<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.19190">
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT size=2 face=Arial>Hello,</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>I have a strange situation here because Wireshark
reports a lot of Notes for Malformed DHCP Requests coming from users on our
network. The details for one message look like this:</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>Severity: Note</FONT></DIV>
<DIV><FONT size=2 face=Arial>Group: Malformed</FONT></DIV>
<DIV><FONT size=2 face=Arial>Chats: BOOTP/DHCP</FONT></DIV>
<DIV><FONT size=2 face=Arial>Details: Seconds elapsed (4) appears to be encoded
as little-endian</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>Bootstrap Protocol</FONT></DIV>
<DIV><FONT size=2 face=Arial> Message type: Boot Request
(1)</FONT></DIV>
<DIV><FONT size=2 face=Arial> Hardware Type:
Ethernet</FONT></DIV>
<DIV><FONT size=2 face=Arial> Hardware address length:
6</FONT></DIV>
<DIV><FONT size=2 face=Arial> Hops: 1</FONT></DIV>
<DIV><FONT size=2 face=Arial> Transaction ID:
0x207572a1</FONT></DIV>
<DIV><FONT size=2 face=Arial>Seconds elapsed: 4</FONT></DIV>
<DIV><FONT size=2 face=Arial> [Expert Info (Note/Malformed):
Seconds elapsed (4) appears to be encoded as little-endian]</FONT></DIV>
<DIV><FONT size=2 face=Arial> [Message: Seconds elapsed (4)
appears to be encoded as little-endian]</FONT></DIV>
<DIV><FONT size=2 face=Arial> [Severity level:
Note]</FONT></DIV>
<DIV><FONT size=2 face=Arial> [Group: Malformed]</FONT></DIV>
<DIV><FONT size=2 face=Arial>Bootp flags: 0x8000 (Broadcast)</FONT></DIV>
<DIV><FONT size=2 face=Arial> Client IP address: 0.0.0.0
(0.0.0.0)</FONT></DIV>
<DIV><FONT size=2 face=Arial> Next server IP address: 0.0.0.0
(0.0.0.0)</FONT></DIV>
<DIV><FONT size=2 face=Arial> Relay agent IP address: x.y.z.w
(x.y.z.w) [replaced for confidentiality]</FONT></DIV>
<DIV><FONT size=2 face=Arial> Client MAC address:
AsustekC_62:e4:5b (00:22:15:62:e4:5b)</FONT></DIV>
<DIV><FONT size=2 face=Arial>Client hardware address padding:
00000000000000000000</FONT></DIV>
<DIV><FONT size=2 face=Arial>Server host name not given</FONT></DIV>
<DIV><FONT size=2 face=Arial>Boot file name not given</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>Would anyone be so kind as to let me know what is
causing the "Malformed" detection and what we can do in order to fix this issue?
</FONT></DIV>
<DIV><FONT size=2 face=Arial>We use Sandvine for subscriber mapping and their
DPI engine has difficulty correctly mapping the dynamically assigned IPs due to these
Malformed DHCP packets.</FONT></DIV>
<DIV><FONT size=2 face=Arial></FONT> </DIV>
<DIV><FONT size=2 face=Arial>Thank you in advance for any answer that can help
us fix this problem,</FONT></DIV>
<DIV><FONT size=2 face=Arial>Julian</FONT></DIV></BODY></HTML>