DHCPINFORM and DHCPACK spam



Hi guys, not sure if this is really a problem or not but I guess it's been annoying me...

My PC is running on a wireless connection to a WRT54GL running Tomato 1.25.8515-RAF (Victek Mod) with DNSMASQ running DHCP... Anyway, I checked the logs recently and found that every 70 seconds my computer is referenced in a DHCPINFORM and DHCPACK log. There are 3 other wireless clients connected to the router, and none of those do it with such a frequency, they tend to go for around an hour or so before another...

So yeah, basically wondering if there's a way to make it stop doing it so often, since I feel like I'm getting a degraded performance because of it (May be a placebo effect)

Cheers in advance, hope someone can help!


Hmmm -- DHCPINFORM is used to obtain info from your dhcp server. Do you have manual settings for dns or wins?

Edited by BudMan

[snip]

Normally clients try to renew their lease at the 50% mark.. so for example with this 1 hour lease at 4:04:30 my machine would ask for a renew. If your other clients are showing up every hour or so I would assume you're handing out a 2 hour lease? Take a look at your ipconfig /all -- post it if you don't mind

Lease Obtained. . . . . . . . . . : 10 February 2010 16:51:09

Lease Expires . . . . . . . . . . : 20 March 2146 04:38:34

I guess the "infinite" expiry on the router is quite a long way away... As I've said there are at least 3 other machines each with the same configuration router-side, and the EXACT same Win7 version (Windows 7 x86_64 Professional)... I can pastie the /var/log/messages if you need to see it, BudMan? Perhaps it could be a fault with my wireless card?


Well I looked into the DHCPINFORM message

--

3.4 Obtaining parameters with externally configured network address

If a client has obtained a network address through some other means (e.g., manual configuration), it may use a DHCPINFORM request message to obtain other local configuration parameters. Servers receiving a DHCPINFORM message construct a DHCPACK message with any local configuration parameters appropriate for the client without: allocating a new address, checking for an existing binding, filling in 'yiaddr' or including lease time parameters. The servers SHOULD unicast the DHCPACK reply to the address given in the 'ciaddr' field of the DHCPINFORM message.

--

But looks like you're fully set for dhcp if you're getting a lease, and not set for static address - but dhcp for your dns, etc.

What you might want to do is do a sniff of your client's traffic - wireshark or windump could be used to actually see what your client is putting in the dhcpinform message.. This could help us figure out why your client is sending it.


dhcpinform can also be used to try and find a proxy - so your browser could be looking for a proxy, WPAD. From a google I find some info about flash looking for a proxy using dhcpinform as well.. And your client can retransmit these dhcpinforms if it's not getting the ack back for some reason. Are you running some firewall that could be blocking the dhcpack back from your router?

I would really suggest you grab wireshark or even windump and run it on your client to capture these dhcp packets so we can see what is going on -- i.e. what info it is asking for in the dhcpinform packet

edit: if you grab windump use this command to limit traffic to dhcp traffic

windump -i 4 -XX -n -vvv udp port 67

where the -i 4 is the interface you want to listen on. I have multiple interfaces on this machine so that's why mine is 4, yours might be 1 or 2, etc. use -D to list your interfaces.

example

C:\>windump -D

1.\Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)

2.\Device\NPF_{05E6A386-4B0A-4C3E-A3A7-B0508770EB8D} (Juniper Network Connect Virtual Adapter)

3.\Device\NPF_{8E8EA836-838D-44DE-AF28-4B5184245553} (Intel® PRO/Wireless 3945ABG Network Connection)

4.\Device\NPF_{46B7FF42-B5F2-44F2-9EAE-1F0BAF7B4932} (Broadcom NetXtreme Gigabit Ethernet Driver)

5.\Device\NPF_{791A8563-34BD-4681-A0F6-281494D295C8} (TAP-Win32 Adapter V9)

Have yet to see this box send any dhcpinform packets.. But it's XP, and the dhcp server here sends all the different options wins, dns, domain name, etc. From my understanding if this info is not given out by your dhcp server your windows client might ask for it with a dhcpinform packet. But that would not explain why your other machines are only doing it once an hour - and yours is doing it every 70 seconds, etc. I can play more when I get home on my win 7 x64 box and have full control over the dhcp server, etc.

Edited by BudMan
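
An added example, not part of the thread: a small parser for the DHCP payload that a capture like the one above records, reading the message type (option 53) and the parameter request list (option 55) and recognising a DHCPINFORM that asks for option 252, the WPAD proxy auto-config option. The sample packet, its address and MAC are constructed, and the function names are illustrative.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_LIST, OPT_WPAD, OPT_END = 0, 53, 55, 252, 255

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCP message (ports 67/68)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:            # single-byte padding, no length
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    mtype = options.get(OPT_MSG_TYPE, b"")
    return {
        "type": MSG_TYPES.get(mtype[0], "UNKNOWN") if mtype else "UNKNOWN",
        "ciaddr": ".".join(str(b) for b in payload[12:16]),
        "mac": payload[28:28 + min(payload[2], 16)].hex(":"),
        "requested": list(options.get(OPT_PARAM_LIST, b"")),
    }

def is_wpad_probe(msg: dict) -> bool:
    """True for a DHCPINFORM whose parameter request list asks for option 252."""
    return msg["type"] == "INFORM" and OPT_WPAD in msg["requested"]

def build_inform(ciaddr: bytes, mac: bytes, requested: list) -> bytes:
    """Build a constructed DHCPINFORM payload to use as sample input."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, len(mac), 0,
                         0x1234ABCD, 0, 0, ciaddr, bytes(4), bytes(4), bytes(4),
                         mac, b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, 8, OPT_PARAM_LIST, len(requested), *requested])
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])

if __name__ == "__main__":
    sample = build_inform(bytes([192, 168, 1, 100]),
                          bytes.fromhex("001122334455"), [252])
    msg = parse_dhcp(sample)
    print(msg, "WPAD probe" if is_wpad_probe(msg) else "other")
```
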

dhcpinform can also be used to try and find a proxy - so your browser could be looking for a proxy, WPAD. From a google I find some info about flash looking for a proxy using dhcpinform as well.. And your client can retransmit these dhcpinforms if it's not getting the ack back for some reason. Are you running some firewall that could be blocking the dhcpack back from your router?

Hmm, I've turned off proxy auto configuration and that seems to have stopped it from doing it, weird behaviour though tbh... If it doesn't find it and it's on the same network, why spam looking for it? And no, I was using the default Windows 7 firewall...

Thanks very much BudMan!
