DHCP_PROBE.CF(5)              File Formats Manual             DHCP_PROBE.CF(5)

NAME

       dhcp_probe.cf - configuration file for dhcp_probe

SYNOPSIS

       /etc/dhcp_probe.cf

DESCRIPTION

       The file /etc/dhcp_probe.cf contains configuration information used by
       the dhcp_probe(8) daemon.  dhcp_probe reads the file when it begins
       (and whenever it receives a SIGHUP signal).

       The location of this file defaults to /etc/dhcp_probe.cf, but may be
       overridden by a command-line option to dhcp_probe(8).

       The file consists of a series of statements, one per line.  Each
       statement begins with a keyword followed by one or more arguments
       (depending on the keyword); keywords and arguments are separated by
       spaces or tabs.  Statements may be specified in any order.

       Some keywords take an ethernet-address argument.  Ethernet address
       values must be written in a form that ether_aton(3) recognizes; e.g.
       1:2:3:4:5:6 or 00:A5:b2:0:BB:c.

       Some keywords take an ip-address as a value.  IP address values must be
       written in a form that inet_aton(3) recognizes; e.g. 192.168.1.2.

       Blank lines are ignored.  Lines for which the first non-blank character
       is a '#' are treated as comments.  Trailing comments on statements are
       not supported.

       Because all presently-defined keywords are optional, the file may be
       empty; however, it must exist.

KEYWORDS

       The keywords are as follows:

   chaddr
              The chaddr statement is optional, and is used to specify the
              value of the chaddr field in the request packets sent by the
              program.  This value is also used to compute the DHCP Client
              Identifier option in some of the request packets sent by the
              program (by prepending x'01').

              Specify:

                     chaddr ethernet-address

              If not specified, this value defaults to the Ethernet address
              corresponding to the interface you specified on the command
              line.

              You might want to use the chaddr statement if the interface is
              also a DHCP client, so that sending requests with the
              interface's own chaddr/DHCP Client Identifier will not interfere
              with that functionality.

              If you specify a value, be sure to specify a unicast Ethernet
              address that does not belong to any valid client on your
              network.

              Correctly-functioning BootP and DHCP servers that respond will
              send any responses to the chaddr address, or in some cases, to
              the Ethernet broadcast address.  Therefore, if you specify a
              value here (and it differs from your interface's Ethernet
              address), the program will have to place the interface into
              promiscuous mode to be sure it hears unicast responses.

              Note that the chaddr value does not affect the Ethernet source
              address of the Ethernet frames sent by the program.

              If you specify this value, you may also wish to specify the same
              value in the ether_src statement.  See the description of that
              statement for further discussion.

   ether_src
              The ether_src statement is optional, and is used to specify the
              value of the ether_src field in the Ethernet frames sent by the
              program.

              Specify:

                     ether_src ethernet-address

              If not specified, this value defaults to the Ethernet address
              corresponding to the interface you specified on the command
              line.

              If you specify a value, be sure to specify a unicast Ethernet
              address that does not belong to any valid client on your
              network.

              Note that this value does not affect the chaddr field or the
              DHCP Client Identifier option field in request packets sent by
              the program.

              If you specified a chaddr value, you may also wish to specify an
              equal ether_src value.  While not strictly necessary, doing so
              will cause any Layer 2 switches on the network to learn that
              this hardware address is on your leg of the network, so they
              will not need to flood response packets directed to that
              hardware address, but instead can direct the response packets
              only to your leg of the network.

              Additionally, specifying the same ether_src value could help you
              discover any buggy BootP or DHCP servers that mistakenly direct
              their responses to the sender's ether_src (instead of to the
              sender's bootp_chaddr).

   server_id
              The server_id statement is optional, and is used to specify the
              value of the DHCP Server Identifier option in some of the
              request packets sent by the program.

              Specify:

                     server_id ip-address

              If not specified, this value defaults to 10.254.254.254.

              The DHCP Server Identifier option appears in the packets the
              program sends when it mimics a DHCP client in the SELECTING
              state.

              It's best that the DHCP Server Identifier option the program
              uses not match the IP address of any valid DHCP server on your
              network, to avoid confusing them.  Other than that, any IP
              address is a reasonable value; you may wish to specify one that
              could never be a valid address on your network.

   client_ip_address
              The client_ip_address statement is optional, and is used to
              specify the IP address that the program should request, or claim
              to have a lease on.

              Specify:

                     client_ip_address ip-address

              If not specified, this value defaults to 172.31.254.254.

              When the program generates a DHCPREQUEST packet that mimics a
              DHCP client that is in the INIT-REBOOT or SELECTING state, the
              packet contains a Requested IP Address option containing this
              value.  When the program generates a DHCPREQUEST packet that
              mimics a DHCP client that is in the REBINDING state, the packet
              contains a ciaddr field containing this value.

              It's best that the value the program uses not match the IP
              address of any valid DHCP client on your network, to avoid
              confusing valid DHCP servers.

              It's extremely useful if the value the program uses not be valid
              (topologically speaking) for the physical network on which the
              program sends the packets.  Sending a topologically
              inappropriate value may stimulate some DHCP servers to respond
              with a DHCPNAK, which helps the program flush out DHCP servers.

   response_wait_time
              The response_wait_time statement is optional, and is used to
              specify how long the program should wait for responses after
              sending a single request packet.

              Specify:

                     response_wait_time num_milliseconds

              If not specified, this value defaults to 5000 milliseconds (5
              seconds).

              The value is specified in milliseconds, and must fit into an
              'int' on your host.  (Values larger than an 'int' may be
              silently misinterpreted.)  Typical values are on the order of a
              few thousand milliseconds; i.e. several seconds.

   cycle_time
              The cycle_time statement is optional, and is used to specify how
              long the program should sleep between each probe cycle.

              Specify:

                     cycle_time num_seconds

              If not specified, this value defaults to 300 seconds.

              The value is specified in seconds, and must fit into an
              'unsigned int' on your host.  (Values larger than an 'unsigned
              int' may be silently misinterpreted.)  Typical values range from
              several hundred to several thousand seconds (i.e. several
              minutes to several hours).

              During each probe cycle, the program sends one of the request
              packet flavors, captures any responses that arrive during the
              response_wait_time, then repeats this for each of the other
              request packet flavors.  After doing this for each flavor of
              request packet, the probe cycle is complete, and the program
              sleeps for the cycle_time.

   legal_server
              The legal_server statement is optional, and is used to specify
              the IP source address of responses that come from a legal BootP
              or DHCP server on your network.  The statement may be specified
              multiple times.

              Specify:

                     legal_server ip-address

              If not specified, the program assumes there are no legal BootP
              and DHCP servers on your network; all responses will be treated
              as coming from an unknown DHCP server.

              When the program receives a response packet, it compares the
              packet's IP source address to all the addresses you have
              specified in legal_server statements.  If the IP source address
              matches one of these values, the response is deemed to have come
              from a known DHCP server, and is ignored.  If the IP source
              address does not match any of these values (or you do not
              specify any legal_server), then the program logs a message that
              reports the packet's IP source address and Ethernet source
              address.  Additionally, if the program was started with the -o
              command-line option, the packet is also written to a packet
              capture file.

              If both legal_server and legal_server_ethersrc statements
              appear, then a response must have both a valid IP source and a
              valid Ethernet source to be considered to have come from a known
              DHCP server.

              When relaying a response from a server to a client, some BootP
              Relay Agents may change the response's IP source address,
              replacing the server's IP address with that of the BootP Relay
              Agent.  If BootP Relay Agents on your network do this, you will
              need to specify their IP addresses here instead.

   legal_server_ethersrc
              The legal_server_ethersrc statement is optional, and is used to
              specify the Ethernet source address of responses that come from
              a legal BootP or DHCP server on your network.  The statement may
              be specified multiple times.

              Specify:

                     legal_server_ethersrc ethernet-address

              If not specified, the program does not check the Ethernet source
              address of responses.

              If you have specified at least one legal_server_ethersrc value,
              when the program receives a response packet, the program
              compares the packet's Ethernet source address to all the
              addresses you have specified in legal_server_ethersrc
              statements.  If the Ethernet source does not match one of these
              values, the response is deemed to have come from an unknown DHCP
              server; the program logs a message that reports the packet's IP
              source address and Ethernet source address.  Additionally, if
              the program was started with the -o command-line option, the
              packet is also written to a packet capture file.

              If both legal_server and legal_server_ethersrc statements
              appear, then a response must have both a valid IP source and a
              valid Ethernet source to be considered to have come from a known
              DHCP server.

              Each router on the path from the DHCP server to the DHCP client
              will overwrite the Ethernet source address field.  So if you
              specify any legal_server_ethersrc statements, also list the
              Ethernet source value(s) for the last hop router(s).  A BootP
              Relay Agent on the path from the DHCP server to the DHCP client
              will overwrite the Ethernet field.  So also list the Ethernet
              source value(s) for the BootP Relay Agent.  (The BootP Relay
              Agent is often co-resident in the last-hop IP router, so you may
              have already taken care of this when you listed the last-hop
              router(s).)

              The legal_server_ethersrc statement is considered experimental
              in version 1.3.0, as it has received only limited testing.

   lease_network_of_concern
              The lease_network_of_concern statement is optional, and may be
              specified multiple times.  The statement is used to specify one
              or more network ranges that are of concern relative to the IP
              addresses distributed by a rogue BootP/DHCP server.

              Specify:

                     lease_network_of_concern network-ip-address network-mask

              Specifying one or more lease_network_of_concern statements
              activates the "Lease Networks of Concern" feature.

              When the program receives a response packet that it determines
              to be from a rogue BootP/DHCP server, if the "Lease Networks of
              Concern" feature is active, the program will examine the packet
              further.  If the packet's yiaddr field is non-zero, the value in
              that field is tested to see if it falls within any of the
              "Lease Networks of Concern."  If it does, then the message the
              program logs is extended to also report this fact, and to
              include the value of the yiaddr field.  Furthermore, if an
              alert_program_name2 was specified, when that program is called,
              it is called with an additional -y yiaddr option.  (This is not
              supported if an alert_program_name was specified, as the older
              alert_program_name uses a syntax that cannot be extended.)

              The "Lease Networks of Concern" feature does not change the way
              the program probes for or detects rogue BootP/DHCP servers.
              Upon detection of a rogue BootP/DHCP server, the feature may
              only cause additional information to be added to the message
              logged (and passed to alert_program_name2).

              This feature may be used, for example, by specifying your
              networks' legitimate address ranges as "Lease Networks of
              Concern".  While most rogue BootP/DHCP servers distribute
              private IP addresses, or send DHCPNAKs to legitimate clients,
              other more damaging rogue BootP/DHCP servers may distribute IP
              addresses that fall within your legitimate network ranges.  This
              will help differentiate those more damaging incidents from the
              more common ones.

   alert_program_name
              The alert_program_name statement is optional, and may be used to
              specify the name of an external program that should be run every
              time a response packet is received from an unexpected server.

              Note that using the newer alert_program_name2 statement is
              preferable.

              Specify:

                     alert_program_name /absolute/path/name

              Unexpected response packets are reported as a matter of course,
              and optionally written to a packet capture file.  You may use an
              alert_program_name to provide additional handling of the event,
              for example, to alert an appropriate party via mail or paging.
              The alert_program_name you specify is called with four arguments
              in the following order: the name of the calling program (e.g.
              dhcp_probe), the name of the interface on which the unexpected
              response packet was received, the IP source address of the
              packet, and the Ethernet source address of the packet.

              As the alert_program_name is called with the same privileges as
              dhcp_probe (i.e. root), you should exercise caution to ensure
              that the alert program is safe for a privileged user to execute.

              Because the syntax supported by the external program is not
              extensible, the use of alert_program_name2 is preferable.

              You may not specify both alert_program_name and
              alert_program_name2.

   alert_program_name2
              The alert_program_name2 statement is optional, and may be used
              to specify the name of an external program that should be run
              every time a response packet is received from an unexpected
              server.

              Specify:

                     alert_program_name2 /absolute/path/name

              Unexpected response packets are reported as a matter of course,
              and optionally written to a packet capture file.  You may use an
              alert_program_name2 to provide additional handling of the event,
              for example, to alert an appropriate party via mail or paging.
              The alert_program_name2 you specify is called with the following
              required options:

                     -p the name of the calling program (e.g. dhcp_probe)
                     -I the name of the interface on which the unexpected response packet was received
                     -i the IP source address of the packet
                     -m the Ethernet source address of the packet

              The following non-required options may also be passed:

                     -y the non-zero yiaddr value from the packet, when it falls inside a "Lease Network of Concern"

              The alert_program_name2 program you specify must ignore options
              or arguments it does not recognize; this is to ensure it remains
              forward-compatible with future enhancements to dhcp_probe.  It
              must be prepared to accept options in any order.

              As the alert_program_name2 is called with the same privileges as
              dhcp_probe (i.e. root), you should exercise caution to ensure
              that the alert program is safe for a privileged user to execute.

              You may not specify both alert_program_name and
              alert_program_name2.
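
       The file syntax from DESCRIPTION and the matching rules given under
       legal_server, legal_server_ethersrc and lease_network_of_concern,
       modelled in Python as an added example (not part of the original page
       and not dhcp_probe's own code).  Assumptions: 32-bit int limits, a
       hand-written stand-in for ether_aton(3), and the hypothetical names
       load_config and classify.

```python
import socket
import string

INT_MAX, UINT_MAX = 2**31 - 1, 2**32 - 1   # assumption: 32-bit int / unsigned int

def parse_ether(text):
    """Approximate ether_aton(3): six ':'-separated groups of 1-2 hex digits."""
    groups = text.split(":")
    if len(groups) != 6 or not all(
            1 <= len(g) <= 2 and set(g) <= set(string.hexdigits) for g in groups):
        raise ValueError("bad ethernet-address %r" % text)
    return bytes(int(g, 16) for g in groups)

def unicast_ether(text):
    mac = parse_ether(text)
    if mac[0] & 1:     # group bit set: multicast or broadcast
        raise ValueError("%s is not a unicast address" % text)
    return mac

def parse_ip(text):
    """inet_aton(3) via the socket module; returns the address as an integer."""
    try:
        return int.from_bytes(socket.inet_aton(text), "big")
    except OSError:
        raise ValueError("bad ip-address %r" % text)

def bounded(limit):
    def parse(text):
        if not (text.isascii() and text.isdigit()) or int(text) > limit:
            raise ValueError("%r does not fit (maximum %d)" % (text, limit))
        return int(text)
    return parse

def abs_path(text):
    if not text.startswith("/"):
        raise ValueError("%r is not an absolute path" % text)
    return text

# keyword -> parsers for its arguments, in order
KEYWORDS = {
    "chaddr": [unicast_ether], "ether_src": [unicast_ether],
    "server_id": [parse_ip], "client_ip_address": [parse_ip],
    "response_wait_time": [bounded(INT_MAX)], "cycle_time": [bounded(UINT_MAX)],
    "legal_server": [parse_ip], "legal_server_ethersrc": [parse_ether],
    "lease_network_of_concern": [parse_ip, parse_ip],
    "alert_program_name": [abs_path], "alert_program_name2": [abs_path],
}
REPEATABLE = {"legal_server", "legal_server_ethersrc", "lease_network_of_concern"}

def load_config(text):
    """Return (config dict, list of problem strings) for a dhcp_probe.cf text."""
    cfg, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment line
        keyword, *args = line.split()     # separators are spaces or tabs
        parsers = KEYWORDS.get(keyword)
        try:
            if parsers is None:
                raise ValueError("unknown keyword %r" % keyword)
            if len(args) != len(parsers): # also catches a trailing comment
                raise ValueError("%s takes %d argument(s)" % (keyword, len(parsers)))
            value = tuple(p(a) for p, a in zip(parsers, args))
        except ValueError as exc:
            problems.append("line %d: %s" % (lineno, exc))
            continue
        if keyword in REPEATABLE:
            cfg.setdefault(keyword, []).append(value if len(value) > 1 else value[0])
        else:
            cfg[keyword] = value[0]       # a repeat overwrites here (assumption)
    if "alert_program_name" in cfg and "alert_program_name2" in cfg:
        problems.append("alert_program_name and alert_program_name2 both specified")
    return cfg, problems

def classify(cfg, ip_src, ether_src, yiaddr="0.0.0.0"):
    """Apply the documented matching rules; return (verdict, yiaddr_of_concern)."""
    # No legal_server statements: every response is from an unknown server.
    ip_ok = parse_ip(ip_src) in cfg.get("legal_server", [])
    # No legal_server_ethersrc statements: the Ethernet source is not checked.
    ether_list = cfg.get("legal_server_ethersrc", [])
    ether_ok = not ether_list or parse_ether(ether_src) in ether_list
    if ip_ok and ether_ok:
        return "known", False
    y = parse_ip(yiaddr)
    concern = y != 0 and any((y & mask) == (net & mask)
                             for net, mask in cfg.get("lease_network_of_concern", []))
    return "rogue", concern

# Constructed sample; the values are the ones used in the page's EXAMPLE section.
SAMPLE = """\
chaddr 0:0:0:1:2:3
cycle_time 1200
legal_server 192.168.1.2
legal_server 192.168.3.4
legal_server_ethersrc 0:2:4:ab:cd:ef
lease_network_of_concern 128.112.0.0 255.255.0.0
alert_program_name2 /usr/local/etc/dhcp_probe_notify2
"""
```

       Note the asymmetry the page describes: with no legal_server statement
       nothing is legal, while with no legal_server_ethersrc statement every
       Ethernet source passes.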

EXAMPLE

       An example /etc/dhcp_probe.cf file follows:

              # dhcp_probe.cf: config file for dhcp_probe
              #
              # General syntax:
              #  Comment lines start with '#' (trailing comments not permitted).
              #  Blank lines are OK.
              #  Tokens within a line should be separated with spaces and/or tabs.
              #  Entries in the file may be in any order.
              #  Any 'ethernet-address' must be written in a form that ether_aton(3) recognizes; e.g.
              #      1:2:3:4:5:6   00:A5:b2:0:BB:c
              #  Any 'ip-address' must be written in a form that inet_aton(3) recognizes; e.g.
              #      192.168.1.2
              #
              # ----------------------------------------------------------------------------------
              #
              # CLIENT HARDWARE ADDRESS
              #
              # By default, for the 'chaddr' field in the BootP header, we use the Ethernet
              # address corresponding to the interface you specified.
              # We also use this value to compute the DHCP Client Identifier option (by prepending x'01').
              # You may optionally override this value.
              # (Note that this does not override the Ethernet Src address in the Ethernet frame we send.)
              #
              # You might want to do this if our interface is also a DHCP client, so
              # sending requests with the interface's own chaddr/DHCP Client Identifier would interfere with
              # that functionality.
              #
              # If you specify a value, be sure to specify an Ethernet address that does not belong to
              # any valid client on your network.  Be sure to specify a unicast Ethernet address.
              #
              # Syntax:
              #    chaddr enet-addr

              chaddr 0:0:0:1:2:3


              # ----------------------------------------------------------------------------------
              #
              # ETHERNET SOURCE ADDRESS
              #
              # By default, for the 'ether_shost' field in the Ethernet header, we use the Ethernet
              # address corresponding to the interface you specified.
              # You may optionally override this value.
              # (Note that this does not override the 'chaddr' in the BootP header, nor the DHCP Client Identifier.)
              #
              # If you specify the 'chaddr' statement, you might want to also do this, so you don't miss buggy
              # DHCP servers that respond (incorrectly) to ether_src instead of to chaddr.
              #
              # If you specify a value, be sure to specify an Ethernet address that does not belong to
              # any valid client on your network.  Be sure to specify a unicast Ethernet address.
              #
              # Syntax:
              #    ether_src enet-addr

              ether_src 0:0:0:1:2:3


              # ----------------------------------------------------------------------------------
              #
              # DHCP SERVER IDENTIFIER
              #
              # When we generate a DHCPREQUEST packet corresponding to a client that is in the SELECTING
              # state, the options field must contain a 'DHCP Server Identifier' option, indicating the
              # IP address of the DHCP server the client is selecting.   It's best that the value we use
              # not match the IP address of any valid DHCP server, to avoid confusing them.  The program
              # provides a default value of 10.254.254.254, which you may override here.
              #
              # Syntax:
              #    server_id ip-addr

              server_id 10.1.2.3

              # ----------------------------------------------------------------------------------
              #
              # CLIENT IP ADDRESS
              #
              # When we generate a DHCPREQUEST packet corresponding to a client that is in the INIT-REBOOT
              # or SELECTING state, the options field must contain a 'Requested IP Address' option, indicating
              # the IP address the client is requesting.    When we generate a DHCPREQUEST packet corresponding
              # to a client that is in the REBINDING state, the 'ciaddr' field in the BootP header must contain
              # the IP address that the DHCP client presently has leased and wishes to renew.
              #
              # In all these cases, it's best that the value we use not match the IP address of any valid DHCP client,
              # to avoid confusing the valid DHCP servers.
              #
              # Furthermore, it is extremely useful if the value we use *not* be valid (topologically speaking) for the
              # physical network on which we send the packets.  Sending a topologically inappropriate value
              # may stimulate some DHCP servers to respond with a DHCPNAK, which helps us flush out DHCP servers.
              # (This will probably happen only in response to the packets we send when pretending to be in REBINDING state.)
              #
              # The program provides a default value of 172.31.254.254, which you may override here.
              #
              # Syntax:
              #   client_ip_address ip-addr

              # client_ip_address 172.31.254.254

              # ----------------------------------------------------------------------------------
              #
              # RESPONSE WAIT TIME
              #
              # After sending one packet, we wait for responses.  The length of time we wait
              # is the 'response_wait_time'.  The program provides a default value of 5000, which you
              # may override here.  The value is measured in milliseconds, and must fit into
              # an 'int' on your host.  (Values larger than an 'int' may be silently misinterpreted.)
              # Typical values are on the order of a few thousand milliseconds; i.e. several seconds.
              #
              # Syntax:
              #    response_wait_time num_milliseconds

              # response_wait_time 5000

              # ----------------------------------------------------------------------------------
              #
              # CYCLE WAIT TIME
              #
              # For each flavor packet, we send the packet and listen for responses to that packet.
              # After doing this for all flavor packets, we go to sleep for the "cycle_time",
              # then repeat the process.  The program provides a default value of 300, which you
              # may override here.  The value is measured in seconds, and must fit into an
              # 'unsigned int' on your host.  (Values larger than an 'unsigned int' may be silently
              # misinterpreted.)  Typical values range from several hundred to several thousand
              # seconds (i.e. several minutes to several hours).
              #
              # Syntax:
              #    cycle_time num_seconds

              cycle_time 1200

              # ----------------------------------------------------------------------------------
              #
              # LEGAL SERVERS' IP SOURCE ADDRESSES
              #
              # After sending one packet, we wait for responses.  Responses from legal BootP or DHCP
              # servers are ignored; presumably you aren't interested in discovering them.
              # Specify a legal server's IP source address with the 'legal_server' statement.
              # The value you specify is compared to the IPsrc field in each response's IP header.
              #
              # If you have multiple legal servers, specify each in a separate statement.
              # If your BootP Relay Agents overwrite the server's IP address in the IPsrc field
              # with their own IP addresses, you will need to list the IP addresses of the
              # BootP Relay Agents.
              #
              # Alternatively, do not specify any legal_server statements at all, so *no* responses
              # will be considered legal.
              # (This is different from the way legal_server_ethersrc statements are handled.)
              #
              # If both legal_server and legal_server_ethersrc statements appear, then a response
              # must have both a valid IP source and a valid ethernet source to be considered legal.
              #
              # Syntax:
              #   legal_server ip-addr

              legal_server 192.168.1.2
              legal_server 192.168.3.4

              # ----------------------------------------------------------------------------------
              #
              # LEGAL SERVERS' ETHERNET SOURCE ADDRESSES
              #
              # Specify a legal server's Ethernet source address with the 'legal_server_ethersrc' statement.
              # The value you specify is compared to the ethernet_src field in each response's Ethernet header.
              #
              # If you have multiple legal ethernet sources, specify each in a separate statement.
              # Each router on the path from the DHCP server to the DHCP client will overwrite
              # the ethernet_src field.  So also list the ethernet_src value(s) for the last hop router(s).
              # The BootP Relay Agent on the path from the DHCP server to the DHCP client will overwrite
              # the ethernet_src field.  So also list the ethernet_src value(s) for the BootP Relay Agent.
              # (This is often co-resident in the last-hop IP router, so you may have already taken care
              # of this when you listed the last-hop router(s).)
              #
              # Alternatively, do not specify any legal_server_ethersrc statements at all.
              # If none are specified, then all ethernet_src values are considered legal.
              # (This is different from the way legal_server statements are handled.)
              #
              # If both legal_server and legal_server_ethersrc statements appear, then a response
              # must have both a valid IP source and a valid ethernet source to be considered legal.
              #
              # Syntax:
              #   legal_server_ethersrc enet-addr

              # legal_server_ethersrc 0:2:4:ab:cd:ef
              # legal_server_ethersrc 0:17:30:1:0A:3

              # ----------------------------------------------------------------------------------
              #
              # ALERT PROGRAM NAME
              #
              # In addition to logging a response received from an unexpected server, we will optionally
              # call a user-specified 'alert program' if one is specified here.  To use this feature,
              # specify the absolute pathname of a program we should execute for each unexpected response.
              # Either specify it using the older 'alert_program_name' statement, or (preferably) using
              # the newer 'alert_program_name2' statement.  (The newer statement is preferable because
              # it calls the alert program with a more extensible syntax.)  You may not specify
              # both alert_program_name and alert_program_name2.
              #
              # Old style alert program:
              #
              # Syntax:
              #   alert_program_name /absolute/path/name
              #
              # The program specified via 'alert_program_name' will be called as follows:
              #   /absolute/path/name  name_of_calling_program  name_of_interface_on_which_the_response_was_received  IP_source_of_the_response  ether_src_of_the_response
              #
              #
              # Newer style alert program:
              #
              # Syntax:
              #   alert_program_name2 /absolute/path/name
              #
              # The program specified via 'alert_program_name2' will be called as follows:
              #   /absolute/path/name  -p name_of_calling_program  -I name_of_interface_on_which_the_response_was_received  -i IP_source_of_the_response  -m ether_src_of_the_response [-y yiaddr_when_in_lease_networks_of_concern]
              # The options may appear in any order.
              # The program must silently ignore any options or arguments it does not recognize,
              # so as to be forward-compatible with future enhancements to dhcp_probe.


              alert_program_name2 /usr/local/etc/dhcp_probe_notify2


              # ----------------------------------------------------------------------------------
              #
              # LEASE NETWORKS OF CONCERN
              #
              # Optionally define one or more network ranges that are to be treated as
              # being of special concern when a rogue BootP/DHCP server is detected sending a response
              # that contains a 'yiaddr' value that falls into any of these ranges.
              # Specify each such network range of concern in a separate statement.
              # When the yiaddr value in a rogue server's response falls into any of these ranges,
              # the message logged will contain additional text remarking on this fact.
              # And if an alert_program_name2 is used, that alert program
              # will be called with an extra option so it can also act on that fact.
              #
              # If you specify all your networks' legitimate IP ranges, this can help you
              # take additional notice of rogue BootP/DHCP servers that distribute *your*
              # network addresses, rather than simply distribute private IP addresses or
              # send DHCPNAKs to legitimate clients.
              #
              # Syntax:
              #    lease_network_of_concern  IP-network-address network-mask


              lease_network_of_concern 128.112.0.0 255.255.0.0
              lease_network_of_concern 140.180.0.0 255.255.0.0
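
       A program of the kind the example file names in alert_program_name2
       has to accept its options in any order, skip anything it does not
       recognize, and be safe to run as root.  The handler below is an added
       example (not part of the original page and not shipped with
       dhcp_probe).  Its function names, value patterns and syslog wording
       are assumptions.

```python
#!/usr/bin/env python3
import ipaddress
import re
import sys
import syslog

# Options documented for alert_program_name2; each takes one value.
OPTIONS = {"-p": "program", "-I": "interface", "-i": "ip_src",
           "-m": "ether_src", "-y": "yiaddr"}
REQUIRED = ("program", "interface", "ip_src", "ether_src")

def is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False

# Allowed shape of each value.  The name patterns are assumptions chosen to be
# conservative; tighten them to what your hosts actually use.
VALID = {
    "program": re.compile(r"[A-Za-z0-9_.-]{1,64}").fullmatch,
    "interface": re.compile(r"[A-Za-z0-9_.:-]{1,32}").fullmatch,
    "ether_src": re.compile(r"[0-9A-Fa-f]{1,2}(:[0-9A-Fa-f]{1,2}){5}").fullmatch,
    "ip_src": is_ipv4,
    "yiaddr": is_ipv4,
}

def parse_alert_args(argv):
    """Pick out the known options in any order; skip anything unrecognized."""
    found, i = {}, 0
    while i < len(argv):
        name = OPTIONS.get(argv[i])
        if name is not None and i + 1 < len(argv):
            found[name] = argv[i + 1]
            i += 2
        else:
            i += 1          # unknown option or stray argument: ignore it
    return found

def build_alert(argv):
    """Return the alert text, or raise ValueError if the arguments are unusable."""
    found = parse_alert_args(argv)
    missing = [name for name in REQUIRED if name not in found]
    if missing:
        raise ValueError("missing required value(s): " + ", ".join(missing))
    # Validate before use: the process runs as root and the text ends up in logs.
    for name, value in found.items():
        if not VALID[name](value):
            raise ValueError("bad %s value %r" % (name, value))
    text = "%s: unexpected BootP/DHCP server %s (%s) on %s" % (
        found["program"], found["ip_src"], found["ether_src"], found["interface"])
    if "yiaddr" in found:
        text += "; yiaddr %s is in a Lease Network of Concern" % found["yiaddr"]
    return text

def main(argv):
    try:
        text = build_alert(argv)
    except ValueError as exc:
        syslog.syslog(syslog.LOG_ERR, "alert handler rejected its arguments: %s" % exc)
        return 2
    # No shell is involved anywhere; the values are only ever passed as data.
    syslog.syslog(syslog.LOG_ALERT, text)
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

       To mail or page instead of logging, pass the text to the delivery
       program as an argument list rather than through a shell command line.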

SEE ALSO

       dhcp_probe(8)

Princeton Univ.                   Mar 9 2009                  DHCP_PROBE.CF(5)