BOOTP/DHCP Malformed

Glenn Satchell glenn.satchell at
Sun May 20 11:23:55 UTC 2012

I seem to recall this was a known problem with particular older microsoft
clients where the seconds elapsed field is not written in network byte
order. There was a patch put to the list, but don't recall if this was
ever rolled into ISC dhcpd to recognise the reversed bytes and reverse
them internally.


Due to the nature of the bug, and widespread distribution in the client
base, I doubt that this is the real cause of your problem.


> Hello,
> I have a strange situation here because Wireshark reports a lot of Notes
> for Malformed DHCP Requests coming from users on our network. The details
> for one messege look like this:
> Severity: Note
> Group: Malformed
> Details: Seconds elapsed (4) appears to be encoded as little-endian
> Bootstrap Protocol
>     Message type: Boot Request (1)
>     Hardware Type: Ethernet
>     Hardware address length: 6
>     Hops: 1
>     Transaction ID: 0x207572a1
> Seconds elapsed: 4
>     [Expert Info (Note/Malformed): Seconds elapsed (4) appears to be
> encoded as little-endian]
>     [Message: Seconds elapsed (4) appears to be encoded as little-endian]
>     [Severity level: Note]
>     [Group: Malformed]
> Bootp flags: 0x8000 (Broadcast)
>     Client IP address: (
>     Next server IP address: (
>     Relay agent IP address: x.y.z.w (x.y.z.w) [replaced for
> confidentiality]
>     Client MAC address: AsustekC_62:e4:5b (00:22:15:62:e4:5b)
> Client hardware address padding: 00000000000000000000
> Server host name not given
> Boot file name not given
> Would anyone be so kind to let me know what is causing the "Malformed"
> detection and what can we do in order to fix this issue.
> We use Sandvine for subscribers mapping and their DPI engine has
> dificulties to correct map the dynamic assigned IPs due to these Malformed
> DHCP packets.
> Thank you in advance for any answer that can help us fix this problem,
> Julian_______________________________________________
> dhcp-users mailing list
> dhcp-users at

More information about the dhcp-users mailing list