I use Splunk to graph DHCP requests. To get all the info I need, I use Debug for DHCP packets. This gives me the information that I need, but it's hard to put it together. This is because there may be more than one request within nearly the same second. If this happens, my Splunk transaction may mix packets from one request with another.
MikroTik has already added a log ID to every DHCP request, but only sends it out in some of the packet messages. Take a look at this request:
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Domain-Server = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Router = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Subnet-Mask = 255.255.254.0
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Address-Time = 86400
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Server-Id = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Msg-Type = ack
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: chaddr = C0:E8:62:1B:F1:77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: siaddr = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: yiaddr = 10.10.10.142
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: ciaddr = 0.0.0.0
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending ack with id 3432339870 to 10.10.10.142
2019-04-15 14:38:01 dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.142 to C0:E8:62:1B:F1:77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Host-Name = "iPhone"
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Server-Id = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Address-Request = 10.10.10.142
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Client-Id = 01-C0-E8-62-1B-F1-77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Max-DHCP-Message-Size = 1500
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Parameter-List = Subnet-Mask,Classless-Route,Router,Domain-Server,Domain-Name,Domain-Search,Auto-Proxy-Config
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Msg-Type = request
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: chaddr = C0:E8:62:1B:F1:77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: ciaddr = 0.0.0.0
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: secs = 2
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 3432339870 from 0.0.0.0
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: Domain-Server = 10.10.10.1
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: Router = 10.10.10.1
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: Subnet-Mask = 255.255.254.0
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: Address-Time = 86400
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: Server-Id = 10.10.10.1
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: Msg-Type = offer
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: chaddr = C0:E8:62:1B:F1:77
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: siaddr = 10.10.10.1
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: yiaddr = 10.10.10.142
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: ciaddr = 0.0.0.0
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending offer with id 3432339870 to 10.10.10.142
You can see that id 3432339870 is used on only some of the messages; I need it on all.
So a suggestion for the log would be something like this:
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Domain-Server = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Router = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Subnet-Mask = 255.255.254.0
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Address-Time = 86400
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Server-Id = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Msg-Type = ack
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, chaddr = C0:E8:62:1B:F1:77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, siaddr = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, yiaddr = 10.10.10.142
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, ciaddr = 0.0.0.0
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, DHCP-vlan1-Home sending ack to 10.10.10.142
2019-04-15 14:38:01 dhcp,info MikroTik: id = 3432339870, DHCP-vlan1-Home assigned 10.10.10.142 to C0:E8:62:1B:F1:77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Host-Name = "iPhone"
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Server-Id = 10.10.10.1
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Address-Request = 10.10.10.142
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Client-Id = 01-C0-E8-62-1B-F1-77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Max-DHCP-Message-Size = 1500
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Parameter-List = Subnet-Mask,Classless-Route,Router,Domain-Server,Domain-Name,Domain-Search,Auto-Proxy-Config
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Msg-Type = request
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, chaddr = C0:E8:62:1B:F1:77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, ciaddr = 0.0.0.0
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, secs = 2
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, DHCP-vlan1-Home received request from 0.0.0.0
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, Domain-Server = 10.10.10.1
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, Router = 10.10.10.1
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, Subnet-Mask = 255.255.254.0
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, Address-Time = 86400
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, Server-Id = 10.10.10.1
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, Msg-Type = offer
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, chaddr = C0:E8:62:1B:F1:77
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, siaddr = 10.10.10.1
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, yiaddr = 10.10.10.142
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, ciaddr = 0.0.0.0
2019-04-15 14:38:00 dhcp,debug,packet MikroTik: id = 3432339870, DHCP-vlan1-Home sending offer to 10.10.10.142
PS: I use Debug since I like the hostname that is used for requesting an IP. If MT would change the hostname to the normal log, I could save logging space by dropping debug, so change:
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: id = 3432339870, Host-Name = "iPhone"
to
2019-04-15 14:38:01 dhcp,info MikroTik: id = 3432339870, Host-Name = "iPhone"
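Until the id is present on every line, the lines can still be grouped by order: in the log above (shown newest first), each packet's option lines follow its "received/sending ... with id" line in time. The Python below is an added example, not part of the original post and not MikroTik or Splunk code; it assumes a packet's lines arrive contiguously, and the second request in the sample (id 1111111111, MAC AA:BB:CC:00:00:01, host "laptop") is constructed.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<topics>\S+) MikroTik: (?P<msg>.*)$")
# Per-packet header line, format taken from the log on this page.
HEADER = re.compile(r"(?P<server>\S+) (?P<dir>sending|received) (?P<type>\w+) "
                    r"with id (?P<id>\d+) (?:to|from) (?P<peer>\S+)$")
FIELD = re.compile(r"(?P<key>[\w-]+) = (?P<val>.*)$")

def group_by_id(lines_oldest_first):
    """Return {id: [packet, ...]}; each packet is a dict of its option fields."""
    sessions = defaultdict(list)
    current = None
    for raw in lines_oldest_first:
        m = LINE.match(raw.strip())
        if not m or m["topics"] != "dhcp,debug,packet":
            continue  # the dhcp,info "assigned" line carries no packet fields
        h = HEADER.match(m["msg"])
        if h:  # a header opens a new packet and supplies the id for what follows
            current = {"ts": m["ts"], "dir": h["dir"], "Msg-Type": h["type"]}
            sessions[h["id"]].append(current)
            continue
        f = FIELD.match(m["msg"])
        if f and current is not None:
            current[f["key"]] = f["val"].strip('"')
    return dict(sessions)

# Constructed sample, newest first like the page: trimmed lines from the post
# plus one constructed second request logged in the same second.
SAMPLE_NEWEST_FIRST = """\
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Host-Name = "laptop"
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Msg-Type = request
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: chaddr = AA:BB:CC:00:00:01
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 1111111111 from 0.0.0.0
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Msg-Type = ack
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: yiaddr = 10.10.10.142
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending ack with id 3432339870 to 10.10.10.142
2019-04-15 14:38:01 dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.142 to C0:E8:62:1B:F1:77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Host-Name = "iPhone"
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: Msg-Type = request
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: chaddr = C0:E8:62:1B:F1:77
2019-04-15 14:38:01 dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 3432339870 from 0.0.0.0
"""

def demo():
    # Reverse to oldest-first so each header precedes its option lines.
    return group_by_id(reversed(SAMPLE_NEWEST_FIRST.splitlines()))
```

If two packets' lines are interleaved in the stream, this ordering-based grouping misattributes fields, which is the gap the per-line id proposed above would close.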