
DHCP Option 43

asked 2019-09-19 16:27:15 +0000

b4dr4bb1t

So I have a DHCP server (Internet Systems Consortium DHCP Server 4.2.5) running on CentOS Linux release 7.6.1810 (Core). We deployed some Aruba Access Points (APs), but these APs cannot seem to get the correct Vendor-Option Option 43 from the server, although I can see from tcpdump that the DHCP server is giving the IP. Here's the Offer section of the DHCP transaction:

> 192.168.50.106.67 > 192.168.88.1.67: [bad udp cksum 0xcb91 -> 0x7838!] BOOTP/DHCP, Reply, length 340, hops 1, xid 0xf60a2647, Flags [none] (0x0000)
>       Your-IP 192.168.88.94
>       Gateway-IP 192.168.88.1
>       Client-Ethernet-Address 00:4e:35:c4:e3:d0
>       Vendor-rfc1048 Extensions
>         Magic Cookie 0x63825363
>         DHCP-Message Option 53, length 1: Offer
>         Server-ID Option 54, length 4: 192.168.50.106
>         Lease-Time Option 51, length 4: 28800
>         Subnet-Mask Option 1, length 4: 255.255.255.0
>         Default-Gateway Option 3, length 4: 192.168.88.1
>         Domain-Name-Server Option 6, length 12: 192.168.50.106,8.8.8.8,8.8.4.4
>         Domain-Name Option 15, length 12: "garnet.local"
>         BR Option 28, length 4: 192.168.88.255
>         Vendor-Option Option 43, length 4: 172.16.11.9
>         Vendor-Class Option 60, length 14: "ArubaInstantAP"
>         Agent-Information Option 82, length 14:
>           Circuit-ID SubOption 1, length 4: ^@^@^@^P
>           Remote-ID SubOption 2, length 6: M-^P M-B^W^OM-^@
>         END Option 255, length 0

I actually saved this capture and opened it in Wireshark - can someone please explain why I got a decimal-like value in Option: 43 when viewing it in Wireshark? Here's the Option: 43:

Option: (43) Vendor-Specific Information (Aruba Instant AP)
    Length: 4
    Aruba Instant AP: \357\277\275\020\v\t
        Name Organisation: \357\277\275\020\v\t
        AMP IP Address: \357\277\275\020\v\t
        Password: \357\277\275\020\v\t
Option: (60) Vendor class identifier
    Length: 14
    Vendor class identifier: ArubaInstantAP
Option: (82) Agent Information Option
    Length: 14
    Option 82 Suboption: (1) Agent Circuit ID
        Length: 4
        Agent Circuit ID: 00000010
    Option 82 Suboption: (2) Agent Remote ID
        Length: 6
        Agent Remote ID: 9020c2170f80

Also, the Circuit-ID and Remote-ID that are garbled in tcpdump look properly formatted when viewed in Wireshark - can someone please explain what those values are?

Thank you!


2 Answers


answered 2019-09-24 08:07:20 +0000

b4dr4bb1t

Hi,

I'm using Wireshark 3.0.4 64-bit. Here's the Hex dump of the Offer and ACK:


answered 2019-09-20 11:25:56 +0000

SYN-bit

Hmmm... this looks like a bug in the DHCP dissector to me. Are you able to share this DHCP packet in pcap format (or hex)? And which version of Wireshark were you using?


Comments

Hi,

I don't have 60 points yet; unable to upload a file. I can share the pcap with you - let me know how. Thank you.

b4dr4bb1t ( 2019-09-24 08:15:34 +0000 )

I was able to view the hex-data in Wireshark (File -> Import from Hex Dump) and got similar results.

According to https://www.arubanetworks.com/techdocs/ArubaOS_60/UserGuide/DHCP_Option_43.php, this option should show an IP address.

So I think there is a bug in the Wireshark dissector for DHCP. Could you file a bug report on https://bugs.wireshark.org with the hex data and the link from this comment?

SYN-bit ( 2019-09-24 14:34:58 +0000 )
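
Both displays asked about in this thread can be reproduced from the option bytes themselves. The following is an added example, not part of the original posts and not Wireshark or tcpdump code: the option bytes are constructed from the values shown in the question, the function names are hypothetical, and the string rendering only approximates what a dissector does when it treats the 4-byte value as text instead of an IPv4 address.

```python
import ipaddress

# Constructed option bytes, built from values shown in the question:
# option 43 = 172.16.11.9, option 82 sub-options 00000010 and 9020c2170f80.
OPTIONS = bytes.fromhex("2b04ac100b09" "520e" "010400000010" "02069020c2170f80" "ff")
C_ESCAPES = {7: "\\a", 8: "\\b", 9: "\\t", 10: "\\n", 11: "\\v", 12: "\\f", 13: "\\r"}

def parse_tlv(buf, dhcp_top_level=False):
    """Split code/length/value triples; at top level honour PAD (0) and END (255)."""
    out, i = [], 0
    while i < len(buf):
        code = buf[i]
        if dhcp_top_level and code == 255:
            break
        if dhcp_top_level and code == 0:
            i += 1
            continue
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"truncated option {code} at offset {i}")
        length = buf[i + 1]
        out.append((code, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def caret_notation(data):
    """tcpdump-style text: ^X for control bytes, M- prefix when the high bit is set."""
    parts = []
    for b in data:
        prefix, low = ("M-" if b & 0x80 else ""), b & 0x7F
        if low < 0x20:
            parts.append(prefix + "^" + chr(low + 0x40))
        elif low == 0x7F:
            parts.append(prefix + "^?")
        else:
            parts.append(prefix + chr(low))
    return "".join(parts)

def string_escape(data):
    """Treat bytes as UTF-8 text (invalid bytes become U+FFFD), then escape non-printables."""
    text = data.decode("utf-8", errors="replace").encode("utf-8")
    return "".join(chr(b) if 0x20 <= b < 0x7F else C_ESCAPES.get(b, f"\\{b:03o}") for b in text)

def describe(options=OPTIONS):
    opts = dict(parse_tlv(options, dhcp_top_level=True))
    sub = dict(parse_tlv(opts[82]))  # option 82 carries nested sub-option TLVs
    return {
        "opt43_ip": str(ipaddress.IPv4Address(opts[43])),
        "opt43_as_string": string_escape(opts[43]),
        "circuit_id": (sub[1].hex(), caret_notation(sub[1])),
        "remote_id": (sub[2].hex(), caret_notation(sub[2])),
    }
```

The same four bytes give `172.16.11.9` when read as an address and `\357\277\275\020\v\t` when read as text, and the option 82 sub-options are identical bytes shown as hex in one tool and as caret notation in the other.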

Stats

Asked: 2019-09-19 16:27:15 +0000

Seen: 3,231 times

Last updated: Sep 24 '19