| Subject: | Windows DHCP Server Responses |
I've been writing code to discover 'rogue' DHCP servers on the network. I'm in a development/support environment where many things get thrown on the network, including DHCP servers that block the legitimate corporate DHCP server.
I noticed while testing my code that if the DHCP server is a Windows server its response to a DHCPDISCOVER packet is sent to the the broadcast address *instead* of responding directly to the client. A Linux DHCP server (RH 6.2) responds exactly the way I would expect - directly to the client.
Following are examples of both. Notice specifically the daddr and dest in each for the RCVD packet.
Linux:
------
XMIT:
xid 73519259: saddr=0.0.0.0 daddr=255.255.255.255
src=00:02:a5:02:fc:61 dest=ff:ff:ff:ff:ff:ff op=1
RCVD:
xid 73519259:
73519259 ttl=16 saddr=10.20.30.40 daddr=10.20.30.41
src=00:a0:c9:20:64:6a dest=00:02:a5:02:fc:61 op=2
73519259 73519259
Windows:
--------
XMIT:
xid 94070834: saddr=0.0.0.0 daddr=255.255.255.255
src=00:d0:b7:1d:81:28 dest=ff:ff:ff:ff:ff:ff op=1
RCVD:
xid 94070834:
94070834 ttl=128 saddr=10.20.31.40 daddr=255.255.255.255
src=00:90:27:90:55:5b dest=ff:ff:ff:ff:ff:ff op=2
94070834 94070834
I modified the filter passed to the pcapinit call in DHCPClient.pm to include the broadcast address. That was sufficient for my purposes (seeing what server answers) but I don't know if that is sufficient for production use.
John