(OK-HALF) To Find a Rogue DHCP Server—tcpdump/dhclient—nmap
nmap -sP 10.108.160.0/22
tcpdump -i enp13s0 -nev >> /tmp/rogue
++++++++++++++
Rogue DHCP Server MAC: c8:3a:35:11:70:00
All MAC addresses starting with C8-3A-35 belong to Tenda Technology Co.,
++++++++++++++
tcpdump -i enp13s0 -nev udp port 68 >> /tmp/rogue 2>&1 &
arping -i eth1 00:E0:29:XX:YY:ZZ
nmap -sP 192.168.0.0/24 >/dev/null && arp -an | grep c8:3a:35:11:70:00 | awk '{print $2}' | sed 's/[()]//g'
++++++++++++++ Tenda MAC address list
Vendor: TendaTec Mac address: C8:3A:35
++++++++++++++ TP-Link MAC address list
Vendor: Tp-LinkT Mac address: 00:19:E0
Vendor: Tp-LinkT Mac address: 00:1D:0F
Vendor: Tp-LinkT Mac address: 00:21:27
Vendor: Tp-LinkT Mac address: 00:23:CD
Vendor: Tp-LinkT Mac address: 00:25:86
Vendor: Tp-LinkT Mac address: 00:27:19
Vendor: Tp-LinkT Mac address: 40:16:9F
Vendor: Tp-LinkT Mac address: 54:E6:FC
Vendor: Tp-LinkT Mac address: 74:EA:3A
Vendor: Tp-LinkT Mac address: 94:0C:6D
Vendor: Tp-LinkT Mac address: B0:48:7A
Vendor: Tp-LinkT Mac address: D8:5D:4C
Vendor: Tp-LinkT Mac address: E0:05:C5
Vendor: Tp-LinkT Mac address: F4:EC:38
++++++++++++++++++++++++++++
+++++++++++++++++++ Abnormal
[root@localhost core]# tcpdump -i enp13s0 -nev udp port 68
tcpdump: listening on enp13s0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:56:13.405651 3c:97:0e:f0:b5:bb > c8:3a:35:11:70:00, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 56976, offset 0, flags [DF], proto UDP (17), length 328)
192.168.0.111.bootpc > 192.168.0.1.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0x292e3d42, Flags [none]
Client-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Release
Server-ID Option 54, length 4: 192.168.0.1
08:56:23.516772 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xb5d8ea1c, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Requested-IP Option 50, length 4: 192.168.0.111
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
08:56:23.526530 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0xb5d8ea1c, Flags [none]
Your-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 192.168.0.1
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 192.168.0.1
Domain-Name-Server Option 6, length 8: 192.168.0.1,192.168.0.1
MTU Option 26, length 2: 1500
08:56:23.526667 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xb5d8ea1c, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: 192.168.0.1
Requested-IP Option 50, length 4: 192.168.0.111
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
08:56:23.536296 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0xe0, ttl 255, id 12000, offset 0, flags [none], proto UDP (17), length 328)
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb5d8ea1c, Flags [Broadcast]
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.2
MSG Option 56, length 31: "requested address not available"
08:56:23.537153 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0xe0, ttl 255, id 12001, offset 0, flags [none], proto UDP (17), length 328)
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb5d8ea1c, Flags [Broadcast]
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.31
MSG Option 56, length 31: "requested address not available"
08:56:23.550490 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0xb5d8ea1c, Flags [none]
Your-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 192.168.0.1
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 192.168.0.1
Domain-Name-Server Option 6, length 8: 192.168.0.1,192.168.0.1
MTU Option 26, length 2: 1500
08:56:23.961106 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0x2bdda24d, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
08:56:23.970519 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0x2bdda24d, Flags [none]
Your-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 192.168.0.1
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 192.168.0.1
Domain-Name-Server Option 6, length 8: 192.168.0.1,192.168.0.1
MTU Option 26, length 2: 1500
08:56:23.970708 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0x2bdda24d, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: 192.168.0.1
Requested-IP Option 50, length 4: 192.168.0.111
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
08:56:23.979893 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0xe0, ttl 255, id 12006, offset 0, flags [none], proto UDP (17), length 328)
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0x2bdda24d, Flags [Broadcast]
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.31
MSG Option 56, length 31: "requested address not available"
08:56:23.980828 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0xe0, ttl 255, id 12007, offset 0, flags [none], proto UDP (17), length 328)
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0x2bdda24d, Flags [Broadcast]
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.2
MSG Option 56, length 31: "requested address not available"
08:56:23.994474 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0x2bdda24d, Flags [none]
Your-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 192.168.0.1
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 192.168.0.1
Domain-Name-Server Option 6, length 8: 192.168.0.1,192.168.0.1
MTU Option 26, length 2: 1500
08:56:24.525846 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 12032, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xb5d8ea1c, Flags [none]
Your-IP 10.108.162.164
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 10.3.9.2
Lease-Time Option 51, length 4: 6878
Subnet-Mask Option 1, length 4: 255.255.252.0
BR Option 28, length 4: 10.108.163.255
Domain-Name Option 15, length 11: "bupt.edu.cn"
Domain-Name-Server Option 6, length 12: 10.3.9.4,10.3.9.5,10.3.9.6
NTP Option 42, length 4: 10.3.9.9
Default-Gateway Option 3, length 4: 10.108.160.1
+++++++++++++++++++++++++++++++
[root@localhost core]# tcpdump -i enp13s0 -nev udp port 68 >> /tmp/rogue 2>&1 &
[root@localhost core]# cat /tmp/rogue
[root@localhost core]# tcpdump -i enp13s0 -nev udp port 68
tcpdump: WARNING: enp13s0: no IPv4 address assigned
tcpdump: listening on enp13s0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:57:50.318066 74:27:ea:ac:07:52 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 9019, offset 0, flags [none], proto UDP (17), length 328)
10.108.163.64.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 74:27:ea:ac:07:52, length 300, xid 0x460dbace, Flags [none]
Client-IP 10.108.163.64
Client-Ethernet-Address 74:27:ea:ac:07:52
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Inform
Client-ID Option 61, length 7: ether 74:27:ea:ac:07:52
Hostname Option 12, length 12: "xiaoyifei-PC"
Vendor-Class Option 60, length 8: "MSFT 5.0"
Parameter-Request Option 55, length 13:
Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
Option 252
08:57:50.733654 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xbdc7c05e, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Requested-IP Option 50, length 4: 192.168.0.111
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
08:57:50.742946 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0xbdc7c05e, Flags [none]
Your-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 192.168.0.1
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 192.168.0.1
Domain-Name-Server Option 6, length 8: 192.168.0.1,192.168.0.1
MTU Option 26, length 2: 1500
08:57:50.743076 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xbdc7c05e, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: 192.168.0.1
Requested-IP Option 50, length 4: 192.168.0.111
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
08:57:50.766898 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0xbdc7c05e, Flags [none]
Your-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 192.168.0.1
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 192.168.0.1
Domain-Name-Server Option 6, length 8: 192.168.0.1,192.168.0.1
MTU Option 26, length 2: 1500
08:57:50.773417 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0xe0, ttl 255, id 14201, offset 0, flags [none], proto UDP (17), length 328)
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xbdc7c05e, Flags [Broadcast]
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.31
MSG Option 56, length 31: "requested address not available"
08:57:50.774332 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0xe0, ttl 255, id 14202, offset 0, flags [none], proto UDP (17), length 328)
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xbdc7c05e, Flags [Broadcast]
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.2
MSG Option 56, length 31: "requested address not available"
08:57:51.745699 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 14219, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xbdc7c05e, Flags [none]
Your-IP 10.108.162.164
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 10.3.9.2
Lease-Time Option 51, length 4: 6791
Subnet-Mask Option 1, length 4: 255.255.252.0
BR Option 28, length 4: 10.108.163.255
Domain-Name Option 15, length 11: "bupt.edu.cn"
Domain-Name-Server Option 6, length 12: 10.3.9.4,10.3.9.5,10.3.9.6
NTP Option 42, length 4: 10.3.9.9
Default-Gateway Option 3, length 4: 10.108.160.1
08:57:58.891406 3c:97:0e:a6:bf:95 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 22516, offset 0, flags [none], proto UDP (17), length 328)
10.108.162.31.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:a6:bf:95, length 300, xid 0x34f84154, Flags [none]
Client-IP 10.108.162.31
Client-Ethernet-Address 3c:97:0e:a6:bf:95
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Inform
Client-ID Option 61, length 7: ether 3c:97:0e:a6:bf:95
Hostname Option 12, length 3: "ytx"
Vendor-Class Option 60, length 8: "MSFT 5.0"
Parameter-Request Option 55, length 13:
Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
Option 252
++++++++++++++++++++ Normal
[root@localhost core]# cat /tmp/rogue
tcpdump: listening on enp13s0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:03:31.867877 3c:97:0e:f0:b5:bb > 00:0f:e2:6a:09:78, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 32929, offset 0, flags [DF], proto UDP (17), length 328)
10.108.162.164.bootpc > 192.168.0.1.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0x4d825b75, Flags [none]
Client-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Release
Server-ID Option 54, length 4: 192.168.0.1
09:03:35.721679 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xf7a09f4e, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Requested-IP Option 50, length 4: 192.168.0.111
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
09:03:36.730560 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 23033, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xf7a09f4e, Flags [none]
Your-IP 10.108.162.164
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 10.3.9.2
Lease-Time Option 51, length 4: 6446
Subnet-Mask Option 1, length 4: 255.255.252.0
BR Option 28, length 4: 10.108.163.255
Domain-Name Option 15, length 11: "bupt.edu.cn"
Domain-Name-Server Option 6, length 12: 10.3.9.4,10.3.9.5,10.3.9.6
NTP Option 42, length 4: 10.3.9.9
Default-Gateway Option 3, length 4: 10.108.160.1
09:03:36.730688 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xf7a09f4e, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: 10.3.9.2
Requested-IP Option 50, length 4: 10.108.162.164
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
09:03:36.741608 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 23037, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xf7a09f4e, Flags [none]
Your-IP 10.108.162.164
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 10.3.9.2
Lease-Time Option 51, length 4: 6445
Subnet-Mask Option 1, length 4: 255.255.252.0
BR Option 28, length 4: 10.108.163.255
Domain-Name Option 15, length 11: "bupt.edu.cn"
Domain-Name-Server Option 6, length 12: 10.3.9.4,10.3.9.5,10.3.9.6
NTP Option 42, length 4: 10.3.9.9
Default-Gateway Option 3, length 4: 10.108.160.1
09:03:36.742581 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 23038, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xf7a09f4e, Flags [none]
Your-IP 10.108.162.164
Gatew[root@localhost core]#
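Added example (not part of the original notes): a Python parser for `tcpdump -nev udp port 68` text such as /tmp/rogue. It lists every DHCP server reply whose Server-ID is not on an allowlist and shows which server's Offer reached the client first. The function names and the allowlist (10.3.9.2 and 10.3.9.31, the Server-IDs relayed via 10.108.160.1 in the capture) are assumptions.

```python
import re

# Excerpt trimmed from the capture on this page (tcpdump -nev udp port 68):
# IP-header details and options the check does not use are cut.
SAMPLE = """\
08:56:23.516772 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342:
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xb5d8ea1c, Flags [none]
DHCP-Message Option 53, length 1: Discover
08:56:23.526530 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590:
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0xb5d8ea1c, Flags [none]
Your-IP 192.168.0.111
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 192.168.0.1
Default-Gateway Option 3, length 4: 192.168.0.1
08:56:23.536296 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342:
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xb5d8ea1c, Flags [Broadcast]
Gateway-IP 10.108.160.1
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.2
08:56:23.550490 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590:
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0xb5d8ea1c, Flags [none]
Your-IP 192.168.0.111
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 192.168.0.1
Default-Gateway Option 3, length 4: 192.168.0.1
08:56:24.525846 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349:
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xb5d8ea1c, Flags [none]
Your-IP 10.108.162.164
Gateway-IP 10.108.160.1
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 10.3.9.2
Default-Gateway Option 3, length 4: 10.108.160.1
"""

FRAME = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) ([0-9a-f:]{17}) > ")
BOOTP = re.compile(r"BOOTP/DHCP, (Request|Reply).*xid (0x[0-9a-f]+)")
FIELDS = {
    "msg_type": re.compile(r"DHCP-Message Option 53, length 1: (\w+)"),
    "server_id": re.compile(r"Server-ID Option 54, length 4: (\S+)"),
    "your_ip": re.compile(r"Your-IP (\S+)"),
    "relay": re.compile(r"Gateway-IP (\S+)"),
    "router": re.compile(r"Default-Gateway Option 3, length 4: (\S+)"),
}

def parse_capture(text):
    """Group tcpdump -nev lines into one dict per DHCP frame."""
    packets, cur = [], None
    for line in text.splitlines():
        m = FRAME.match(line.strip())
        if m:  # a timestamped line starts a new frame
            cur = {"time": m.group(1), "src_mac": m.group(2)}
            packets.append(cur)
            continue
        if cur is None:
            continue  # banner or prompt lines before the first frame
        m = BOOTP.search(line)
        if m:
            cur["op"], cur["xid"] = m.groups()
            continue
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                cur[key] = m.group(1)
                break
    return packets

def find_rogue_servers(packets, trusted_server_ids):
    """Return {(src_mac, server_id): details} for replies outside the allowlist."""
    rogues = {}
    for p in packets:
        sid = p.get("server_id")
        if p.get("op") != "Reply" or sid is None or sid in trusted_server_ids:
            continue
        hit = rogues.setdefault((p["src_mac"], sid),
                                {"msg_types": set(), "xids": set(), "leased": set()})
        hit["msg_types"].add(p.get("msg_type", "?"))
        hit["xids"].add(p["xid"])
        if "your_ip" in p:
            hit["leased"].add(p["your_ip"])
    return rogues

def first_offer_per_xid(packets):
    """Map xid -> Server-ID of the first Offer seen (clients commonly take it)."""
    first = {}
    for p in packets:
        if p.get("msg_type") == "Offer" and "server_id" in p:
            first.setdefault(p["xid"], p["server_id"])
    return first

if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    trusted = {"10.3.9.2", "10.3.9.31"}  # assumption: the relayed campus servers
    for (mac, sid), d in find_rogue_servers(pkts, trusted).items():
        print(f"untrusted DHCP server {sid} at {mac}: "
              f"{sorted(d['msg_types'])} leased {sorted(d['leased'])}")
    print("first Offer per transaction:", first_offer_per_xid(pkts))
```

To check a real capture, pass the contents of /tmp/rogue to parse_capture() instead of SAMPLE.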
Requested-IP Option 50, length 4: 192.168.0.111
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
08:57:50.766898 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590: (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 576)
192.168.0.1.bootps > 192.168.0.111.bootpc: BOOTP/DHCP, Reply, length 548, xid 0xbdc7c05e, Flags [none]
Your-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 192.168.0.1
Lease-Time Option 51, length 4: 86400
Subnet-Mask Option 1, length 4: 255.255.255.0
Default-Gateway Option 3, length 4: 192.168.0.1
Domain-Name-Server Option 6, length 8: 192.168.0.1,192.168.0.1
MTU Option 26, length 2: 1500
08:57:50.773417 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0xe0, ttl 255, id 14201, offset 0, flags [none], proto UDP (17), length 328)
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xbdc7c05e, Flags [Broadcast]
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.31
MSG Option 56, length 31: "requested address not available"
08:57:50.774332 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0xe0, ttl 255, id 14202, offset 0, flags [none], proto UDP (17), length 328)
10.108.160.1.bootps > 255.255.255.255.bootpc: BOOTP/DHCP, Reply, length 300, hops 1, xid 0xbdc7c05e, Flags [Broadcast]
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.2
MSG Option 56, length 31: "requested address not available"
08:57:51.745699 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 14219, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xbdc7c05e, Flags [none]
Your-IP 10.108.162.164
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 10.3.9.2
Lease-Time Option 51, length 4: 6791
Subnet-Mask Option 1, length 4: 255.255.252.0
BR Option 28, length 4: 10.108.163.255
Domain-Name Option 15, length 11: "bupt.edu.cn"
Domain-Name-Server Option 6, length 12: 10.3.9.4,10.3.9.5,10.3.9.6
NTP Option 42, length 4: 10.3.9.9
Default-Gateway Option 3, length 4: 10.108.160.1
08:57:58.891406 3c:97:0e:a6:bf:95 > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 22516, offset 0, flags [none], proto UDP (17), length 328)
10.108.162.31.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:a6:bf:95, length 300, xid 0x34f84154, Flags [none]
Client-IP 10.108.162.31
Client-Ethernet-Address 3c:97:0e:a6:bf:95
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Inform
Client-ID Option 61, length 7: ether 3c:97:0e:a6:bf:95
Hostname Option 12, length 3: "ytx"
Vendor-Class Option 60, length 8: "MSFT 5.0"
Parameter-Request Option 55, length 13:
Subnet-Mask, Domain-Name, Default-Gateway, Domain-Name-Server
Netbios-Name-Server, Netbios-Node, Netbios-Scope, Router-Discovery
Static-Route, Classless-Static-Route, Classless-Static-Route-Microsoft, Vendor-Option
Option 252
++++++++++++++++++++ Normal
[root@localhost core]# cat /tmp/rogue
tcpdump: listening on enp13s0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:03:31.867877 3c:97:0e:f0:b5:bb > 00:0f:e2:6a:09:78, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 32929, offset 0, flags [DF], proto UDP (17), length 328)
10.108.162.164.bootpc > 192.168.0.1.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0x4d825b75, Flags [none]
Client-IP 192.168.0.111
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Release
Server-ID Option 54, length 4: 192.168.0.1
09:03:35.721679 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xf7a09f4e, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
Requested-IP Option 50, length 4: 192.168.0.111
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
09:03:36.730560 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 23033, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xf7a09f4e, Flags [none]
Your-IP 10.108.162.164
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 10.3.9.2
Lease-Time Option 51, length 4: 6446
Subnet-Mask Option 1, length 4: 255.255.252.0
BR Option 28, length 4: 10.108.163.255
Domain-Name Option 15, length 11: "bupt.edu.cn"
Domain-Name-Server Option 6, length 12: 10.3.9.4,10.3.9.5,10.3.9.6
NTP Option 42, length 4: 10.3.9.9
Default-Gateway Option 3, length 4: 10.108.160.1
09:03:36.730688 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 3c:97:0e:f0:b5:bb, length 300, xid 0xf7a09f4e, Flags [none]
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: 10.3.9.2
Requested-IP Option 50, length 4: 10.108.162.164
Parameter-Request Option 55, length 13:
Subnet-Mask, BR, Time-Zone, Classless-Static-Route
Domain-Name, Domain-Name-Server, Hostname, YD
YS, NTP, MTU, Option 119
Default-Gateway
09:03:36.741608 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 23037, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xf7a09f4e, Flags [none]
Your-IP 10.108.162.164
Gateway-IP 10.108.160.1
Client-Ethernet-Address 3c:97:0e:f0:b5:bb
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: ACK
Server-ID Option 54, length 4: 10.3.9.2
Lease-Time Option 51, length 4: 6445
Subnet-Mask Option 1, length 4: 255.255.252.0
BR Option 28, length 4: 10.108.163.255
Domain-Name Option 15, length 11: "bupt.edu.cn"
Domain-Name-Server Option 6, length 12: 10.3.9.4,10.3.9.5,10.3.9.6
NTP Option 42, length 4: 10.3.9.9
Default-Gateway Option 3, length 4: 10.108.160.1
09:03:36.742581 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349: (tos 0xe0, ttl 255, id 23038, offset 0, flags [none], proto UDP (17), length 335)
10.108.160.1.bootps > 10.108.162.164.bootpc: BOOTP/DHCP, Reply, length 307, hops 1, xid 0xf7a09f4e, Flags [none]
Your-IP 10.108.162.164
Gatew[root@localhost core]#
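The captures above can be reduced to a list of answering DHCP servers. This is an added example, not part of the original notes. The function names and the allowlist are assumptions: 10.3.9.2 and 10.3.9.31 are treated as the legitimate campus servers. Only server replies (Offer, ACK, NACK) are counted, because clients repeat the Server-ID in their own Request and Release messages.

```shell
#!/bin/sh
# Server-IDs accepted as legitimate (assumption: the campus servers in the capture).
ALLOWED_SERVERS="10.3.9.2 10.3.9.31"

# Reads `tcpdump -nev udp port 68` text on stdin and prints one line per
# (source MAC, Server-ID) pair that sent an Offer, ACK or NACK.
find_dhcp_servers() {
    awk -v allowed="$ALLOWED_SERVERS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Frame header: "<time> <src MAC> > <dst MAC>, ethertype ..."
    $3 == ">" && /ethertype/ { src = $2; msg = ""; next }
    /DHCP-Message Option 53/ { msg = $NF; next }
    # Clients echo Server-ID in Request/Release, so only count server replies.
    /Server-ID Option 54/ && (msg == "Offer" || msg == "ACK" || msg == "NACK") {
        key = src " " $NF
        if (!(key in seen)) { seen[key] = 1; order[++cnt] = key }
    }
    END {
        for (i = 1; i <= cnt; i++) {
            split(order[i], p, " ")
            verdict = (p[2] in ok) ? "OK" : "ROGUE"
            print verdict, p[1], p[2]
        }
    }'
}

# Constructed sample: frame headers and option lines trimmed from the capture above.
sample_capture() {
    cat <<'EOF'
08:57:50.733654 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342
DHCP-Message Option 53, length 1: Discover
08:57:50.742946 c8:3a:35:11:70:00 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 590
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 192.168.0.1
08:57:50.743076 3c:97:0e:f0:b5:bb > Broadcast, ethertype IPv4 (0x0800), length 342
DHCP-Message Option 53, length 1: Request
Server-ID Option 54, length 4: 192.168.0.1
08:57:50.773417 00:0f:e2:6a:09:78 > Broadcast, ethertype IPv4 (0x0800), length 342
DHCP-Message Option 53, length 1: NACK
Server-ID Option 54, length 4: 10.3.9.31
08:57:51.745699 00:0f:e2:6a:09:78 > 3c:97:0e:f0:b5:bb, ethertype IPv4 (0x0800), length 349
DHCP-Message Option 53, length 1: Offer
Server-ID Option 54, length 4: 10.3.9.2
EOF
}

sample_capture | find_dhcp_servers
```

For the relayed replies (hops 1, Gateway-IP 10.108.160.1) the source MAC is the relay's interface, not the server's own; the rogue answers directly on the segment, so its source MAC is the device to trace. Against a saved capture, run `find_dhcp_servers < /tmp/rogue`.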