 
 From:  Anders Hagman <anders dot hagman at netplex dot se>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] DHCPDECLINE
 Date:  Thu, 26 Mar 2009 09:30:08 +0100
Hi

The only thing I found was a device stealing the address.


> Hi,
>  
> I REALLY need your help with this one....
>  
> I have a wireless network. All access points are sitting behind monowall
> (net5501 + embedded image). Most clients connect without problems. However,
> a few VISTA clients are unable to obtain an IP address via monowall DHCP. 
>  
> If the VISTA machine is left connected, chances are, that the client will
> (temporarily) get an IP address after a day or two.  This is of course
> unacceptable. The problem only affects some VISTA machines.
>  
> I've tried just about everything - including VISTA registry fixes, disabling
> IPv6, adding broadcast flag to dhcpd.conf etc. etc. 
>   
> Below I've pasted a wireshark capture taken on one of the affected machines.
> For no apparent reason the VISTA Home Premium (SP1) declines the address.
> This loop continues endlessly. Please, Please, Please take a look at the
> below trace and let me know if you have any ideas regarding solving this
> problem.
> 
> Monowall is at 10.0.10.1 (mac 00:00:24:cb:1f:9e)
> Client has mac 00:15:af:30:bc:95
> 
> BR

> 
> 
> No.     Time            Source                Destination           Protocol
> Info
>      13 15:31:11.982579 0.0.0.0               255.255.255.255       DHCP
> DHCP Discover - Transaction ID 0x1df18178
>  
> Frame 13 (342 bytes on wire, 342 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
> Bootstrap Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      14 15:31:12.025251 Olicom_cb:1f:9e       Broadcast             ARP
> Who has 10.0.10.157?  Tell 10.0.10.1
>  
> Frame 14 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      15 15:31:12.046721 10.0.10.1             255.255.255.255       DHCP
> DHCP Offer    - Transaction ID 0x1df18178
>  
> Frame 15 (342 bytes on wire, 342 bytes captured)
> Ethernet II, Src: Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 10.0.10.1 (10.0.10.1), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
> Bootstrap Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      16 15:31:12.047595 0.0.0.0               255.255.255.255       DHCP
> DHCP Request  - Transaction ID 0x1df18178
>  
> Frame 16 (350 bytes on wire, 350 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
> Bootstrap Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      17 15:31:12.098901 10.0.10.1             255.255.255.255       DHCP
> DHCP ACK      - Transaction ID 0x1df18178
>  
> Frame 17 (342 bytes on wire, 342 bytes captured)
> Ethernet II, Src: Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 10.0.10.1 (10.0.10.1), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootps (67), Dst Port: bootpc (68)
> Bootstrap Protocol
>  

Now the PC has the address 10.0.10.157 but should test the address with
a gratuitous ARP to ensure that the address isn't used. It does not; it starts
to use the address for IGMP, LLMNR and DNS.

> No.     Time            Source                Destination           Protocol
> Info
>      18 15:31:12.126594 10.0.10.157           224.0.0.252           IGMP
> V2 Membership Report
>  
> Frame 18 (46 bytes on wire, 46 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:fc (01:00:5e:00:00:fc)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.252
> (224.0.0.252)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      19 15:31:12.127938 10.0.10.157           224.0.0.252           UDP
> Source port: 58869  Destination port: 5355
>  
> Frame 19 (66 bytes on wire, 66 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:fc (01:00:5e:00:00:fc)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.252
> (224.0.0.252)
> User Datagram Protocol, Src Port: 58869 (58869), Dst Port: 5355 (5355)
> Data (24 bytes)
>  
> 0000  38 cc 00 00 00 01 00 00 00 00 00 00 06 70 6f 75   8............pou
> 0010  6c 50 43 00 00 ff 00 01                           lPC.....
>  
> No.     Time            Source                Destination           Protocol
> Info
>      20 15:31:12.170162 10.0.10.157           239.255.255.250       IGMP
> V2 Membership Report
>  
> Frame 20 (46 bytes on wire, 46 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      21 15:31:12.181241 10.0.10.157           10.0.10.255           NBNS
> Registration NB POULPC<00>
>  
> Frame 21 (110 bytes on wire, 110 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 10.0.10.255
> (10.0.10.255)
> User Datagram Protocol, Src Port: netbios-ns (137), Dst Port: netbios-ns
> (137)
> NetBIOS Name Service
>  
> No.     Time            Source                Destination           Protocol
> Info
>      22 15:31:12.208508 10.0.10.157           10.0.10.1             DNS
> Standard query A isatap.bogenseferiepark.local
>  
> Frame 22 (89 bytes on wire, 89 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 10.0.10.1
> (10.0.10.1)
> User Datagram Protocol, Src Port: 54173 (54173), Dst Port: domain (53)
> Domain Name System (query)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      23 15:31:12.228246 10.0.10.157           224.0.0.252           UDP
> Source port: 58869  Destination port: 5355
>  
> Frame 23 (66 bytes on wire, 66 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:fc (01:00:5e:00:00:fc)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.252
> (224.0.0.252)
> User Datagram Protocol, Src Port: 58869 (58869), Dst Port: 5355 (5355)
> Data (24 bytes)
>  
> 0000  38 cc 00 00 00 01 00 00 00 00 00 00 06 70 6f 75   8............pou
> 0010  6c 50 43 00 00 ff 00 01                           lPC.....
>  
> No.     Time            Source                Destination           Protocol
> Info
>      24 15:31:12.233147 Olicom_cb:1f:9e       Broadcast             ARP
> Who has 10.0.10.157?  Tell 10.0.10.1
>  
> Frame 24 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      25 15:31:12.233166 Azurewav_30:bc:95     Olicom_cb:1f:9e       ARP
> 10.0.10.157 is at 00:15:af:30:bc:95
>  
> Frame 25 (42 bytes on wire, 42 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> Olicom_cb:1f:9e (00:00:24:cb:1f:9e)
> Address Resolution Protocol (reply)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      26 15:31:12.258990 10.0.10.1             10.0.10.157           DNS
> Standard query response, No such name
>  
> Frame 26 (89 bytes on wire, 89 bytes captured)
> Ethernet II, Src: Olicom_cb:1f:9e (00:00:24:cb:1f:9e), Dst:
> Azurewav_30:bc:95 (00:15:af:30:bc:95)
> Internet Protocol, Src: 10.0.10.1 (10.0.10.1), Dst: 10.0.10.157
> (10.0.10.157)
> User Datagram Protocol, Src Port: domain (53), Dst Port: 54173 (54173)
> Domain Name System (response)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      27 15:31:12.287608 10.0.10.157           224.0.0.2             IGMP
> V2 Leave Group
>  
> Frame 27 (46 bytes on wire, 46 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:02 (01:00:5e:00:00:02)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.2
> (224.0.0.2)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      28 15:31:12.289184 10.0.10.157           239.255.255.250       IGMP
> V2 Membership Report
>  
> Frame 28 (46 bytes on wire, 46 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      29 15:31:12.321030 10.0.10.157           224.0.0.2             IGMP
> V2 Leave Group
>  
> Frame 29 (46 bytes on wire, 46 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:02 (01:00:5e:00:00:02)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.2
> (224.0.0.2)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      30 15:31:12.322368 10.0.10.157           239.255.255.250       IGMP
> V2 Membership Report
>  
> Frame 30 (46 bytes on wire, 46 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      31 15:31:12.326139 10.0.1.2              239.255.255.250       IGMP
> V2 Membership Query
>  
> Frame 31 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: Draytek_f0:17:c5 (00:50:7f:f0:17:c5), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.1.2 (10.0.1.2), Dst: 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      32 15:31:12.359793 10.0.1.2              239.255.255.250       IGMP
> V2 Membership Query
>  
> Frame 32 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: Draytek_f0:17:c5 (00:50:7f:f0:17:c5), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.1.2 (10.0.1.2), Dst: 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  

Now the Gratuitous ARP comes. Just one.

> No.     Time            Source                Destination           Protocol
> Info
>      33 15:31:12.480069 Azurewav_30:bc:95     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 33 (42 bytes on wire, 42 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      34 15:31:12.480210 10.0.10.157           224.0.0.252           IGMP
> V2 Membership Report
>  
> Frame 34 (46 bytes on wire, 46 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:00:00:fc (01:00:5e:00:00:fc)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 224.0.0.252
> (224.0.0.252)
> Internet Group Management Protocol
>  
> No.     Time            Source                Destination           Protocol
> Info
>      35 15:31:12.480245 10.0.10.157           239.255.255.250       IGMP
> V2 Membership Report
>  
> Frame 35 (46 bytes on wire, 46 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst:
> 01:00:5e:7f:ff:fa (01:00:5e:7f:ff:fa)
> Internet Protocol, Src: 10.0.10.157 (10.0.10.157), Dst: 239.255.255.250
> (239.255.255.250)
> Internet Group Management Protocol
>  

Here are 9 gratuitous ARPs from bc:95:81:00:00:0f for the same IP address
10.0.10.157. Who is this? Does this device run DHCP? The OUI bc:95:81 is not
valid.

> No.     Time            Source                Destination           Protocol
> Info
>      36 15:31:12.525878 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 36 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      37 15:31:12.533467 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 37 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      38 15:31:12.537248 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 38 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      39 15:31:12.539246 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 39 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      40 15:31:12.541225 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 40 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      41 15:31:12.543854 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 41 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      42 15:31:12.545738 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 42 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      43 15:31:12.547597 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 43 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
>  
> No.     Time            Source                Destination           Protocol
> Info
>      44 15:31:12.549569 bc:95:81:00:00:0f     Broadcast             ARP
> Who has 10.0.10.157?  Tell 0.0.0.0
>  
> Frame 44 (60 bytes on wire, 60 bytes captured)
> Ethernet II, Src: bc:95:81:00:00:0f (bc:95:81:00:00:0f), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Address Resolution Protocol (request)
> 

The first PC gives up and sends a decline.

> No.     Time            Source                Destination           Protocol
> Info
>      45 15:31:12.621206 0.0.0.0               255.255.255.255       DHCP
> DHCP Decline  - Transaction ID 0x1df18178
>  
> Frame 45 (342 bytes on wire, 342 bytes captured)
> Ethernet II, Src: Azurewav_30:bc:95 (00:15:af:30:bc:95), Dst: Broadcast
> (ff:ff:ff:ff:ff:ff)
> Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255
> (255.255.255.255)
> User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
> Bootstrap Protocol
> 

Look at the bc:95:81:00:00:0f-box.

BR
/Anders
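
Added example, not part of the original message: a Python check that automates what the reply does by eye, run over six frames of the quoted capture re-joined onto single lines (it assumes the export shows full MACs rather than resolved vendor names). It reports any IP that receives ARP probes (sender 0.0.0.0) from more than one MAC, any DHCP Decline that follows, and properties read from each prober's MAC bytes; `analyse`, `mac_flags` and the field names are this example's own.

```python
import re
from collections import defaultdict

# Frames 17, 33, 36-38 and 45 of the quoted capture, re-joined onto one line
# each; full MACs instead of resolved vendor names (assumption of this example).
SAMPLE = """\
17 15:31:12.098901 10.0.10.1 255.255.255.255 DHCP DHCP ACK - Transaction ID 0x1df18178
33 15:31:12.480069 00:15:af:30:bc:95 Broadcast ARP Who has 10.0.10.157?  Tell 0.0.0.0
36 15:31:12.525878 bc:95:81:00:00:0f Broadcast ARP Who has 10.0.10.157?  Tell 0.0.0.0
37 15:31:12.533467 bc:95:81:00:00:0f Broadcast ARP Who has 10.0.10.157?  Tell 0.0.0.0
38 15:31:12.537248 bc:95:81:00:00:0f Broadcast ARP Who has 10.0.10.157?  Tell 0.0.0.0
45 15:31:12.621206 0.0.0.0 255.255.255.255 DHCP DHCP Decline - Transaction ID 0x1df18178
"""
MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
PROBE = re.compile(r"^\s*(\d+)\s+\S+\s+" + MAC + r"\s+Broadcast\s+ARP\s+"
                   r"Who has (\S+)\?\s+Tell 0\.0\.0\.0", re.I)
DHCP = re.compile(r"^\s*(\d+)\s.*\bDHCP (ACK|Decline)\b.*Transaction ID (0x[0-9a-f]+)", re.I)

def mac_flags(mac, others):
    """Properties read from the address bytes alone (no vendor database)."""
    b = mac.lower().split(":")
    return {
        "locally_administered": bool(int(b[0], 16) & 0x02),
        "contains_8100": b[2:4] == ["81", "00"],  # 0x8100 is the 802.1Q tag type
        # other probers whose last two MAC bytes equal this MAC's first two
        "starts_with_tail_of": [o for o in others if o.split(":")[4:] == b[:2]],
    }

def analyse(text):
    """Return one finding per IP that was ARP-probed by more than one MAC."""
    probes = defaultdict(lambda: defaultdict(list))  # ip -> mac -> frame numbers
    dhcp = []                                        # (frame, message type, xid)
    for line in text.splitlines():
        if m := PROBE.match(line):
            probes[m.group(3)][m.group(2).lower()].append(int(m.group(1)))
        elif m := DHCP.match(line):
            dhcp.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    findings = []
    for ip, by_mac in probes.items():
        if len(by_mac) < 2:
            continue  # a single prober is ordinary duplicate address detection
        macs = sorted(by_mac, key=lambda k: by_mac[k][0])
        last = max(n for frames in by_mac.values() for n in frames)
        findings.append({
            "ip": ip,
            "probers": {k: len(by_mac[k]) for k in macs},
            "declines_after": [x for n, kind, x in dhcp if kind == "decline" and n > last],
            "flags": {k: mac_flags(k, [o for o in macs if o != k]) for k in macs},
        })
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE):
        print(f)
```

On these frames the second prober's address starts with bc:95, the last two bytes of the client's own MAC, followed by 81:00. Reading that as a shifted or tagged copy of the client's frame rather than a separate vendor address is an inference of this example, not something the thread establishes.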