On 08/16/12 9:24 PM, Bobby wrote:
> On 08/17/2012 12:20 AM, John R Pierce wrote:
>
>> the MAC address prefix on that DHCP thing is 00:23:EB which is
>> Cisco... and yes, ISP's frequently use private IP space for internal
>> gateway networks. they aren't routable on the public internet, they
>> don't have to be, they are just used for routes within the ISP's WAN.
>
> Yup looks like the ISP is checking to see who's on.

you might just try something like...

    tcpdump -i eth0 -w udpdump.txt udp port 67 or udp port 68

and let that run for a few minutes, long enough to capture a few of
these packets, then ctl-C it, and take that dumpfile and load it into
wireshark (can do that on any system wireshark runs on) and see what it
decodes the dhcp packets to actually be.

for instance, this is a DHCP 'renew' request (from the LAN side of my
gateway)...

    # tcpdump -i eth1 -vvv -n udp port 67 or udp port 68
    tcpdump: listening on eth1
    21:46:46.009596 192.168.0.136.bootpc > 192.168.0.1.bootps: xid:0x9fb275f6 C:192.168.0.136 [|bootp] (ttl 128, id 31970, len 339)
    21:46:46.013544 192.168.0.1.bootps > 192.168.0.136.bootpc: xid:0x9fb275f6 C:192.168.0.136 Y:192.168.0.136 S:192.168.0.1 [|bootp] (ttl 64, id 16362, len 328)

    2 packets received by filter
    0 packets dropped by kernel

wireshark will do a much better job explaining the packets than tcpdump
does.

-- 
john r pierce                            N 37, W 122
santa cruz ca                         mid-left coast
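An added example, not part of the original message: a small Python decoder for the UDP payload of a port 67/68 packet, showing the fields tcpdump abbreviates above as xid, C: (ciaddr), Y: (yiaddr) and S: (siaddr), plus the message type carried in option 53. The two sample payloads are constructed to mirror the exchange in the message; the client MAC and the REQUEST/ACK message types are assumptions, since the truncated capture does not show them.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload):
    """Decode the UDP payload of a port 67/68 packet into its key fields."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not DHCP: too short or magic cookie missing")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    ci, yi, si = (socket.inet_ntoa(payload[o:o + 4]) for o in (12, 16, 20))
    msg = {"op": op, "xid": xid, "ciaddr": ci, "yiaddr": yi, "siaddr": si,
           "chaddr": payload[28:28 + min(hlen, 16)].hex(":"),
           "type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                   # length byte missing (truncated)
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                                   # option cut off by the capture length
        if code == 53 and length == 1:              # DHCP message type
            msg["type"] = TYPES.get(value[0], "unknown")
        elif code == 54 and length == 4:            # server identifier
            msg["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return msg

def build_sample(op, xid, ciaddr, yiaddr, siaddr, mac, options):
    """Build a constructed DHCP payload for the demo (not captured traffic)."""
    addrs = b"".join(socket.inet_aton(a) for a in (ciaddr, yiaddr, siaddr, "0.0.0.0"))
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + addrs
    return head + mac.ljust(16, b"\0") + bytes(192) + MAGIC + options + b"\xff"

# Constructed samples: MAC is made up; types 3 (REQUEST) and 5 (ACK) are assumed.
MAC = bytes.fromhex("020000000001")
RENEW = build_sample(1, 0x9FB275F6, "192.168.0.136", "0.0.0.0", "0.0.0.0", MAC,
                     b"\x35\x01\x03")
REPLY = build_sample(2, 0x9FB275F6, "192.168.0.136", "192.168.0.136", "192.168.0.1",
                     MAC, b"\x35\x01\x05\x36\x04\xc0\xa8\x00\x01")

if __name__ == "__main__":
    print(parse_dhcp(RENEW), parse_dhcp(REPLY), sep="\n")
```

The `[|bootp]` marker in the tcpdump output above means the packet was cut short by the capture length; the decoder stops cleanly at a cut-off option instead of misreading it.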