Ask Your Question
0

DHCP request from a host to a DHCP server with the host having the same MAC address as that of the server

asked 2019-12-01 00:00:54 +0000

Macdan gravatar image

updated 2019-12-01 06:35:36 +0000

Hi guys,

please, I need help here.

I am going through a network capture file and I saw a DHCP interaction that I really don't understand and need someone to help explain it to me.

the DHCP server had its IP address and MAC address from the beginning of the package none of which was shared by another device on the network but in this interaction, a host sent about 5 un-replied DHCP requests to the DHCP server and what I noticed is that while the DHCP server's IP address is what has always been, the MAC address is now the same with that of the client sending the DHCP request. in order words, the DHCP server and host requesting for IP address have their IP addresses but both share the same MAC address which is the original MAC address of the client sending the DHCP request But other DHCP requests from other hosts in the network to the DHCP server has correct MAC address of the DHCP server and there are getting response from the DHCP server.

I am very confused here and don't know what to make of it. Someone should please explain this to me

The Captured File

edit retag flag offensive close merge delete

Comments

Can you remove any sensitive information and upload a capture?

Chuckc gravatar imageChuckc ( 2019-12-01 01:07:07 +0000 )edit

I do not have enough points to upload a file, I have edited the original post and added a link to th file in my google drive so you can download and check it out, thanks

Macdan gravatar imageMacdan ( 2019-12-01 06:31:29 +0000 )edit

Interesting tracefile, can you tell me how it was made? It seems to have been made in a (virtual?) test environment at the CSC department of DMU. However, some things do not make sense as there are no frames with ethernet padding while the frames of several hosts are too small to be captured on the network itself. If you can tell what kind of simulation software was run and how the captures were made within that environment, that would be interesting.

SYN-bit gravatar imageSYN-bit ( 2019-12-02 12:43:34 +0000 )edit

Sorry, I am responding to this late. from the date in the captured packets, this file was captured since 2015 and I sincerely don't know who did the capture, I was just given the file to analyze so it will be difficult for me to say how it was captured.

Macdan gravatar imageMacdan ( 2019-12-04 12:25:39 +0000 )edit

No problem, there is tons of interesting stuff in it. I might be using it in future classes of mine too!

SYN-bit gravatar imageSYN-bit ( 2019-12-04 20:39:08 +0000 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2019-12-01 09:06:59 +0000

Jaap gravatar image

The only thing that pops out is the DHCP client in 192.168.97.102, after the initial (DO)RA on the broadcast address, sends the Request to its own MAC address and never gets a reply. It does use the correct destination IP address for the server.

Note that these are all locally administered MAC addresses, e.g., on virtual machines.

edit flag offensive delete link more

Comments

But is it normal for a host to send a dhcp to its own Mac address and what could possibly have caused this?

Is it something that should be ignored or a suspicious activity that need to be investigated?

Macdan gravatar imageMacdan ( 2019-12-01 10:50:18 +0000 )edit

Check the arp cache (arp -a or arp -an on linux) on the client (192.168.97.102).
What entry does it have the dhcp server 192.168.97.250?

Chuckc gravatar imageChuckc ( 2019-12-01 16:10:21 +0000 )edit

I do not have access to the network or system then, the file was just sent to me to look at and analyze

Macdan gravatar imageMacdan ( 2019-12-01 22:00:28 +0000 )edit

Answer: No, this is not normal, because it doesn't work. The Request will not reach the Server. It's (probably) a software error.

Jaap gravatar imageJaap ( 2019-12-02 05:39:04 +0000 )edit

@Jaap Did you notice the shift from IP TTL = 64 to IP TTL = 128 between the answered packet and the unanswered packets? Maybe the unanswered ones were spoofed by another system. As we can not tell how the trace was made, we can't tell for sure where the packets came from.

SYN-bit gravatar imageSYN-bit ( 2019-12-04 20:40:31 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-12-01 00:00:54 +0000

Seen: 3,309 times

Last updated: Dec 01 '19