[Kea-users] Kea DHCP forensic logging

Jim Springsteen jim.springsteen at southslope.com
Wed Jan 29 14:44:43 UTC 2025


Darren,

I have been trying to use a customized response-parser-format, but I can't find good documentation on the options I can use to get all the DORA of the DHCP process.

This is what I have for the response-parser-format:


> "request-parser-format": "hexstring(pkt4.mac, ':') + ' / ' + addrtotext(pkt4.ciaddr) + ' / ' + relay4[1].hex + ' / ' + addrtotext(pkt4.giaddr)"

Do you have any suggestions on how I should alter the above command to get the entire DORA logging?



Thanks,
Jim Springsteen
Data Administrator

jim.springsteen at southslope.com | southslope.com
319-626-2211 main | 319-665-5334 direct
980 North Front St, North Liberty, IA 52317



-----Original Message-----
From: Kea-users <kea-users-bounces at lists.isc.org> On Behalf Of kea-users-request at lists.isc.org
Sent: Wednesday, January 29, 2025 6:00 AM
To: kea-users at lists.isc.org
Subject: Kea-users Digest, Vol 127, Issue 26

Message: 1
Date: Tue, 28 Jan 2025 21:07:02 -0500
From: Darren Ankney <darren.ankney at gmail.com>
To: "Kea user's list" <kea-users at lists.isc.org>
Subject: Re: [Kea-users] Kea DHCP forensic logging
Message-ID:
        <CAKabWHj78vuejQqLF9sUKV+EcT45vT+9fA+698cPbg5_fwJyrQ at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi Jim,

I think, if I recall correctly, that DISCOVER are not logged by the legal log.  I think if you supply a customized response-parser-format, you'll see the option 82 from the OFFER logged.

Thank you,
Darren Ankney

On Tue, Jan 28, 2025 at 4:51 PM Jim Springsteen <jim.springsteen at southslope.com> wrote:
>
> After looking at the capture that is attached, I see that the 
> information that I need logged is coming in as Option 82 suboption 9 
> (vendor information)
>
> I did add a request-parser-format line (see that below):
>
> "request-parser-format": "hexstring(pkt4.mac, ':') + ' / ' + addrtotext(pkt4.ciaddr) + ' / ' + relay4[1].hex + ' / ' + addrtotext(pkt4.giaddr)"
>
> With this I was able to get the info in the forensics log, but the discover comes across like this in the log:
>
> 2025-01-28 15:36:37 CST  / 80:e8:2c:b0:fd:67 / 0.0.0.0 /  / 198.49.62.1
>
> I don't see the info until I do a renewal of the dhcp client, then I see this:
>
> 2025-01-28 15:48:11 CST 80:e8:2c:b0:fd:67 / 67.55.241.229 / NLCOTest-E7-LAB:1/2/1/CXNK0029E3A6/g2 / 0.0.0.0
> 2025-01-28 15:48:12 CST 80:e8:2c:b0:fd:67 / 67.55.241.229 / NLCOTest-E7-LAB:1/2/1/CXNK0029E3A6/g2 / 0.0.0.0
> 2025-01-28 15:48:13 CST 80:e8:2c:b0:fd:67 / 67.55.241.229 / NLCOTest-E7-LAB:1/2/1/CXNK0029E3A6/g2 / 0.0.0.0
> 2025-01-28 15:48:16 CST 80:e8:2c:b0:fd:67 / 67.55.241.229 /  / 198.49.62.1
>
> Thanks,
> Jim Springsteen
> Data Administrator
>
> jim.springsteen at southslope.com | southslope.com
> 319-626-2211 main | 319-665-5334 direct
> 980 North Front St, North Liberty, IA 52317
>
>
>
> -----Original Message-----
> From: Kea-users <kea-users-bounces at lists.isc.org> On Behalf Of 
> kea-users-request at lists.isc.org
> Sent: Friday, January 24, 2025 5:08 AM
> To: kea-users at lists.isc.org
> Subject: Kea-users Digest, Vol 127, Issue 21
>
> Message: 1
> Date: Thu, 23 Jan 2025 13:27:59 -0500
> From: Darren Ankney <darren.ankney at gmail.com>
> To: "Kea user's list" <kea-users at lists.isc.org>
> Subject: Re: [Kea-users] Kea DHCP forensic logging
> Message-ID: <CAKabWHgxHf8KytQqziheo+EVxwTxZ8zdNiK1KS6-QGy_R7CpZQ at mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi Jim,
>
> Could you provide a .pcap file showing the DORA exchange from some client that contains this option 82 data?  I would like to see what is different.  It should look something like this:
>
> 2025-01-23 17:58:28 UTC Address: 192.168.20.113 has been assigned for 8 hrs 0 mins 0 secs to a device with hardware address: hwtype=1 d2:4d:e0:33:23:dc connected via relay at address: 192.168.20.1, identified by circuit-id: 69:67:63:30:2e:32:30 (igc0.20), context: { "ISC": { "relay-agent-info": { "sub-options": "0x0107696763302E3230" } } }
>
> Note that the ASCII of the circuit-id is shown in parenthesis 
> following the hex circuit-id
>
> It is possible that yours is encoded differently?  You might need to make a custom "request-parser-format", "response-parser-format", or both (see here:
> https://kea.readthedocs.io/en/kea-2.6.1/arm/hooks.html#configuring-the-forensic-logging-hooks).
> These use the same expression syntax as client-classification (see
> here: https://kea.readthedocs.io/en/kea-2.6.1/arm/classify.html#using-expressions-in-classification).
>
> Thank you,
> Darren Ankney
>
>
> On Tue, Jan 21, 2025 at 4:34 PM Jim Springsteen <jim.springsteen at southslope.com> wrote:
> >
> > Darren,
> >
> >
> >
> > I appreciate your response.  I did follow the example and this is what I have in my config:
> >
> >     "hooks-libraries": [
> >        {
> >            "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_legal_log.so",
> >            "parameters": {
> >                "path": "/var/log/kea",
> >                "base-name": "kea-forensic4"
> >            }
> >        },
> >
> > But in my kea-forensic4 log, I have this entry:
> >
> > "identified by circuit-id: 00:04:00:00:00:06 and remote-id: 00:06:ac:3a:67:d6:de:f2"
> >
> >
> >
> > I have confirmed via tcpdump that the server is receiving a string of characters as the circuit ID from my access gear.
> >
> >
> >
> > I am not sure what I am missing.
> >
> >
> >
> > Thanks,
> >
> > Jim Springsteen
> >
> > Data Administrator
> >
> >
> >
> > jim.springsteen at southslope.com | southslope.com
> >
> > 319-626-2211 main | 319-665-5334 direct
> >
> > 980 North Front St, North Liberty, IA 52317
> >
> >
> >
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Fri, 24 Jan 2025 11:07:59 +0000
> From: DDFR | Ronald Blaas <ronald.blaas at ddfr.nl>
> To: "kea-users at lists.isc.org" <kea-users at lists.isc.org>
> Subject: [Kea-users] Option 125 suboption 1 not send
> Message-ID: <AM9PR04MB858585936B5E37857BE75E558BE32 at AM9PR04MB8585.eurprd04.prod.outlook.com>
>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi all
>
> I must be forgetting something..
>
> I have 2 types of Genexis CPEs, the 2410 and the 3410
>
> Configuring option125 sub 2 and 4 for the Genexis 3410 are working as 
> planned
>
> But somehow I can't get the option125 sub1 working for the Genexis 
> 2410
>
> Looking at a Wireshark I see that option125 isn't even sent to the client.
> Looking in the kea dhcp log I do see that the client is a member of the correct client-class.
>
>
> I might be overlooking something.
>
> Anyone an idea?
>
> Relative config below:
> (kea-dhcp.conf)
> "option-def": [
>         {
>             "array": false,
>             "code": 1,
>             "name": "gaps",
>             "space": "vendor-25167",
>             "type": "string"
>         },
> ......
>
> "client-classes": [
>         {
>             "name": "Genexis-Gaps",
>             "test": "(substring(option[60].hex,0,6) == 'geneos')",
>             "option-data": [
>                 {
>                     "name": "gaps",
>                     "space": "vendor-25167",
>                     "data": "s=xx.xx.xx.xx;v=108",
>                     "always-send": true
>                 }
>             ]
>         },
>
>
> Regards,
>
> Ronald
>
>


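Added example (not from the thread or from the Kea project): a Python decoder for the option 82 `sub-options` hex string that the legal log writes into its `context` field, reproducing the hex and ASCII renderings of the circuit-id and remote-id seen in the thread. The function names and the two samples marked constructed are assumptions; sub-option 9 is laid out as in RFC 4243.

```python
import json
import struct

NAMES = {1: "circuit-id", 2: "remote-id", 9: "vendor-specific"}  # RFC 3046, RFC 4243

def text_or_none(raw):
    """ASCII text when every byte is printable, else None (binary-encoded ID)."""
    return raw.decode("ascii") if raw and all(0x20 <= b < 0x7F for b in raw) else None

def parse_vendor(raw):
    """Sub-option 9 payload: repeated enterprise-number(4) + data-len(1) + data."""
    blocks, i = [], 0
    while i < len(raw):
        if i + 5 > len(raw) or i + 5 + raw[i + 4] > len(raw):
            raise ValueError("truncated vendor block")
        enterprise, n = struct.unpack_from("!IB", raw, i)
        blocks.append({"enterprise": enterprise, "text": text_or_none(raw[i + 5:i + 5 + n])})
        i += 5 + n
    return blocks

def parse_option82(sub_options):
    """Walk the code/length/value triples of a relay-agent-info hex string."""
    raw = bytes.fromhex(sub_options[2:] if sub_options.startswith("0x") else sub_options)
    found, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated sub-option at offset %d" % i)
        code, n = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + n]
        item = {"code": code, "name": NAMES.get(code, "unknown"),
                "hex": value.hex(":"), "text": text_or_none(value)}
        if code == 9:
            item["vendor"] = parse_vendor(value)
        found.append(item)
        i += 2 + n
    return found

def from_log_line(line):
    """Decode the JSON that follows 'context: ' in a default-format log entry."""
    context = json.loads(line.split("context: ", 1)[1])
    return parse_option82(context["ISC"]["relay-agent-info"]["sub-options"])

# Tail of the log entry Darren quoted in the thread.
THREAD_LINE = ('identified by circuit-id: 69:67:63:30:2e:32:30 (igc0.20), context: '
               '{ "ISC": { "relay-agent-info": { "sub-options": "0x0107696763302E3230" } } }')
# Constructed: the circuit-id and remote-id bytes from Jim's log entry, re-encoded as TLVs.
BINARY_IDS = "0x010600040000000602080006ac3a67d6def2"
# Constructed: sub-option 9 carrying "demo-port-1" under documentation enterprise 32473.
VENDOR_SAMPLE = "0x091000007ed90b64656d6f2d706f72742d31"
```

A `text` of `None` marks an identifier that the relay sent as raw bytes rather than as a printable string, so it can only be matched against access-gear records in hex.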