BOOTP/DHCP Malformed

ic.nssip ic.nssip at
Tue May 22 16:03:12 UTC 2012

Hi Glenn,

At some point I thought it is a problem with Wireshark DHCP Dissector, but I 
couldn't find anything which said that such a bug was ever found or/and 

Thank you,

----- Original Message ----- 
From: "Glenn Satchell" <glenn.satchell at>
To: "Users of ISC DHCP" <dhcp-users at>
Sent: Sunday, May 20, 2012 4:23 AM
Subject: Re: BOOTP/DHCP Malformed

>I seem to recall this was a known problem with particular older microsoft
> clients where the seconds elapsed field is not written in network byte
> order. There was a patch put to the list, but don't recall if this was
> ever rolled into ISC dhcpd to recognise the reversed bytes and reverse
> them internally.
> See:
> and
> Due to the nature of the bug, and widespread distribution in the client
> base, I doubt that this is the real cause of your problem.
> regards,
> -glenn
>> Hello,
>> I have a strange situation here because Wireshark reports a lot of Notes
>> for Malformed DHCP Requests coming from users on our network. The details
>> for one messege look like this:
>> Severity: Note
>> Group: Malformed
>> Chats: BOOTP/DHCP
>> Details: Seconds elapsed (4) appears to be encoded as little-endian
>> Bootstrap Protocol
>>     Message type: Boot Request (1)
>>     Hardware Type: Ethernet
>>     Hardware address length: 6
>>     Hops: 1
>>     Transaction ID: 0x207572a1
>> Seconds elapsed: 4
>>     [Expert Info (Note/Malformed): Seconds elapsed (4) appears to be
>> encoded as little-endian]
>>     [Message: Seconds elapsed (4) appears to be encoded as little-endian]
>>     [Severity level: Note]
>>     [Group: Malformed]
>> Bootp flags: 0x8000 (Broadcast)
>>     Client IP address: (
>>     Next server IP address: (
>>     Relay agent IP address: x.y.z.w (x.y.z.w) [replaced for
>> confidentiality]
>>     Client MAC address: AsustekC_62:e4:5b (00:22:15:62:e4:5b)
>> Client hardware address padding: 00000000000000000000
>> Server host name not given
>> Boot file name not given
>> Would anyone be so kind to let me know what is causing the "Malformed"
>> detection and what can we do in order to fix this issue.
>> We use Sandvine for subscribers mapping and their DPI engine has
>> dificulties to correct map the dynamic assigned IPs due to these 
>> Malformed
>> DHCP packets.
>> Thank you in advance for any answer that can help us fix this problem,
>> Julian_______________________________________________
>> dhcp-users mailing list
>> dhcp-users at
> _______________________________________________
> dhcp-users mailing list
> dhcp-users at

More information about the dhcp-users mailing list