File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / dhcdrop / man / dhcdrop.8
Revision 1.1.1.1 (vendor branch)
Tue Feb 21 22:25:35 2012 UTC (12 years, 4 months ago) by misho
Branches: dhcdrop, MAIN
CVS tags: v0_5, HEAD
dhcdrop

    1: .TH DHCDROP 8 "18/08/2009" 
    2: .SH NAME
    3: dhcdrop \- program for finding and suppressing false DHCP servers on Ethernet.
    4: .SH SYNOPSIS
    5: .BI "dhcdrop 
    6: .RB [ " \-h "]
    7: .RB [ " \-D "]
    8: .RB [ " \-t "]
    9: .RB [ " \-y "]
   10: .RB [ " \-r "]
   11: .RB [ " \-b "]
   12: .RB [ " \-a "]
   13: .RB [ " \-A "]
   14: .RB [ " \-f "]
   15: .RB [ " \-R "]
   16: .RB [ " \-q "]
   17: .LP
   18: .RB [ " \-m "
   19: .I count
   20: ]
   21: .RB [ " \-c "
   22: .I count
   23: ]
   24: .RB [ " \-n " 
   25: .I hostname
   26: ]
   27: .RB [ " \-N "
   28: .I clientname
   29: ]
   30: .RB [ " \-p "
   31: .I port
   32: ]
   33: .RB [ " \-P "
   34: .I port
   35: ]
   36: .RB [ " \-w "
   37: .I seconds
   38: ]
   39: .LP
   40: .RB [ " \-T "
   41: .I timeout
   42: ]
   43: .RB [ " \-M "
   44: .I max-hosts-scan
   45: ]
   46: .RB [ " \-l "
   47: .I MAC-address
   48: ]
   49: .RB [ " \-L "
   50: .I network
   51: ]
   52: .RB [ " \-S "
   53: .I network/mask
   54: ]
   55: .RB [ " \-F "
   56: .I from-IP
   57: ]
   58: .LP
   59: .RB [ " \-s "
   60: .I server-IP
   61: ]
   62: .RB [ " \-C "
   63: .I children count (2 - 32)
   64: ]
   65: .LP
   66: .RB [ " initial-MAC-address " ]
   67: .RB < " \-i "
   68: .I interface-name|interface-index
   69: >
   70: .LP
   71: .SH DESCRIPTION
   72: To suppress a DHCP server,
   73: .B dhcdrop
   74: uses either a DHCP
   75: starvation attack or a flood of DHCPDISCOVER messages.
   76: See below for details. dhcdrop can also be used as a diagnostic
   77: and stress-testing tool when configuring and developing DHCP servers.
   78: .SH OPTIONS
   79: .TP
   80: .B "-h"
   81: print the help message and the program's return codes.
   82: .TP
   83: .B "-D"
   84: list the available network interfaces. Format - index:name.
   85: .TP
   86: .B "-t"
   87: test mode. In this mode
   88: .B dhcdrop
   89: does not suppress the server. A DHCPDISCOVER is sent.
   90: If an answer comes from a non\-ignored server, the program
   91: exits with return code 200 and prints the string:
   92: .IP
   93: DHCP SRV: 10.7.7.1 (IP-hdr: 10.7.7.1) SRV ether: 00:02:44:75:77:E4, YIP: 10.7.7.205
   94: .IP
   95: which contains the MAC address of the false DHCP server found.
   96: .TP
   97: .B "-y"
   98: answer 'yes' to all questions.
   99: .TP
  100: .B "-r"
  101: disable Ethernet address randomization. Each subsequent source MAC address differs from the previous one by 1.
  102: .TP
  103: .BI "-b"
  104: set the
  105: .B BROADCAST
  106: flag in the DHCP packets sent.
  107: .TP
  108: .B "-a"
  109: always wait for the server's response on the default DHCP client port (68), even if the
  110: configured client port differs from the default value.
  111: .TP
  112: .B "-A"
  113: always wait for the server's response from the default DHCP server port (67),
  114: even if the configured client port differs from the default value.
  115: .TP
  116: .B "-f"
  117: flood mode with DHCPDISCOVER requests. USE WITH CARE.
  118: It is convenient for stress-testing a server.
  119: When used with option
  120: .B "-r"
  121: all the packets sent have the same MAC address.
  122: .TP
  123: .BI "-R"
  124: send DHCPRELEASE from source MAC address specified by 
  125: .B "<initial MAC address>"
  126: and IP address specified by option 
  127: .B "-F" 
  128: to server specified by option 
  129: .B "-s"
  130: .
  131: .TP
  132: .B "-q"
  133: quiet mode.
  134: .TP
  135: .BI "-m" " count" 
  136: maximum number of attempts to receive answer from DHCP server. (default: 5).
  137: .TP
  138: .BI "-c" " count"
  139: maximum number of addresses to receive from the DHCP server (default: 255).
  140: .TP
  141: .BI "-n" " hostname"
  142: value of DHCP-option 'HostName' (default: 'DHCP-dropper').
  143: .TP
  144: .BI "-N" " clientname"
  145: value of DHCP-option 'Vendor-Class' (default: 'DHCP-dropper').
  146: .TP
  147: .BI "-p" " port"
  148: set client port value (default: 68).
  149: .TP
  150: .BI "-P" " port"
  151: set server port value (default: 67).
  152: .TP
  153: .BI "-w" " seconds"
  154: set timeout after which the process will be restarted when using 
  155: aggressive mode (see option
  156: .B "-L"
  157: ) (default: 60 secs).
  158: .TP
  159: .BI "-T" " timeout"
  160: set timeout of waiting server response in seconds (default: 3).
  161: .TP
  162: .BI "-M" " maximum-hosts"
  163: maximum number of hosts scanned when aggressive mode is used (option -L).
  164: .TP
  165: .BI "-l" " MAC-address"
  166: Ethernet address of a DHCP server to ignore.
  167: There may be several servers; give option
  168: .B -l
  169: for each server.
  170: .TP
  171: .BI "-L" " legal-network"
  172: specify the legal network(s) on the interface. There may be
  173: several networks. If this parameter is set, dhcdrop
  174: uses aggressive mode: it scans the address range assigned
  175: by the DHCP server to find hosts with incorrect addresses,
  176: sends DHCPRELEASE to the server from every host found, and
  177: then restarts the process of receiving addresses. Give option
  178: .B -L
  179: for each network.
  180: .TP
  181: .BI "-S" " network/mask"
  182: ARP scan of network 'network' with network mask 'mask' (CIDR notation).
  183: The source IP address for scanning is specified by option
  184: .B -F
  185: .
  186: If the source IP is not set, a random IP address from the network address range is used.
  187: .TP
  188: .BI "-F" " source-ip"
  189: source IP for scanning network or sending DHCPRELEASE (see option  
  190: .B -S
  191: and 
  192: .B -R
  193: ).
  194: .TP
  195: .BI "-s" " server-ip-address"
  196: specify DHCP server IP address. Used with option 
  197: .B -R
  198: .
  199: .TP
  200: .BI "-C" " count"
  201: number of children (default: 0, minimum: 2, maximum: 32). Compatible only with flag
  202: .B -f
  203: . 
  204: .TP
  205: .B "initial-MAC-address"
  206: specify the source MAC address for sending the first DHCP message.
  207: If the address is not set, a random value is used.
  208: .TP
  209: .BI "-i" " interface"
  210: defines network interface, can be name or index (cannot be 'any'). 
  211: For listing available interfaces use option 
  212: .B -D
  213: .
  214: .SH THEORETICAL BASICS
  215: The DHCP protocol has an option that specifies how long an IP address is leased
  216: (Lease Time). For this period the DHCP server gives the IP address to the client to use.
  217: When the period ends, the client has to try to renew the IP address
  218: in order to extend the lease. For the server, leasing out an IP address
  219: means that for the duration of the lease the address can be given only to the owner
  220: of the lease and to nobody else. The server usually identifies clients
  221: by MAC address. Usually every server has a pool of dynamic
  222: IP addresses. These are addresses that are not assigned to specific MAC addresses
  223: and are handed out dynamically at any client's request. The pool on SOHO routers with
  224: default settings is not very big - from tens to about 200 addresses. When
  225: software performs the function of the DHCP server, the size of the pool
  226: is defined by whoever configures it. When the pool is exhausted, the DHCP server
  227: ignores requests from new clients (probably recording this in its logs).
  228: In effect it is out of action.
  229: 
  230: So when a false DHCP server appears, it can be suppressed rather easily.
  231: It is necessary to obtain a lease for every IP address available on that server,
  232: sending each request from a unique client. The longer the Lease Time in the server
  233: settings, the longer the DHCP server stays suppressed once its dynamic
  234: pool is exhausted. For most SOHO routers the Lease Time is a number of days
  235: or even weeks. When WinGate, dhcpd or similar software is used as the DHCP
  236: server, the lease time depends on the imagination of whoever launched the false DHCP server.
  237: .SH PRINCIPLE OF DHCDROP OPERATION
  238: The program opens the interface specified in the command line options in promiscuous
  239: mode, then forms a DHCP message (DHCPDISCOVER) with a random source MAC address
  240: (unless other behaviour is specified) and sends it to the interface:
  241: 
  242: .nf
  243: 01:58:04.681600 00:70:de:3b:b9:05 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), 
  244: length 342: (tos 0x10, ttl 64, id 33964, offset 0, flags [none], 
  245: proto UDP (17), length 328) 
  246: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:70:de:3b:b9:05, 
  247: length 300, xid 0xcc1cfc5c, Flags [none]
  248:           Client-Ethernet-Address 00:70:de:3b:b9:05
  249:           Vendor-rfc1048 Extensions
  250:             Magic Cookie 0x63825363
  251:             DHCP-Message Option 53, length 1: Discover
  252:             Parameter-Request Option 55, length 3:
  253:               Domain-Name-Server, Default-Gateway, Subnet-Mask
  254:             Hostname Option 12, length 12: "DHCP-dropper"
  255:             Vendor-Class Option 60, length 12: "DHCP-dropper"
  256:             Client-ID Option 61, length 7: ether 00:70:de:3b:b9:05
  257: .fi
  258: 
  259: After this it waits for the server's answer (DHCPOFFER). If an answer
  260: offering an IP address lease is received, the next DHCP message (DHCPREQUEST)
  261: is sent to the interface. The server answers this message with a DHCPACK packet,
  262: which confirms that the client may use the IP address.
  263: This completes the operation of obtaining the IP address offered by the server.
  264: The program changes the source MAC address and sends DHCPDISCOVER again.
  265: After that all the above operations for obtaining the lease of a new
  266: IP address are repeated. Note that the program
  267: changes not only the client's MAC address in the DHCP message but also the
  268: MAC address in the header of the Ethernet frame. This brings the behaviour
  269: of the program as close as possible to that of a real DHCP client (and also
  270: allows it to avoid DHCP snooping).
  271: 
  272: The cycle of obtaining IP addresses from the server ends when the maximum
  273: number of IP addresses set by the option has been received or when the
  274: dynamic pool of the server is exhausted. In the second case you have won.
  275: In the first case, if your aim is to reject the DHCP server, it makes
  276: sense to set another value for the maximum number of leased addresses option.
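
Seen from the side of the server operator, the exchange described above leaves a recognisable trace in a capture. The following is an added example, not part of dhcdrop or of the original man page: a POSIX shell/awk filter that summarises DHCPDISCOVER traffic in `tcpdump -e -n -v` text and flags many distinct client MACs or the default 'DHCP-dropper' identifiers. The function names, the threshold of 20 MACs and the sample capture are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: summarise DHCPDISCOVER activity in `tcpdump -e -n -v` text.

# Reads capture text on stdin. $1 = number of distinct client MACs treated
# as suspicious (assumed default: 20).
analyze_capture() {
    awk -v limit="${1:-20}" '
    function end_packet() {
        if (discover) {
            total++
            if (!(mac in seen)) { seen[mac] = 1; macs++ }
            if (tagged) dflt++
        }
        mac = ""; discover = 0; tagged = 0
    }
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]\./ { end_packet() }   # timestamp = new packet
    /Client-Ethernet-Address/             { mac = tolower($2) }
    /DHCP-Message Option 53.*: Discover/  { discover = 1 }
    /(Hostname|Vendor-Class) Option .*"DHCP-dropper"/ { tagged = 1 }
    END {
        end_packet()
        verdict = (macs >= limit || dflt > 0) ? "SUSPECT" : "OK"
        printf "discover=%d distinct_macs=%d default_id=%d verdict=%s\n",
               total, macs, dflt, verdict
    }'
}

# Constructed sample capture: three DISCOVERs shaped like the packet shown
# above (MACs taken from this page's example output) and one ordinary client.
sample_capture() {
    n=0
    for mac in 00:70:de:3b:b9:05 00:a2:fa:12:41:f7 00:56:ea:f8:1c:b0; do
        n=$((n + 1))
        cat <<EOF
01:58:0$n.681600 $mac > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from $mac, length 300
          Client-Ethernet-Address $mac
            DHCP-Message Option 53, length 1: Discover
            Hostname Option 12, length 12: "DHCP-dropper"
            Vendor-Class Option 60, length 12: "DHCP-dropper"
EOF
    done
    cat <<'EOF'
01:58:09.120000 3c:52:82:00:00:10 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 3c:52:82:00:00:10, length 300
          Client-Ethernet-Address 3c:52:82:00:00:10
            DHCP-Message Option 53, length 1: Discover
            Hostname Option 12, length 9: "laptop-01"
EOF
}

sample_capture | analyze_capture 20
```

The Hostname and Vendor-Class strings can be changed with options -n and -N, so the distinct-MAC count is the more durable of the two signals.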
  277: .SH USAGE OF THE PROGRAM
  278: \fIInterfaces listing\fP
  279: .sp
  280: First of all you need to find out the name of the network interface
  281: on which the DHCP server is located. On UNIX-like systems this is easy to see
  282: from the output of the ifconfig command, but on Windows it is not so evident.
  283: So let's first launch the program with the
  284: .B -D
  285: option:
  286: 
  287: .nf
  288: C:\>dhcdrop -D
  289: Available interfaces:
  290: 1:\\Device\\NPF_GenericDialupAdapter
  291:   descr: Adapter for generic dialup and VPN capture
  292: 2:\\Device\\NPF_{0C796DB5-22D9-46AB-9301-9C7ADC2304AF}
  293:   descr: ZyXEL GN650 1000Base-T Adapter          (Microsoft's Packet Scheduler)
  294:   iaddr: 192.168.1.2/24  bcast: 255.255.255.255
  295:   iaddr: 10.7.7.7/24  bcast: 255.255.255.255
  296: .fi
  297: 
  298: From this output it is evident that we need the second interface.
  299: As the argument of the program's option
  300: .B -i
  301: either the index of the second interface or its name
  302: .B "\\\\Device\\\\NPF_{0C796DB5-22D9-46AB-9301-9C7ADC2304AF}"
  303: can be given. To my mind it is easier to use the index and launch the
  304: program with the index instead of the name. For example:
  305: .B dhcdrop -i 2
  306: 
  307: \fIInteractive mode, by default\fP
  308: .sp
  309: The easiest way to use the program is to search for servers and choose
  310: manually which one to reject:
  311: 
  312: .nf
  313: $ sudo dhcdrop -i eth1
  314: Using interface: 'eth1'
  315: Got response from server 10.7.7.1 (IP-header 10.7.7.1), server ethernet address: 00:02:44:75:77:E4, lease time: 1.1h (3960s)
  316: Got BOOTREPLY (DHCPOFFER) for client ether: 00:16:09:D8:CF:60 You IP: 10.7.7.201/24
  317: Drop him? [y/n] n
  318: Searching next server...
  319: Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
  320: Got BOOTREPLY (DHCPOFFER) for client ether: 00:16:09:D8:CF:60 You IP: 192.168.1.2/24
  321: Drop him? [y/n] y
  322: 1. Got BOOTREPLY (DHCPACK) for client ether: 00:16:09:D8:CF:60 You IP: 192.168.1.2/24
  323: 2. Got BOOTREPLY (DHCPACK) for client ether: 00:A2:FA:12:41:F7 You IP: 192.168.1.3/24
  324: 3. Got BOOTREPLY (DHCPACK) for client ether: 00:56:EA:F8:1C:B0 You IP: 192.168.1.4/24
  325: 4. Got BOOTREPLY (DHCPACK) for client ether: 00:EA:91:1A:C8:A8 You IP: 192.168.1.5/24
  326: 5. Got BOOTREPLY (DHCPACK) for client ether: 00:83:8A:25:C7:1C You IP: 192.168.1.6/24
  327: 6. Got BOOTREPLY (DHCPACK) for client ether: 00:CA:A7:FF:C1:70 You IP: 192.168.1.7/24
  328: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  329: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  330: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  331: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  332: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  333: Finished.
  334: .fi
  335: 
  336: As the example shows, on receiving an answer from a DHCP server
  337: .B dhcdrop
  338: reports the information from the server about the offered IP address and asks whether
  339: to suppress this server. On a negative answer it goes on searching for
  340: servers in the network, ignoring the server discovered before. On
  341: a positive answer it starts rejecting the server with the
  342: method shown above.
  343:  
  344: \fIAutomatic suppression mode for all servers except the legitimate one\fP
  345: .sp
  346: If we know (and usually we do) the MAC address of the legal DHCP server in our
  347: network, the operation of suppressing illegal servers can be simplified:
  348: 
  349: .nf
  350: $ sudo dhcdrop -i eth1 -y -l 00:02:44:75:77:E4
  351: Using interface: 'eth1'
  352: Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
  353: Got BOOTREPLY (DHCPOFFER) for client ether: 00:37:C5:10:BE:16 You IP: 192.168.1.2/24
  354: 1. Got BOOTREPLY (DHCPACK) for client ether: 00:37:C5:10:BE:16 You IP: 192.168.1.2/24
  355: 2. Got BOOTREPLY (DHCPACK) for client ether: 00:94:26:88:33:BD You IP: 192.168.1.3/24
  356: 3. Got BOOTREPLY (DHCPACK) for client ether: 00:E5:AC:7B:79:BB You IP: 192.168.1.4/24
  357: <skipped>
  358: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  359: Finished.
  360: .fi
  361: 
  362: Used this way,
  363: .B dhcdrop
  364: rejects any server except those stated with the
  365: .B -l
  366: option, without asking additional questions (due to option
  367: .B -y
  368: ).
  369: 
  370: \fITest mode\fP
  371: .sp
  372: Test mode (
  373: .B -t
  374: ) is convenient for running the program from a script in automated mode.
  375: An example of the simplest script is below:
  376: 
  377: .nf
  378: 00 #!/bin/bash
  379: 01 LEGAL_SERVER="00:11:22:33:44:55"
  380: 02 DROPPER="/usr/sbin/dhcdrop"
  381: 03 IFNAME="eth1"
  382: 
  383: 04 "$DROPPER" -i "$IFNAME" -t -l "$LEGAL_SERVER" -m 3
  384: 
  385: 05 if [ $? -eq 200 ]
  386: 06 then
  387: 07    echo Illegal server found\! Dropping him\!
  388: 08    "$DROPPER" -i "$IFNAME" -l "$LEGAL_SERVER" -y
  389: 09 else
  390: 10    echo Illegal server not found.
  391: 11 fi
  392: .fi
  393: 
  394: In the fourth line
  395: .B dhcdrop
  396: is launched in test mode with an option naming the legal DHCP server
  397: for the network (
  398: .B -l
  399: ), the test option (
  400: .B -t
  401: ) and an option setting the maximum number of attempts to send DHCPDISCOVER
  402: while searching for a server (
  403: .B -m).
  404: If there is no answer to any of the requests sent, the program
  405: ends with code 0. If there is an answer from a server not listed with the
  406: .B -l
  407: option, the program ends with code 200, which leads to the program being
  408: launched again with options for suppressing any DHCP server
  409: in the network except the legal one.
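
A report-only variant of the check described above, as an added example that is not part of dhcdrop or of the original man page: it parses the line test mode prints and turns the return code into one log line, without starting suppression. The function names and the log format are assumptions, as is the test-mode line arriving on standard output.

```sh
#!/bin/sh
# Added example: report-only handling of `dhcdrop -t` results.
# Nothing here starts suppression; it only turns a scan into a log line.

LEGAL_SERVER="00:11:22:33:44:55"   # placeholder MAC, as in the script above
DROPPER="/usr/sbin/dhcdrop"
IFNAME="eth1"

# Extract "server_ip ip_header_src server_mac offered_ip" from the line
# test mode prints; prints nothing if the line has another shape.
parse_test_line() {
    printf '%s\n' "$1" | sed -n -E \
        's/^DHCP SRV: ([0-9.]+) \(IP-hdr: ([0-9.]+)\) SRV ether: ([0-9A-Fa-f:]{17}), YIP: ([0-9.]+).*$/\1 \2 \3 \4/p' |
        tr 'a-f' 'A-F'
}

# $1 = dhcdrop exit status, $2 = its captured output.
# Returns 0 (clean), 1 (unlisted server answered) or 2 (anything else).
classify_scan() {
    rc=$1
    out=$2
    case "$rc" in
    0)
        echo "OK no unlisted DHCP server answered"
        return 0 ;;
    200)
        line=$(printf '%s\n' "$out" | grep '^DHCP SRV: ' | head -n 1)
        fields=$(parse_test_line "$line")
        if [ -z "$fields" ]; then
            echo "ALERT unlisted DHCP server answered (details not parsed)"
            return 1
        fi
        set -- $fields
        note=""
        # Assumption: "DHCP SRV" is the server the reply names and "IP-hdr"
        # the packet's source address; a difference is worth a second look.
        if [ "$1" != "$2" ]; then note=" note=server-ip/ip-header-mismatch"; fi
        echo "ALERT unlisted-dhcp server_ip=$1 ip_hdr=$2 mac=$3 offered=$4$note"
        return 1 ;;
    *)
        # Other return codes are listed by `dhcdrop -h`; treated as errors here.
        echo "ERROR dhcdrop exited with status $rc"
        return 2 ;;
    esac
}

# One scan with the options used in the script above (run as root).
scan_once() {
    rc=0
    out=$("$DROPPER" -i "$IFNAME" -t -l "$LEGAL_SERVER" -m 3) || rc=$?
    classify_scan "$rc" "$out"
}

# Constructed sample: the test-mode line quoted under option -t.
SAMPLE='DHCP SRV: 10.7.7.1 (IP-hdr: 10.7.7.1) SRV ether: 00:02:44:75:77:E4, YIP: 10.7.7.205'
classify_scan 200 "$SAMPLE" || true
```

Call `scan_once` from cron or a monitoring agent and alert on a non-zero return; the sample call at the end runs without dhcdrop installed.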
  410: 
  411: \fIUsage of aggressive mode for receiving addresses\fP
  412: .sp
  413: As you can guess from the description of the DHCP protocol, if a client has received
  414: its configuration from an illegal DHCP server, the server will not give
  415: this configuration to another client until the lease expires.
  416: So simply exhausting the IP address pool will not save clients who have already
  417: received an incorrect configuration. The server will give these addresses only to
  418: the clients who requested them initially and will ignore requests from
  419: .BR dhcdrop .
  420: When they try to renew the address, the clients will receive
  421: information from the illegal DHCP server again, and this will continue until the
  422: illegal DHCP server is switched off. To solve this problem an
  423: aggressive mode of obtaining IP addresses was added to dhcdrop starting with version 0.5.
  424: It is activated with the
  425: .B -L
  426: option, which names a legitimate IP subnet for the given Ethernet segment of the network.
  427: Here is the algorithm of its operation:
  428: .B dhcdrop
  429: runs the ordinary suppression mode and exhausts the whole IP address
  430: pool of the illegal DHCP server. It analyzes the first DHCPOFFER received from the illegal
  431: DHCP server and, using the network mask and the client IP address given out by the
  432: server, derives the address of the IP network served by this server.
  433: It launches an ARP scan of the derived subnet in order to find hosts
  434: that received incorrect configuration information. The default number of scanned
  435: hosts is limited to 512 (can be changed with the
  436: .B -M
  437: option), because some servers give out a configuration with a /8 mask, which
  438: corresponds to approximately 16 million hosts, and scanning such an address range
  439: would take a lot of time. It sends DHCPRELEASE messages to the DHCP server from every
  440: host found (except the server itself). It waits 60 seconds
  441: (the default value can be changed with the
  442: .B -w
  443: option) and then restarts the process of obtaining IP addresses.
  444: As an example let's launch
  445: .B dhcdrop
  446: with the same options as in the previous example but
  447: additionally state the legal IP network 10.7.7.0:
  448: 
  449: .nf
  450: $ sudo dhcdrop -i eth1 -y -l 00:02:44:75:77:E4 -L 10.7.7.0
  451: Using interface: 'eth1'
  452: Got response from server 192.168.1.1 (IP-header 192.168.1.1), server ethernet address: 00:1E:2A:52:C8:CA, lease time: 24h (86400s)
  453: Got BOOTREPLY (DHCPOFFER) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
  454: 1. Got BOOTREPLY (DHCPACK) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
  455: 2. Got BOOTREPLY (DHCPACK) for client ether: 00:FB:E7:A4:19:EC You IP: 192.168.1.6/24
  456: 3. Got BOOTREPLY (DHCPACK) for client ether: 00:CB:44:F9:A8:6F You IP: 192.168.1.7/24
  457: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  458: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  459: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  460: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  461: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  462: Trying to use agressive mode.
  463: Starting ARP scanning network in range: 192.168.1.0 - 192.168.1.255...
  464: Illegal DHCP server perhaps assigned IP adresses to the following hosts:
  465: 1. Received ARP-reply from: 00:1e:2a:52:c8:ca (192.168.1.1) - itself DHCP server.
  466: 2. Received ARP-reply from: 00:03:ff:15:52:90 (192.168.1.3)
  467: 3. Received ARP-reply from: 00:03:ff:14:52:90 (192.168.1.4)
  468: 4. Received ARP-reply from: 00:a0:c5:30:52:90 (192.168.1.200)
  469: Sending DHCPRELEASE for invalid clients:
  470: Send DHCPRELEASE for host 00:03:ff:15:52:90 (192.168.1.3).
  471: Send DHCPRELEASE for host 00:03:ff:14:52:90 (192.168.1.4).
  472: Send DHCPRELEASE for host 00:a0:c5:30:52:90 (192.168.1.200).
  473: Restart dropping DHCP server after 60 seconds timeout...
  474: 1. Got BOOTREPLY (DHCPACK) for client ether: 00:BC:BF:D6:39:2E You IP: 192.168.1.5/24
  475: 2. Got BOOTREPLY (DHCPACK) for client ether: 00:F1:32:14:60:A3 You IP: 192.168.1.3/24
  476: 3. Got BOOTREPLY (DHCPACK) for client ether: 00:2D:1C:80:ED:12 You IP: 192.168.1.4/24
  477: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  478: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  479: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  480: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  481: Wait DHCPOFFER timeout. Resending DHCPDISCOVER.
  482: 
  483: WARNING: Failed to take away all the IP addresses assigned by DHCP server.
  484: Perhaps DHCP server checks availability of IP addresses by sending ARP-request
  485: before assigning them. Try to restart dhcpdrop later. If it doesn't help
  486: try to disconnect problem hosts temporarily, then send manually DHCPRELEASE
  487: from address of this hosts (use option -R) and restart dhcdrop.
  488: 
  489: Finished.
  490: .fi
  491: 
  492: Explanation of the results of the program's operation.
  493: 
  494: After the message "Trying to use aggressive mode" is printed, an ARP scan of the subnet
  495: served by the illegal DHCP server, in the stated range, starts.
  496: As a result 4 hosts are found, including the DHCP server itself (the first host).
  497: Then dhcdrop sends a DHCPRELEASE message to the server 192.168.1.1 from the addresses
  498: (Ethernet & IP) of all the hosts found in the subnet except the DHCP server itself and pauses
  499: execution for 60 seconds. The timeout is necessary because some DHCP servers hold off giving out
  500: an IP address to a new client for a short period after receiving DHCPRELEASE from
  501: the previous client. If necessary, the timeout value can be changed with the
  502: .B -w
  503: option. When the timeout expires, dhcdrop starts the process of obtaining the released IP addresses.
  504: We succeeded in obtaining IP addresses 192.168.1.5 (it was received initially when
  505: starting the program), 192.168.1.3 and 192.168.1.4. The last two addresses were
  506: successfully released by the server after it received the DHCPRELEASE messages generated by
  507: dhcdrop. We failed to obtain the address 192.168.1.200, in spite of the presence of this host
  508: in the network and the fact that a DHCPRELEASE message was sent from its address. One of
  509: the reasons for failure is described in the warning at the end of the program's output:
  510: before giving out an address, the DHCP server can check whether a host with the requested IP
  511: address exists, and give out the address only if such a host is absent
  512: from the network. Otherwise a new lease for this address will not be given out. In this
  513: situation it can help to disconnect the problem hosts from the network manually and send DHCPRELEASE
  514: messages from these hosts' addresses to the server (see an example below).
  515: After this it is necessary to restart the process of obtaining IP addresses.
  516: But in our case the problem lies elsewhere. The host 192.168.1.200 has a statically set
  517: IP address and so it has never requested a configuration from the DHCP server.
  518: The legal network has to be stated when launching aggressive mode
  519: in order to check whether the address range given out by the illegal DHCP server overlaps the
  520: address range of the subnet where it was discovered. If the address ranges overlap,
  521: the ARP scan will also cover hosts that have the correct configuration
  522: and will output incorrect information. For this reason, if the address ranges are found to
  523: overlap, aggressive mode will not be launched.
  524: 
  525: \fISending DHCPRELEASE message\fP
  526: .sp
  527: You may need to send a DHCPRELEASE message manually, for example
  528: for the reason mentioned in the previous example. You can do it with the
  529: .B -R
  530: option:
  531: 
  532: .nf
  533: $ sudo dhcdrop -i eth1 -R -s 192.168.1.1 -F 192.168.1.4 00:2D:1C:80:ED:12
  534: Using interface: 'eth1'
  535: Send DHCPRELEASE from 00:2D:1C:80:ED:12 client IP 192.168.1.4 to DHCP server 192.168.1.1
  536: Finished.
  537: .fi
  538: 
  539: Option
  540: .B -s
  541: sets the server's IP address,
  542: .B -F
  543: sets the DHCP client's IP address, and 00:2D:1C:80:ED:12 sets the client's Ethernet address.
  544: As a result a packet like this will be sent on the network:
  545: .nf
  546: 
  547: 16:13:43.887735 00:2d:1c:80:ed:12 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 
  548: (tos 0x10, ttl 64, id 29807, offset 0, flags [none], proto UDP (17), length 328) 
  549: 0.0.0.0.68 > 192.168.1.1.67: BOOTP/DHCP, Request from 00:2d:1c:80:ed:12, 
  550: length 300, xid 0xb2f04a28, Flags [none]
  551:     Client-IP 192.168.1.4
  552:     Client-Ethernet-Address 00:2d:1c:80:ed:12
  553:     Vendor-rfc1048 Extensions
  554:     Magic Cookie 0x63825363
  555:     DHCP-Message Option 53, length 1: Release
  556:     Server-ID Option 54, length 4: 192.168.1.1
  557:     Client-ID Option 61, length 7: ether 00:2d:1c:80:ed:12
  558: .fi
  559: 
  560: \fIScanning the network's segment\fP
  561: .sp
  562: You can use an ARP scan of the network to search for clients that received incorrect configuration information. This is done with the
  563: .B -S
  564: option:
  565: 
  566: .nf
  567: $ dhcdrop -i eth1 -S 192.168.1.0/24
  568: Using interface: 'eth1'
  569: Starting ARP-scanning for subnet 192.168.1.0/24.
  570: IP address range 192.168.1.0 - 192.168.1.255.
  571: WARNING: Source IP is not set (use option -F).
  572: Using random value for source IP address: 192.168.1.195
  573: 1. Received ARP-reply from: 00:1e:2a:52:c8:ca (192.168.1.1).
  574: 2. Received ARP-reply from: 00:a0:c5:30:52:90 (192.168.1.200).
  575: Finished.
  576: .fi
  577: 
  578: As the warning printed by the program at launch says, the source
  579: IP address was not set. Because of this dhcdrop chooses a random IP address from the address
  580: range of the stated subnet. If you need to set a source address, use the
  581: .B -F
  582: option. For this kind of scanning the actual routing settings of your network are not
  583: important. The interface set by option
  584: .B -i
  585: will always be used, on the assumption that the hosts of the
  586: mentioned subnet are in the same Ethernet segment as the host where dhcdrop
  587: is being run. This option also makes it possible to discover duplicate IP addresses in
  588: the same segment of the network even if the scan is being done from the host
  589: whose IP address is being duplicated by another host.
  590: .SH AUTHOR
  591: This program was written by Roman Chebotarev <roma@ultranet.ru>
  592: .SH REPORTING BUGS
  593: Any bugs/remarks/suggestions/wishes concerning this program please send to 
  594: <roma@ultranet.ru>
  595: .SH MAN FILE
  596: This manual page was made by Andrew Clark <andyc@altlinux.org>,
  597: based on the articles of the author of the program,
  598: web page http://www.netpatch.ru/en/dhcdrop.html
  599: .SH TRANSLATION
  600: The translation from Russian into English was made by Anna Makhtinger <mailmnoo@rambler.ru>
