Hi all,

I captured some DHCP traffic using DHCP AUTH (option 90 - see
RFC3118) using tcpdump on a Linux device and was then trying to view
it from Wireshark (0.99.4) on Windows. The problem is I'm getting some
warnings on the option length, and I think they are wrong.

Here's an excerpt from the exported text file:

Option: (t=53,l=1) DHCP Message Type = DHCP Discover
Option: (53) DHCP Message Type
Length: 1
Value: 01
...
Option: (t=90,l=13) Authentication length isn't >= 31
Option: (90) Authentication
Length: 13
Value: 010100C9D208C46B8B070F0000
Protocol: delayed authentication (1)
Algorithm: HMAC_MD5 (1)
Replay Detection Method: Monotonically-increasing counter (0)
RDM Replay Detection Value: c9d208c46b8b070f

Now, there's a message (warning?) on the first line in the option 90
dump saying the option length isn't >= 31. This is a DHCPDISCOVER
message. However, if you check the format of the option in
DHCPDISCOVER messages, and count the bytes (section 5.2 in RFC3118),
the actual length should be 11, not 31.

Then, I was using a router configured to send back a dummy option 90.
Here's what I get for the reply:

Option: (t=53,l=1) DHCP Message Type = DHCP Offer
Option: (53) DHCP Message Type
Length: 1
Value: 02
...
Option: (t=90,l=4) Authentication length isn't >= 11
Option: (90) Authentication
Length: 4
Value: ...

Now that's interesting. I think whoever made the validation swapped
the limits between DHCPDISCOVER and DHCPOFFER & co. Here the length
(at least for HMAC-MD5 authentication) should be 31.

I can provide a capture file, if necessary. Of course, I was assuming
the messages (and validation) come from Wireshark, if tcpdump is to
blame...

# tcpdump --version
tcpdump version 3.9.4
libpcap version 0.9.4

Thanks in advance,
Stefan
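
The length rule described in the post above, as an added example (not part of Stefan's message and not Wireshark's code): a Python check that applies a minimum of 11 bytes to DHCPDISCOVER and 31 bytes to the other message types for delayed authentication with HMAC-MD5. The function names and the 4-byte and 31-byte sample values are constructed for illustration; treating DHCPINFORM like DHCPDISCOVER follows RFC 3118 section 5.2.

```python
import struct

DISCOVER, OFFER, REQUEST, ACK, INFORM = 1, 2, 3, 5, 8  # option 53 values

FIXED_LEN = 11      # protocol(1) + algorithm(1) + RDM(1) + replay detection(8)
SECRET_ID_LEN = 4   # carried only outside DISCOVER/INFORM
HMAC_MD5_LEN = 16

def expected_len(msg_type, protocol, algorithm):
    """Expected option 90 length, or None if this sketch does not model it."""
    if (protocol, algorithm) != (1, 1):  # only delayed authentication + HMAC-MD5
        return None
    if msg_type in (DISCOVER, INFORM):   # request form: fixed fields only
        return FIXED_LEN
    return FIXED_LEN + SECRET_ID_LEN + HMAC_MD5_LEN  # 31

def check_option_90(msg_type, value):
    """Decode an option 90 payload and list length problems for msg_type."""
    out = {"length": len(value), "problems": []}
    if len(value) < FIXED_LEN:
        out["problems"].append(f"length {len(value)} < {FIXED_LEN} (fixed fields)")
        return out
    proto, alg, rdm, replay = struct.unpack("!BBBQ", value[:FIXED_LEN])
    out.update(protocol=proto, algorithm=alg, rdm=rdm, replay=replay)
    want = expected_len(msg_type, proto, alg)
    if want is None:
        return out
    if len(value) < want:
        out["problems"].append(f"length {len(value)} < {want}")
        return out
    if want > FIXED_LEN:
        out["secret_id"] = value[FIXED_LEN:FIXED_LEN + SECRET_ID_LEN]
        out["hmac"] = value[FIXED_LEN + SECRET_ID_LEN:want]
    out["trailing"] = value[want:]  # bytes beyond the expected layout
    return out

# Option 90 value of the DHCPDISCOVER quoted in the post.
DISCOVER_VALUE = bytes.fromhex("010100C9D208C46B8B070F0000")
# Constructed samples (not from the capture): a 4-byte dummy and a 31-byte value.
DUMMY_VALUE = bytes.fromhex("01010000")
FULL_VALUE = bytes([1, 1, 0]) + bytes(8) + bytes(4) + bytes(16)

if __name__ == "__main__":
    for name, mtype, val in [("DISCOVER", DISCOVER, DISCOVER_VALUE),
                             ("OFFER dummy", OFFER, DUMMY_VALUE),
                             ("OFFER full", OFFER, FULL_VALUE)]:
        print(name, check_option_90(mtype, val)["problems"] or "length ok")
```

With the limits swapped, as the post suspects, the 13-byte DISCOVER value would be checked against 31 and flagged, which matches the first warning quoted above.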