
Hello Guys

I'm troubleshooting an issue where BOOTP server responses are being dropped at some point in the topology. In a capture taken from the interface where the BOOTP server is attached I see the below message:

428 Unknown BOOTP message type (0) [Malformed Packet]

I'm guessing it means corruption, but can any of you let me know what it means or where I can find more information about it?

Thanks

asked 26 Jan '17, 08:30


JuniperGuy


The BOOTP protocol, as described by RFC 951, has an opcode field in it; the RFC specifies that it can have either the value 1 for a request or 2 for a reply. 0 is not a valid value for the opcode, so Wireshark reports the packet as having an unknown message type.

RFC 2131 describes DHCP; section 3 "The Client-Server Protocol" says

    DHCP uses the BOOTP message format defined in RFC 951 and given in
    table 1 and figure 1.  The 'op' field of each DHCP message sent from
    a client to a server contains BOOTREQUEST.  BOOTREPLY is used in the
    'op' field of each DHCP message sent from a server to a client.

so, again, the only valid opcode values are 1 and 2.

Either a client is sending out a BOOTP/DHCP message with an invalid opcode, and no server is sending a reply to that, or the server is sending out the message with the invalid opcode, and the client is ignoring it.


answered 26 Jan '17, 20:46


Guy Harris ♦♦

BOOTP is the Wireshark name for DHCP. Both protocols run on the same UDP ports (67 and 68). DHCP is based on the BOOTP frame format and added a few options.

A DHCP or BOOTP message starts with a fixed block of parameters and is followed by a series of options. Each option is a tuple of a numeric identifier, a length and a value field.

Virtually every DHCP message should have option 53 present. This is the message type. The majority of DHCP frames are of type Discover, Offer, Request or Acknowledge, but there are more.

The error message indicates that the dissector encountered the option number 0. As Wireshark does not know about this option number, you get your error message.

Either the frame was corrupted during transmission or the sender (or DHCP relay agent) has a bug in its DHCP implementation. A trace file or at least a screenshot would greatly aid my curiosity.

Good hunting.


answered 26 Jan '17, 11:10


packethunter

edited 26 Jan '17, 20:35


Guy Harris ♦♦

Thank you packethunter

Unfortunately I can't provide the pcap, but your answer definitely helps.

(26 Jan '17, 12:59) JuniperGuy

Presumably when you said "TFTP" you meant "DHCP". I'll fix the answer.

(26 Jan '17, 20:35) Guy Harris ♦♦

How embarrassing.

Please excuse me while I go and hide behind my network cabinet for the rest of the day. And thank you for fixing the answer.

(27 Jan '17, 09:04) packethunter
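The two answers above look at the same message from different angles: the fixed RFC 951 header with its one-byte `op` field, and the RFC 2132 option list in which option 53 carries the DHCP message type. The checker below is an added example written for this thread, not code from the original posts or from Wireshark's own dissector. It parses a raw BOOTP/DHCP UDP payload with the Python standard library only and reports both conditions: an `op` other than 1 or 2 (which is what produces the "Unknown BOOTP message type (0)" line), and a DHCP message whose option 53 is missing, truncated or of the wrong length. The helper `build_message`, with its transaction ID and MAC address, is constructed test input, not a capture.

```python
import struct

# RFC 951 'op' values; anything else is what Wireshark reports as
# "Unknown BOOTP message type (N)".
BOOTREQUEST, BOOTREPLY = 1, 2
OP_NAMES = {BOOTREQUEST: "BOOTREQUEST", BOOTREPLY: "BOOTREPLY"}

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 section 2: marks the start of the options area
DHCP_MESSAGE_TYPE = 53            # RFC 2132 section 9.6
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
             5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}

# RFC 951 fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
FIXED_HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def parse_options(buf):
    """Walk the RFC 2132 option list of (code, length, value) tuples.

    Pad (0) is a single byte with no length; End (255) terminates the list.
    Returns (dict code -> value bytes, list of problems found).
    """
    opts, problems, i = {}, [], 0
    while i < len(buf):
        code = buf[i]
        if code == 0:                      # Pad
            i += 1
            continue
        if code == 255:                    # End
            return opts, problems
        if i + 1 >= len(buf):
            problems.append(f"option {code} truncated before its length byte")
            return opts, problems
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) != length:
            problems.append(f"option {code} truncated: length says {length}, "
                            f"{len(value)} bytes left")
            return opts, problems
        opts[code] = value                 # a later duplicate overwrites an earlier one
        i += 2 + length
    problems.append("option list is not terminated by End (255)")
    return opts, problems


def check_bootp(payload):
    """Parse a raw BOOTP/DHCP UDP payload.

    Returns (info dict, list of problems). An empty problem list means the op
    field is valid and, for DHCP, option 53 is present with a one-byte value.
    """
    if len(payload) < FIXED_HEADER.size:
        return {}, [f"payload too short for the fixed header ({len(payload)} bytes)"]
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, file_) = FIXED_HEADER.unpack_from(payload)
    problems = []
    info = {"op": op, "op_name": OP_NAMES.get(op, "Unknown"), "xid": xid,
            "chaddr": chaddr[:min(hlen, 16)].hex(":"), "dhcp": False,
            "msg_type": None}
    if op not in OP_NAMES:
        problems.append(f"Unknown BOOTP message type ({op})")
    rest = payload[FIXED_HEADER.size:]
    if rest[:4] != DHCP_MAGIC:
        return info, problems              # plain BOOTP: vendor area, no DHCP options
    info["dhcp"] = True
    opts, opt_problems = parse_options(rest[4:])
    problems += opt_problems
    mt = opts.get(DHCP_MESSAGE_TYPE)
    if mt is None:
        problems.append("DHCP message without option 53 (DHCP Message Type)")
    elif len(mt) != 1:
        problems.append(f"option 53 has length {len(mt)}, expected 1")
    else:
        info["msg_type"] = MSG_TYPES.get(mt[0], f"Unknown ({mt[0]})")
    return info, problems


def build_message(op, msg_type, xid=0x3903F326, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Constructed DHCP message for testing (assumed values, not from a capture)."""
    zero4 = b"\x00" * 4
    header = FIXED_HEADER.pack(op, 1, len(mac), 0, xid, 0, 0x8000,
                               zero4, zero4, zero4, zero4,
                               mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return header + DHCP_MAGIC + bytes([DHCP_MESSAGE_TYPE, 1, msg_type, 255])


if __name__ == "__main__":
    for label, msg in [("valid Offer", build_message(BOOTREPLY, 2)),
                       ("op = 0", build_message(0, 2))]:
        info, problems = check_bootp(msg)
        print(label, info["op_name"], info["msg_type"], problems)
```

Fed a payload taken from the capture (for instance via Wireshark's "Copy as Hex Stream" on the BOOTP layer and `bytes.fromhex`), it tells you which of the two cases you are looking at: a bad `op`, which points at the sender's or relay agent's code, or a damaged option list, which is more consistent with corruption in transit. To isolate such frames inside Wireshark itself, filter on the op field with `bootp.type == 0` (the dissector and its fields were renamed to `dhcp.*` in Wireshark 3.0, so `dhcp.type == 0` on current releases).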
question asked: 26 Jan '17, 08:30

question was seen: 5,765 times

last updated: 27 Jan '17, 09:04