Wireshark-users: [Wireshark-users] bad handling of DHCP option 90?
From: "Stefan Puiu" <[email protected]>
Date: Thu, 19 Apr 2007 19:07:16 +0300
Hi all,

I captured some DHCP traffic using DHCP AUTH (option 90  - see
RFC3118) using tcpdump on a Linux device and was then trying to view
it from wireshark (0.99.4) on Windows. The problem is I'm getting some
warnings on the option length, and I think they are wrong.

Here's an excerpt from the exported text file:

   Option: (t=53,l=1) DHCP Message Type = DHCP Discover
       Option: (53) DHCP Message Type
       Length: 1
       Value: 01
...
   Option: (t=90,l=13) Authentication length isn't >= 31
       Option: (90) Authentication
       Length: 13
       Value: 010100C9D208C46B8B070F0000
       Protocol: delayed authentication (1)
       Algorithm: HMAC_MD5 (1)
       Replay Detection Method: Monotonically-increasing counter (0)
       RDM Replay Detection Value: c9d208c46b8b070f


Now, there's a message (warning?) on the first line in the option 90
dump saying the option length isn't >= 31. This is a DHCPDISCOVER
message. However, if you check the format of the option in
DHCPDISCOVER messages, and count the bytes (section 5.2 in RFC3118),
the actual length should be 11, not 31.

Then, I was using a router configured to send back a dummy option 90.
Here's what I get for the reply:

   Option: (t=53,l=1) DHCP Message Type = DHCP Offer
       Option: (53) DHCP Message Type
       Length: 1
       Value: 02
...
   Option: (t=90,l=4) Authentication length isn't >= 11
       Option: (90) Authentication
       Length: 4
       Value: ...

Now that's interesting. I think whoever made the validation swapped
the limits between DHCPDISCOVER and DHCPOFFER & co. Here the length
(at least for HMAC-MD5 authentication) should be 31.

I can provide a capture file, if necessary. Of course, I was assuming
the messages (and validation) come from wireshark, if tcpdump is to
blame...

# tcpdump --version
tcpdump version 3.9.4
libpcap version 0.9.4

Thanks in advance,
Stefan