[syslinux] tftpd and broadcast

Geert Stappers stappers at stappers.nl
Mon Sep 4 11:00:35 PDT 2006


On Mon, Sep 04, 2006 at 07:42:54PM +0200, Geert Stappers wrote:
> On Mon, Sep 04, 2006 at 06:11:49PM +0200, Geert Stappers wrote:
   <snip/> 
> > I can confirm that version 0.42 of the HPA tftp daemon
> > does reply to broadcasts.
> 
> Yes, it does reply to broadcasts, but fails on further follow-up.
> 
> Below is what I see with a ethernet sniffer like tcpdump.
> The filter was set on the MAC address of the netbooting Sun UltraSparc5,
> which got it IP-address .15 by RARP from 172.24.0.10.
> At address .26 is the HPA tftp daemon which has the file AC18000F.
> 172.24.0.39 is another tftpd-hpa but hasn't the requested file.
> 
> 
> 19:17:35.232058 rarp who-is 08:00:20:a8:fc:fd tell 08:00:20:a8:fc:fd
> 19:17:35.234442 rarp reply 08:00:20:a8:fc:fd at 172.24.0.15
The RARP reply.

> 19:17:35.237505 IP 172.24.0.15.14671 > 172.24.0.10.69:  17 RRQ "AC18000F" octet 
> 19:17:35.240465 IP 172.24.0.10.3035 > 172.24.0.15.14671: UDP, length 19
.10 says "I don't have the file"

> 19:17:40.239974 arp who-has 172.24.0.15 tell 172.24.0.39
.39 is the same computer as .10  (that is probably why it is asking )

> 19:17:41.239871 arp who-has 172.24.0.15 tell 172.24.0.39
> 19:17:42.239790 arp who-has 172.24.0.15 tell 172.24.0.39
> 19:17:53.294672 IP 172.24.0.15.14671 > 255.255.255.255.69:  17 RRQ "AC18000F" octet 
The broadcast TFTP request.

> 19:17:53.301110 arp reply 172.24.0.15 is-at 08:00:20:a8:fc:fd
> 19:17:53.301156 IP 172.24.0.39.3035 > 172.24.0.15.14671: UDP, length 19
.39 says "I don't have the file"

> 19:17:53.308403 IP 172.24.0.26.33375 > 172.24.0.15.14671: UDP, length 516
> 19:17:54.305522 IP 172.24.0.26.33375 > 172.24.0.15.14671: UDP, length 516
> 19:17:56.305735 IP 172.24.0.26.33375 > 172.24.0.15.14671: UDP, length 516
Three replies from the TFTP server.

> 19:17:58.305811 arp who-has 172.24.0.15 tell 172.24.0.26
.26 wants to keep it's ARP cache up-to-date.

> 19:17:58.324567 IP 172.24.0.15.14671 > 172.24.0.26.33375: UDP, length 4
First Acknowledge from the TFTP client.

> 19:17:58.324688 IP 172.24.0.26 > 172.24.0.15: ICMP 172.24.0.26 udp port 33375 unreachable, length 40
TFTP server tells to TFTP client that he is not listing anymore ...

> 19:17:58.329974 arp reply 172.24.0.15 is-at 08:00:20:a8:fc:fd
> 19:17:58.335506 IP 172.24.0.15.14671 > 172.24.0.26.33375: UDP, length 4
> 19:17:58.335629 IP 172.24.0.26 > 172.24.0.15: ICMP 172.24.0.26 udp port 33375 unreachable, length 40
> 19:17:58.340920 arp reply 172.24.0.15 is-at 08:00:20:a8:fc:fd
> 19:17:58.346284 arp reply 172.24.0.15 is-at 08:00:20:a8:fc:fd
> 19:17:58.351854 IP 172.24.0.15.14671 > 172.24.0.26.33375: UDP, length 4
> 19:17:58.351971 IP 172.24.0.26 > 172.24.0.15: ICMP 172.24.0.26 udp port 33375 unreachable, length 40
> 19:17:59.305915 arp who-has 172.24.0.15 tell 172.24.0.26
> 19:18:00.306049 arp who-has 172.24.0.15 tell 172.24.0.26
> 19:18:00.306207 IP 172.24.0.26.33375 > 172.24.0.15.14671: UDP, length 516
This one is strange, it is another attempt server ...

> 19:18:00.310622 IP 172.24.0.15.14671 > 172.24.0.26.33375: UDP, length 4
> 19:18:00.310733 IP 172.24.0.26 > 172.24.0.15: ICMP 172.24.0.26 udp port 33375 unreachable, length 40
> 19:18:04.325325 IP 172.24.0.15.14671 > 172.24.0.26.33375: UDP, length 4
> 19:18:04.330666 arp reply 172.24.0.15 is-at 08:00:20:a8:fc:fd
> 19:18:04.330790 IP 172.24.0.26 > 172.24.0.15: ICMP 172.24.0.26 udp port 33375 unreachable, length 40
> 19:18:08.307169 IP 172.24.0.26.33375 > 172.24.0.15.14671: UDP, length 516
> 19:18:08.308876 IP 172.24.0.15.14671 > 172.24.0.26.33375: UDP, length 4
> 19:18:08.308996 IP 172.24.0.26 > 172.24.0.15: ICMP 172.24.0.26 udp port 33375 unreachable, length 40
> 19:18:12.318981 IP 172.24.0.15.14671 > 172.24.0.26.33375: UDP, length 4
> 19:18:12.319074 IP 172.24.0.26 > 172.24.0.15: ICMP 172.24.0.26 udp port 33375 unreachable, length 40
> 
> 
> Inline comment in the follow-up message.

Attached the ethersniffed data in libpcap format.


Cheers
Geert Stappers




More information about the Syslinux mailing list