 0x3a4eb010
    115.620232  10.14.112.1 -> 255.255.255.255 DHCP DHCP NAK      - Transaction ID 0x3a4eb010
    115.620429  10.14.112.1 -> 255.255.255.255 DHCP DHCP NAK      - Transaction ID 0x3a4eb010
    
    124.133771  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b86f
    124.141267  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b86f
    124.228869  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b870
    124.238384  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b870
    124.330509  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b871
    124.339523  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b871
    124.430156  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b872
    124.439164  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b872
    
    124.529273  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b873
    124.536798  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b873
    124.629917  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b874
    124.636929  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b874
    
    124.729041  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b875
    124.737569  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b875
    124.831191  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b876
    124.839200  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b876
    124.930322  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b877
    124.938840  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b877
    125.029975  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b878
    125.039988  10.14.112.1 -> 255.255.255.255 DHCP DHCP Decline  - Transaction ID 0x2238b878
    125.129107  10.14.112.1 -> 255.255.255.255 DHCP DHCP Offer    - Transaction ID 0x2238b879
    Is that specific to my machine or just "noise" that has for some reason increased?

    I'm probably being a dumbass, but if I am I would like to know why so I won't be in the future. Still can't figure out if it's something I'm doing or they're doing.
    Last edited by turbobutton; 05-14-2012 at 04:07 PM.

  4. $spacer_open
    $spacer_close
  5. #4
    Linux Engineer Kloschüssel's Avatar
    Join Date
    Oct 2005
    Location
    Italy
    Posts
    773
    Is that specific to my machine or just "noise" that has for some reason increased?
    I can't examine how debian behaves as I'm not running it. I use openwrt backfire (10.03) as router/firewall between the ISP and my computers. Running tcpdump on that like this (eth0.1 is the wan bridge):

    Code:
    ~# tcpdump -lenx -i eth0.1 -vv -s 1500 port 67 or port 68
    does not produce anything similar to your stuff. In fact it is really quiet, even though I don't believe my setup is comparable to yours.

    Starting a dhclient on my (ubuntu) computer resulted in this output on tcpdump:

    Code:
    20:42:39.969018 00:16:6f:ba:e4:c2 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:6f:ba:e4:c2, length 300
    	0x0000:  4510 0148 0000 0000 8011 3996 0000 0000
    	0x0010:  ffff ffff 0044 0043 0134 c308 0101 0600
    	0x0020:  1dbc 1500 0000 0000 0000 0000 0000 0000
    	0x0030:  0000 0000 0000 0000 0016 6fba e4c2 0000
    	0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
    20:42:39.972190 00:26:18:39:f2:2a > 00:16:6f:ba:e4:c2, ethertype IPv4 (0x0800), length 344: 192.168.2.1.67 > 192.168.2.113.68: BOOTP/DHCP, Reply, length 302
    	0x0000:  4500 014a f9b5 0000 4011 fa2a c0a8 0201
    	0x0010:  c0a8 0271 0043 0044 0136 9648 0201 0600
    	0x0020:  1dbc 1500 0000 0000 0000 0000 c0a8 0271
    	0x0030:  c0a8 0201 0000 0000 0016 6fba e4c2 0000
    	0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
    Strangely there are both client and server dhcp messages coming from 10.14.112.1 in your dump. I would expect that one host sends only one kind of dhcp messages, namely either one of:

    DHCPDISCOVER, DHCPREQUEST, DHCPRELEASE, DHCPDECLINE
    or
    DHCPOFFER, DHCPACK, DHCPNACK

    since the protocol looks mostly alike:



    In this flowchart is the DHCPDECLINE missing that you see often. That message is sent by the client on duplicate DHCPOFFER messages so that the client can signal the server that he did not accept the configuration offered.

    Is there anything strange set up in your firewall so that DHCP packets are forwarded / discarded somehow where they shouldn't?

    Cheers
    Last edited by Kloschüssel; 05-14-2012 at 07:45 PM.

  6. #5
    Just Joined!
    Join Date
    May 2012
    Location
    Washington Coast
    Posts
    3
    Hmm, well thanks again for your help. This might be a good opportunity to switch out some hardware and do a fresh install. It takes a couple hours though with configuring and auditing and I was hoping to avoid that.

    I'll post here if it persists.

    Also, any other thoughts, suggestions, or schooling won't be ignored...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •