DHCP - rejecting bogus offer
-
Hello,
Ive been getting these msgs recently? any clue?
Oct 17 19:15:22 dhclient[11939]: rejecting bogus offer. Oct 17 19:15:22 dhclient[11939]: option option-97 (100) larger than buffer.Thanks.
F.
-
I guess you have a WAN-style interface that is using DHCP to get its IP from an upstream device.
A quick google of "DHCP option 97" leads to the RFC: http://tools.ietf.org/html/rfc4578
Search for "97" in that RFC4578 comes to a paragraph about "Client Machine Identifier Option Definition".
It sounds like some upstream device is replying to the DHCP request with a response that has invalid (too long) data. In the RFC it seems that there is (currently?) only 1 form of option 97, for a GUID. The option should be 97, 17, 0, 16-octet GUID. -
Hello Phil,
Aye aye, I guess Im not going to buy someone a gift from the INF catalog…. ;)
I did the same research but the lack of DHCP logging doenst help me to pin point the problem. Sniffing all, when I get the pcap of the com I might get more info on the bogus offer.
Cheers.
F.
-
So did you get pcap of the dhcp traffic? You should be able to this very simple with diag, packet capture on pfsense.. Then open it up in say wireshark and see the details of that option 97 and what is being sent out for discover and or requests, etc.
Option 97 is for PXE use is it not? I wouldn't think pfsense would be doing pxe?
-
Yea got the pcap…
Its from a DHCP offer malformed packet...where I didnt make the request. Sent on the broadcast (cable modem ISP) that hit my box.
Still investigating. Wrote some suricata rules, motitoring and capturing more...
F.
