julsemaan / udp-reflector

GNU General Public License v3.0

udp-reflector does not work on CentOS 7 system #1

Open kkkimiko opened 5 years ago

kkkimiko commented 5 years ago

I followed the steps below to install udp-reflector, hoping it would forward the DHCP traffic to my PacketFence server, but found that the transferred packets are not DHCP packets any more. I compared the sent packets and the received packets, and found that the packet length was changed after udp-reflector forwarded them. Is there any way to fix it?

For CentOS 7:

# for x86_64
# wget http://inverse.ca/downloads/PacketFence/CentOS7/extra/x86_64/RPMS/udp-reflector-1.0-6.1.x86_64.rpm

Now install the sensor:

# rpm -i udp-reflector-*.rpm

Compiling the sensor from source on a Linux system

First make sure you have the following packages installed:

libpcap

libpcap-devel

gcc-c++

Get the source code of the sensor:

# mkdir -p ~/udp-reflector && cd ~/udp-reflector
# wget http://inverse.ca/downloads/PacketFence/udp-reflector/udp_reflector.cpp
# g++ udp_reflector.cpp -o /usr/local/bin/udp_reflector -lpcap

Configuring the Sensor

Place the following line in /etc/rc.local

where pcap0 is the pcap interface where your DHCP server listens on. (List them using udp_reflector -l)

where 192.168.1.5 is the management IP of your PacketFence server

/usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

Start the sensor:

# /usr/local/bin/udp_reflector -s pcap0:67 -d 192.168.1.5:767 -b 25000 &

image

julsemaan commented 5 years ago

The packet you've shown is not for the same transaction ID so it could be perfectly normal that the length is different.

If you take the same packet/transaction and compare it, you could find where the difference in the packet is if there is one.

Perhaps you think that it's not DHCP anymore because Wireshark is not showing them as DHCP anymore, since the port has been changed, but they are still DHCP packets.

kkkkkky commented 5 years ago

No. I can't find any packets that have the same transaction ID, because every packet has 2 more bytes added after udp-reflector forwards it. You can refer to the image below: the left part is what I got from my traffic mirror port, and Wireshark recognizes it well. The right part, which was transferred by udp-reflector from the source host with the traffic mirror port, is what I got from my pf eth0 port. The data in the right part actually covers the bootp packets from the left part, but there are 2 more bytes than in the left. Maybe this is the reason Wireshark can't recognize it.

image

julsemaan commented 5 years ago

Are you able to tell what bytes are added, and where?

And the reason why Wireshark isn't recognizing it is just that you need to tell it to decode port 767 as DHCP.

If you want, attach your pcap to the issue here and I'll take a look, but I'm almost sure I'll be able to decode it and find you the same transaction ID.

kkkkkky commented 5 years ago

From the above capture you can see that "00 44 01 50 50 ad" is part of the original UDP header, but these bytes become part of the UDP data in the right part. udp-reflector should reflect the original UDP packets 1:1, but now it doesn't. That's why Wireshark couldn't recognize it.
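
One way to establish what was added and where, without relying on Wireshark's port-based dissection (an added example, not part of the thread and not code from udp-reflector): locate the BOOTP message inside each UDP payload by its magic cookie, then compare transaction IDs and report any stray leading bytes. The function names and the sample payload are constructed for illustration, and the inputs are assumed to be raw UDP payload bytes already extracted from the two captures.

```python
import struct

MAGIC_COOKIE = bytes.fromhex("63825363")  # RFC 2131 DHCP magic cookie
FIXED_LEN = 236  # BOOTP fixed fields (op .. file); the cookie follows at this offset


def locate_bootp(payload: bytes):
    """Return (shift, xid) for the first plausible BOOTP message in a UDP
    payload, or None. shift is the number of stray bytes before the message."""
    pos = payload.find(MAGIC_COOKIE)
    while pos != -1:
        start = pos - FIXED_LEN
        if start >= 0:
            op, htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, start)
            # op 1 = BOOTREQUEST, 2 = BOOTREPLY; chaddr holds at most 16 bytes
            if op in (1, 2) and htype != 0 and hlen <= 16:
                return start, xid
        pos = payload.find(MAGIC_COOKIE, pos + 1)
    return None


def compare(original: bytes, forwarded: bytes) -> dict:
    """Compare a mirrored payload with its forwarded copy."""
    a, b = locate_bootp(original), locate_bootp(forwarded)
    if a is None or b is None:
        return {"match": False, "reason": "no BOOTP message found"}
    (a_off, a_xid), (b_off, b_xid) = a, b
    return {
        "match": a_xid == b_xid and original[a_off:] == forwarded[b_off:],
        "xid": f"0x{b_xid:08x}",
        "extra_leading_bytes": forwarded[:b_off].hex(" "),
        "shift": b_off - a_off,
    }


def build_discover(xid: int) -> bytes:
    """Constructed sample: minimal DHCPDISCOVER payload (not taken from the issue)."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op..flags
    fixed += bytes(16)                                        # ciaddr..giaddr
    fixed += bytes.fromhex("020000000001").ljust(16, b"\0")   # chaddr
    fixed += bytes(64 + 128)                                  # sname, file
    return fixed + MAGIC_COOKIE + bytes([53, 1, 1, 255])      # option 53, end


if __name__ == "__main__":
    mirrored = build_discover(0x3D1D2E4F)
    forwarded = b"\x01\x50" + mirrored  # constructed: two stray bytes in front
    print(compare(mirrored, forwarded))
```

A non-zero `shift` with `match` true means the DHCP message itself survived forwarding and only the listed leading bytes were prepended to the payload.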

julsemaan commented 5 years ago

Seems like you're right actually.

My guess is that this is something related to a library the reflector uses.

I didn't write the reflector; it's a fork from https://code.google.com/archive/p/udp-reflector/ which is not maintained anymore from what I can tell.

I would suggest you use Inverse's version of this especially if you want to use it with PacketFence: https://github.com/inverse-inc/packetfence-dhcp-forwarder

I'm likely not going to touch this code since I suspect this issue would require many hours of debugging, so using the above repo instead should be better since we (Inverse) will be more likely to troubleshoot that one.

kkkkkky commented 5 years ago

Thank you for your reply. Actually there is no Linux-based dhcp-forwarder, if you have read the PacketFence admin guide... When it comes to a Linux dhcp-forwarder, it refers to udp-reflector...

Anyway, I asked my honey for help and he has written a tool in golang with the same function as udp-reflector. I just tested it and it works well. Thank you all the same. And I recommend this tool if anyone else has the same requirement. ~~ The project address: https://github.com/0851/pcap-udp-forward