Router sends packets on port 67 (bootps) to me.Huh?

robin_listas · June 27, 2015, 11:54am

Hi,

I’m not at my home, and I noticed this in the firewall log:


<0.4> 2015-06-27 10:16:01 minas-tirith kernel - - - [100802.967558] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=0c:……… SRC=192.168.1.1 DST=192.168.1.129 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=57005 PROTO=UDP SPT=67 DPT=68 LEN=308
<0.4> 2015-06-27 10:16:07 minas-tirith kernel - - - [100808.966225] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=0c:……… SRC=192.168.1.1 DST=192.168.1.129 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=57005 PROTO=UDP SPT=67 DPT=68 LEN=308

Port 67 is bootps, and 68 is bootps:


bootps             67/tcp       # Bootstrap Protocol Server  [Bill_Croft] [RFC951]
bootps             67/udp       # Bootstrap Protocol Server
bootpc             68/tcp       # Bootstrap Protocol Client  [Bill_Croft]
bootpc             68/udp       # Bootstrap Protocol Client  [Bill_Croft]

What could it be for? I mean, I know that it is for network bootstraping a machine, but what for would the router need it?

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

deano_ferrari · June 27, 2015, 12:19pm

It think it is related to normal DHCP traffic.

robin_listas · June 27, 2015, 12:34pm

On 2015-06-27 12:26, deano ferrari wrote:
>
> It think it is related to normal DHCP traffic.

I don’t see it in my own home router :-?

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

arvidjaar · June 27, 2015, 1:19pm

And what is 192.168.1.129? Is it server from which you post logs?

robin_listas · June 27, 2015, 1:44pm

On 2015-06-27 13:26, arvidjaar wrote:
>
> And what is 192.168.1.129? Is it server from which you post logs?

Oops, I forgot to say. Yes, it is the machine where I see the logs (and
gets the packets). And the 192.168.1.1 is the router.

Only that it is a laptop, and certainly doesn’t boot from network.
Unless… unless the BIOS (it is a Compaq) has that option and queries
the network on boot. But I get the firewall hit somewhat later than that.

I booted at 09:58:55, and the hit was 10:16:01. That’s about the time
the cron jobs would run, this is a 13.1 machine.

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

arvidjaar · June 27, 2015, 2:04pm

Ports 67 and 68 are used by BOOTP and DHCP and the first application is to obtain IP address and other information; it does not mean client wants to boot from network. As this is directed packet it should be reply from server to some client request. I am not sure whether DHCP server sends any unsolicited packet to client on its own. Sniffing traffic could probably tell more.

robin_listas · June 27, 2015, 8:07pm

On 2015-06-27 14:06, arvidjaar wrote:
>
> robin_listas;2717083 Wrote:
>> certainly doesn’t boot from network.
>
> Ports 67 and 68 are used by BOOTP and DHCP and the first application is
> to obtain IP address and other information; it does not mean client
> wants to boot from network. As this is directed packet it should be
> reply from server to some client request. I am not sure whether DHCP
> server sends any unsolicited packet to client on its own. Sniffing
> traffic could probably tell more.

I’ll try.

It can not be dhcp, as the firewall blocks it, yet dhcp works.
However, you are certainly in the right track, as the message log shows corresponding events:


<0.4> 2015-06-27 19:05:51 minas-tirith kernel - - - [113895.173874] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=……… SRC=192.168.1.1 DST=192.168.1.129 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=57005 PROTO=UDP SPT=67 DPT=68 LEN=308

And


<3.6> 2015-06-27 19:05:51 minas-tirith dhclient 28653 - -  DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 5
<3.6> 2015-06-27 19:05:51 minas-tirith dhclient 28653 - -  DHCPOFFER from 192.168.1.1
<3.6> 2015-06-27 19:05:56 minas-tirith dhclient 28653 - -  DHCPREQUEST on wlan0 to 255.255.255.255 port 67
<3.6> 2015-06-27 19:05:57 minas-tirith dhclient 28653 - -  DHCPACK from 192.168.1.1
<3.5> 2015-06-27 19:05:57 minas-tirith dbus 1294 - -  [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
<3.6> 2015-06-27 19:05:57 minas-tirith dhclient 28653 - -  bound to 192.168.1.129 -- renewal in 1392 seconds.
<3.6> 2015-06-27 19:05:57 minas-tirith systemd 1 - -  Starting Network Manager Script Dispatcher Service...
<3.5> 2015-06-27 19:05:57 minas-tirith dbus 1294 - -  [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
<3.6> 2015-06-27 19:05:57 minas-tirith systemd 1 - -  Started Network Manager Script Dispatcher Service.

By the timestamp, it has to be “dhcp discover”

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

arvidjaar · June 27, 2015, 8:58pm

DHCPDISCOVER is broadcast by client and here is unicast from server to client. If anything, it seems to be rather DHCPOFFER. But packet trace would be interesting.

robin_listas · June 27, 2015, 11:38pm

On 2015-06-27 21:06, arvidjaar wrote:
>
> robin_listas;2717116 Wrote:
>>
>> By the timestamp, it has to be “dhcp discover”
>>
>
> DHCPDISCOVER is broadcast by client and here is unicast from server to
> client. If anything, it seems to be rather DHCPOFFER. But packet trace
> would be interesting.

I now have a wireshark capture. I have marked the packages, so I guess I
could save just that block. What would be the best format for pasting here?

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

arvidjaar · June 28, 2015, 8:49am

Original pcap would be the best.

robin_listas · June 28, 2015, 1:34pm

On 2015-06-28 08:56, arvidjaar wrote:
>
> Original pcap would be the best.

Seems to be binary, can’t paste here. I’ll try to upload to susepaste.


minas-tirith:~ # file capture.pcap
capture.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 262144)

Can’t upload.


An Error Was Encountered

Uploading failed!!!
Only gif|jpg|png|jpeg|svg files smaller then 1024k are allowed for this time interval. Allowed file size depends on expiration time.

It is not a photo, it is not text, so susepaste does not allow it.

I can just email it, it is 1236 bytes…

Mmm. I’ll try uuencode. Shows my age


cer@minas-tirith:~> uuencode /tmp/capture.pcap capture

cer@minas-tirith:~>

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

robin_listas · June 28, 2015, 4:24pm

On 2015-06-28 13:34, Carlos E. R. wrote:

> Mmm. I’ll try uuencode. Shows my age

Oh? Turned out empty on the web side

Here, then: http://susepaste.org/19816513

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

arvidjaar · June 28, 2015, 7:53pm

Well, apart from several ARP it shows expected


  3 293.390138  192.168.1.1 -> 192.168.1.129 DHCP 342 DHCP Offer    - Transaction ID 0xa902c778
  6 299.411448  192.168.1.1 -> 192.168.1.129 DHCP 342 DHCP ACK      - Transaction ID 0xa902c778

That’s all. What’s interesting, there is no response from client (I expect DHCPREQUEST from client, and there is no initial DHCPDISCOVER as well). May be it is due to wireshark filters you used.

So it looks like normal DHCP transaction. Why it gets logged, and more interestingly - how client gets these packets if they are apparently dropped by firewall - I do not know.

robin_listas · June 28, 2015, 8:08pm

On 2015-06-28 19:56, arvidjaar wrote:
>
> Well, apart from several ARP it shows expected
> Code:
> --------------------
>
> 3 293.390138 192.168.1.1 → 192.168.1.129 DHCP 342 DHCP Offer - Transaction ID 0xa902c778
> 6 299.411448 192.168.1.1 → 192.168.1.129 DHCP 342 DHCP ACK - Transaction ID 0xa902c778
> --------------------
>
>
> That’s all. What’s interesting, there is no response from client (I
> expect DHCPREQUEST from client, and there is no initial DHCPDISCOVER as
> well). May be it is due to wireshark filters you used.
>
> So it looks like normal DHCP transaction. Why it gets logged, and more
> interestingly - how client gets these packets if they are apparently
> dropped by firewall - I do not know.

Well, I could open the firewall to them; then I’d guess the client would
send the response. Unless there is another response that is not a tcp/ip
package at all, because at the start the client doesn’t have an IP to use.

Yes, the router is sending ARPs to the entire IP range, one by one, and
loop again. What I posted was the section of the event as seen in the
logs, and filtering capture by IP=router_IP.

I don’t know if it is viable to capture half an hour of everything
without limiting the capture filter :-?

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

arvidjaar · June 28, 2015, 9:07pm

Client did send requests DHCPDISCOVER and DHCPREQUEST, otherwise server had not sent replies. But client sends both of them as broadcasts.

Unless there is another response that is not a tcp/ip
package at all, because at the start the client doesn’t have an IP to use.

It is normal IP (not TCP obviously), but client sends them as broadcasts because it does not know anything about server yet. Server may send replies as broadcasts if client tells it to do so.

robin_listas · June 29, 2015, 1:24am

On 2015-06-28 21:16, arvidjaar wrote:

> It is normal IP (not TCP obviously), but client sends them as broadcasts
> because it does not know anything about server yet. Server may send
> replies as broadcasts if client tells it to do so.

I got a better capture, including all packages, not only those including the router address somewhere.

http://susepaste.org/14600937

Also, I opened the firewall to them, so now they are accepted, but reported:


<0.4> 2015-06-29 00:52:50 minas-tirith kernel - - - [146053.353014] SFW2-INext-ACC-TRUST IN=wlan0 OUT= MAC=……… SRC=192.168.1.1 DST=192.168.1.129 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=57005 PROTO=UDP SPT=67 DPT=68 LEN=308
<0.4> 2015-06-29 00:52:56 minas-tirith kernel - - - [146059.358319] SFW2-INext-ACC-TRUST IN=wlan0 OUT= MAC=……… SRC=192.168.1.1 DST=192.168.1.129 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=57005 PROTO=UDP SPT=67 DPT=68 LEN=308

Now, the strange thing is the firewall blocking that, and still working. And the important question for me is whether to leave the port open or not.

(each test requires me to hibernate the machine for an hour or two. It is then, about 15 minutes later or so, that I see the event)

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

lorenzodes · June 30, 2015, 2:48pm

the DHCP client uses raw sockets, it is not affected by a DROP rule in the INPUT / OUTPUT chains of netfilter.

robin_listas · June 30, 2015, 3:41pm

On 2015-06-30 14:56, lorenzodes wrote:
>
> the DHCP client uses raw sockets, it is not affected by a DROP rule in
> the INPUT / OUTPUT chains of netfilter.

Then please explain why the firewall does report it is dropping or
allowing them… You have the link to the capture data available for
study, if you wish.

–
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

lorenzodes · June 30, 2015, 4:06pm

There’s nothing to study, it’s well known, the ISC dhcp client uses raw sockets. This is why DHCP works. This is why, from logs, you can see inbound packets (i.e. from server to client) and not outbound packets.

Raw sockets bypass the TCP/IP stack and thus netfilter.