no idea what my cable-ISP is sending here regulary but this smells security related in case you enter a network with a bad dhcp server Oct 26 10:02:59 srv-rhsoft dhclient[17984]: parse_option_buffer: malformed option dhcp.<unknown> (code 84): option length exceeds option buffer length AFAIK this happens each time due renewal
Yes, the error smells like security related, but seems to be OK. It just says that the option field is longer then we were told it is so we won't parse it. It's most likely a problem in the option with code 84 (some unused [1] option code), but could of course be a problem on dhclient's side as well so if you could catch some of these renewal packets and attach them here, I'd investigate them to be sure we don't do anything wrong. [1] http://tools.ietf.org/html/rfc3679
hard to investigate because it's the WAN-interface (http://www.chello.at) and it happens on any machine directly connected to the cable modem more examples: parse_option_buffer: malformed option dhcp.smtp-server (code 69): option length exceeds option buffer length. parse_option_buffer: malformed option dhcp.<unknown> (code 107): option length exceeds option buffer length parse_option_buffer: malformed option dhcp.<unknown> (code 116): option length exceeds option buffer length.
I have caught such a packet using wireshark. The log message was -- Dec 15 06:40:14 bb dhclient: parse_option_buffer: malformed option dhcp.smtp-server (code 69): option length exceeds option buffer length. I believe this corresponds to packet #26/50 in the packet capture file placed at http://evilpettingzoo.com/data/dhcp_packets.eth1 (don't see a way to attach files to this comment, sorry) This packet appears to pertain to somebody else on my cable network segment. Regards, Dave
Created attachment 836923 [details] I believe this corresponds to packet #26/50 in the packet capture > don't see a way to attach files to this comment choose "Add Attachment" on top and write the comment to it :-) i downloaded the file and created the attachment externel ressources may disappear over the time
(In reply to Harald Reindl from comment #4) > i downloaded the file and created the attachment Thanks (In reply to Dave Rutherford from comment #3) > I have caught such a packet using wireshark. Thanks. > I believe this corresponds to packet #26/50 in the packet capture Yes, looks like it. Even wireshark marks that packet as "Malformed". Since we don't process that option at all (per my comment #1) I think there's nothing more we can do here.