dhcp probe
Website: http://www.net.princeton.edu/software/dhcp_probe/
Patches to consider:
- dhcp_probe-1.3.0-virta-1.txt
- dhcp_probe-1.3.0-guignard-03_implicit_point_conv_bootp.c.txt
- dhcp_probe-1.3.0-guignard-04_linux_32_or_64bits.txt
Man pages
Manual installation 1, without patches
Review the INSTALL and INSTALL.dhcp_probe files.
Build dependencies
$ sudo yum install libpcap-devel libnet-devel
Download, configure and build
$ wget http://www.net.princeton.edu/software/dhcp_probe/dhcp_probe-1.3.0.tar.gz
$ gunzip dhcp_probe-1.3.0.tar.gz
$ tar -xvf dhcp_probe-1.3.0.tar
$ cd dhcp_probe-1.3.0
[gomix@fricky dhcp_probe-1.3.0]$ ./configure
...
$ make
...
The dhcp_probe binary is in src.
[gomix@fricky dhcp_probe-1.3.0]$ ls src
bootp.c  configfile.c  daemonize.c  defaults.h  dhcp_probe.c  get_myeaddr.c  get_myipaddr.c  Makefile     open_max.c  report.c  utils.c
bootp.h  configfile.h  daemonize.h  defs.h      dhcp_probe.h  get_myeaddr.h  get_myipaddr.h  Makefile.am  open_max.h  report.h  utils.h
bootp.o  configfile.o  daemonize.o  dhcp_probe  dhcp_probe.o  get_myeaddr.o  get_myipaddr.o  Makefile.in  open_max.o  report.o  utils.o
The dhcp_probe man pages are in doc.
[gomix@fricky dhcp_probe-1.3.0]$ ls doc/
dhcp_probe.8  dhcp_probe.cf.5  Makefile  Makefile.am  Makefile.in
First run
Even without installing the files on the system we can already run the binary.
[root@fricky src]# ./dhcp_probe
Usage: dhcp_probe [-c config_file] [-d debuglevel] [-f] [-h] [-l log_file] [-o capture_file] [-p pid_file] [-Q vlan_id] [-s capture_bufsize] [-T] [-v] [-w cwd] interface_name
   -c config_file      override default config file [/etc/dhcp_probe.cf]
   -d debuglevel       enable debugging at specified level
   -f                  don't fork (only use for debugging)
   -h                  display this help message then exit
   -l log_file         log to file instead of syslog
   -o capture_file     enable capturing of unexpected answers
   -p pid_file         override default pid file [/var/run/dhcp_probe.pid]
   -Q vlan_id          tag outgoing frames with an 802.1Q VLAN ID
   -s capture_bufsize  override default capture bufsize [30280]
   -T                  enable the socket receive timeout feature
   -v                  display version number then exit
   -w cwd              override default working directory [/]
   interface_name      name of ethernet interface
note: exiting
Copying the sample dhcp_probe.cf into place:
[root@fricky dhcp_probe-1.3.0]# cp extras/dhcp_probe.cf.sample /etc/
[root@fricky dhcp_probe-1.3.0]# mv /etc/dhc
dhclient-eth1.conf  dhcp/  dhcpd.conf.rpmsave  dhcp_probe.cf.sample
[root@fricky dhcp_probe-1.3.0]# mv /etc/dhc
dhclient-eth1.conf  dhcp/  dhcpd.conf.rpmsave  dhcp_probe.cf.sample
[root@fricky dhcp_probe-1.3.0]# mv /etc/dhcp_probe.cf.sample /etc/dhcp_probe.cf
The interface name must be given for it to run:
[root@fricky src]# ./dhcp_probe eth1
[root@fricky src]# ps aux | grep dhcp_probe
root      3378  0.0  0.0   2248   924 ?        S    07:02   0:00 ./dhcp_probe eth1
root      3383  0.0  0.0   4232   764 pts/0    S+   07:03   0:00 grep dhcp_probe
Logs
The system activity logs already show that dhcp_probe is, at the very least, running.
Mar 16 07:02:52 fricky dhcp_probe[3378]: starting, version 1.3.0
Mar 16 07:02:52 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Mar 16 07:03:00 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Mar 16 07:03:00 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Looking a little closer, it seems that dhcp_probe has already found an unauthorized DHCP server; below are the dhclient records identifying the DHCP server.
[root@fricky src]# grep dhcp-server-identifier /var/lib/dhclient/*
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-9c92fad9-6ecb-3e6c-eb4d-8a47c6f50c04-eth1.lease:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-eth1.leases:  option dhcp-server-identifier 200.109.126.42;
/var/lib/dhclient/dhclient-eth1.leases:  option dhcp-server-identifier 200.109.126.42;
Stopping the program:
[root@fricky src]# pkill dhcp_probe
[root@fricky src]# tail /var/log/messages
Mar 16 07:02:52 fricky dhcp_probe[3378]: starting, version 1.3.0
Mar 16 07:02:52 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Mar 16 07:03:00 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Mar 16 07:03:00 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Mar 16 07:08:00 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Mar 16 07:08:10 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Mar 16 07:08:10 fricky dhcp_probe[3378]: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
Mar 16 07:09:05 fricky dhcp_probe[3378]: exiting
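As an added example (not code from the original page or from the dhcp_probe project), a small Python script that digests the syslog lines dhcp_probe writes in the format shown above, de-duplicates the unexpected servers by interface, IP and MAC with first/last seen times, and cross-checks them against the dhcp-server-identifier values in dhclient lease files, so you can tell whether this host's own lease came from a server dhcp_probe flagged. The sample log lines and lease text are constructed from the values on this page, not a real capture.

```python
"""Digest dhcp_probe syslog alerts and cross-check them against dhclient leases."""
import re
# The syslog line dhcp_probe writes for every responder not on its legal-server list.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcp_probe\[\d+\]: received unexpected "
    r"response on interface (?P<iface>\S+) from BootP/DHCP server with IP source "
    r"(?P<ip>[\d.]+) \(ether src (?P<mac>[0-9a-f:]+)\)\.?$")
LEASE_RE = re.compile(r"option dhcp-server-identifier ([\d.]+);")  # dhclient lease files

def normalize_mac(mac):
    """dhcp_probe prints octets unpadded (0:90:1a:a0:f4:f2); pad them for stable keys."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def summarize_alerts(lines):
    """Return {(iface, ip, mac): {count, first, last}} for every unexpected server seen."""
    seen = {}
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            continue  # "starting", "exiting" and unrelated syslog lines
        key = (m["iface"], m["ip"], normalize_mac(m["mac"]))
        entry = seen.setdefault(key, {"count": 0, "first": m["ts"], "last": m["ts"]})
        entry["count"] += 1
        entry["last"] = m["ts"]
    return seen

def lease_servers(lease_text):
    """Distinct dhcp-server-identifier values in dhclient lease text, in order seen."""
    return list(dict.fromkeys(LEASE_RE.findall(lease_text)))

def leases_from_flagged(lease_text, alerts):
    """Lease servers dhcp_probe also reported: this host may hold a lease from a rogue."""
    flagged = {ip for (_iface, ip, _mac) in alerts}
    return [ip for ip in lease_servers(lease_text) if ip in flagged]

# Constructed sample input in the formats shown on this page (not a real capture).
ALERT = ("%s fricky dhcp_probe[3378]: received unexpected response on interface eth1 "
         "from BootP/DHCP server with IP source %s (ether src %s).")
SAMPLE_SYSLOG = [
    "Mar 16 07:02:52 fricky dhcp_probe[3378]: starting, version 1.3.0",
    ALERT % ("Mar 16 07:02:52", "172.17.16.241", "0:90:1a:a0:f4:f2"),
    ALERT % ("Mar 16 07:03:00", "172.17.16.241", "0:90:1a:a0:f4:f2"),
    ALERT % ("Mar 16 07:08:10", "10.10.32.1", "0:4:de:a1:4:54"),
]
SAMPLE_LEASE = ("  option dhcp-server-identifier 200.109.126.42;\n"
                "  option dhcp-server-identifier 172.17.16.241;\n")

if __name__ == "__main__":  # quick demo on the constructed sample
    alerts = summarize_alerts(SAMPLE_SYSLOG)
    print(alerts, leases_from_flagged(SAMPLE_LEASE, alerts))
```

Keep in mind that dhcp_probe reports every responder that is not listed as a legal server in dhcp_probe.cf, so an entry in this summary means "unexpected", not necessarily "rogue", until the configured list has been checked. On a real host, feed it the output of `grep dhcp_probe /var/log/messages` and the contents of /var/lib/dhclient/*.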
Running in the foreground and in debug mode
Now let's run it without letting it go to the background, and with the maximum amount of debugging detail:
[root@fricky src]# ./dhcp_probe -f -d 11 eth1
note: starting, version 1.3.0
info: read_configfile: starting
info: read_configfile: done
info: using interface eth1, no 802.1Q (IP address 200.109.184.59, hardware address 0:1d:92:d8:a7:ce)
debug: starting new cycle
debug: writing packet 4
debug: listening for answers for 5000 milliseconds
debug: captured a packet
debug: interface eth1, from ether 0:90:1a:a0:f4:f2 to ff:ff:ff:ff:ff:ff
debug: from IP 172.17.16.241 to 255.255.255.255
debug: ip_src 172.17.16.241 is not a legal server
warn: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
debug: done listening, captured 1 packets
debug: writing packet 3
debug: listening for answers for 5000 milliseconds
debug: done listening, captured 0 packets
debug: writing packet 2
debug: listening for answers for 5000 milliseconds
debug: done listening, captured 0 packets
debug: writing packet 1
debug: listening for answers for 5000 milliseconds
debug: captured a packet
debug: interface eth1, from ether 0:90:1a:a0:f4:f2 to ff:ff:ff:ff:ff:ff
debug: from IP 172.17.16.241 to 255.255.255.255
debug: ip_src 172.17.16.241 is not a legal server
warn: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
debug: done listening, captured 1 packets
debug: writing packet 0
debug: listening for answers for 5000 milliseconds
debug: captured a packet
debug: interface eth1, from ether 0:90:1a:a0:f4:f2 to ff:ff:ff:ff:ff:ff
debug: from IP 172.17.16.241 to 255.255.255.255
debug: ip_src 172.17.16.241 is not a legal server
warn: received unexpected response on interface eth1 from BootP/DHCP server with IP source 172.17.16.241 (ether src 0:90:1a:a0:f4:f2).
debug: done listening, captured 1 packets
debug: cycle complete, going to sleep for 300 seconds
Running in debug mode on my laptop:
[root@bazzinga-xps src]# ./dhcp_probe -f -d 10 eth0
note: starting, version 1.3.0
info: read_configfile: starting
info: read_configfile: done
info: using interface eth0, no 802.1Q (IP address 190.184.41.179, hardware address 0:26:b9:9:84:a6)
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 10.10.32.1 (ether src 0:4:de:a1:4:70).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 10.10.32.1 (ether src 0:4:de:a1:4:54).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 10.10.32.1 (ether src 0:4:de:a1:4:54).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 10.10.32.1 (ether src 0:4:de:a1:4:54).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 10.10.32.1 (ether src 0:4:de:a1:4:70).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 10.10.32.1 (ether src 0:4:de:a1:4:54).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 10.10.32.1 (ether src 0:4:de:a1:4:54).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 10.10.32.1 (ether src 0:4:de:a1:4:54)