Hi Jim,

I think, if I recall correctly, that DISCOVER are not logged by the legal log. I think if you supply a customized response-parser-format, you'll see the option 82 from the OFFER logged.

Thank you,
Darren Ankney

On Tue, Jan 28, 2025 at 4:51 PM Jim Springsteen <jim.springst...@southslope.com> wrote:
>
> After looking at the capture that is attached, I see that the information
> that I need logged is coming in as Option 82 suboption 9 (vendor information)
>
> I did add a request-parser-format line (see that below):
>
> "request-parser-format": "hexstring(pkt4.mac, ':') + ' / ' + addrtotext(pkt4.ciaddr) + ' / ' + relay4[1].hex + ' / ' + addrtotext(pkt4.giaddr)"
>
> With this I was able to get the info in the forensics log, but the discover
> comes across like this in the log:
>
> 2025-01-28 15:36:37 CST / 80:e8:2c:b0:fd:67 / 0.0.0.0 / / 198.49.62.1
>
> I don't see the info until I do a renewal of the dhcp client, then I see this:
>
> 2025-01-28 15:48:11 CST 80:e8:2c:b0:fd:67 / 67.55.241.229 / NLCOTest-E7-LAB:1/2/1/CXNK0029E3A6/g2 / 0.0.0.0
> 2025-01-28 15:48:12 CST 80:e8:2c:b0:fd:67 / 67.55.241.229 / NLCOTest-E7-LAB:1/2/1/CXNK0029E3A6/g2 / 0.0.0.0
> 2025-01-28 15:48:13 CST 80:e8:2c:b0:fd:67 / 67.55.241.229 / NLCOTest-E7-LAB:1/2/1/CXNK0029E3A6/g2 / 0.0.0.0
> 2025-01-28 15:48:16 CST 80:e8:2c:b0:fd:67 / 67.55.241.229 / / 198.49.62.1
>
> Thanks,
> Jim Springsteen
> Data Administrator
>
> jim.springst...@southslope.com | southslope.com
> 319-626-2211 main | 319-665-5334 direct
> 980 North Front St, North Liberty, IA 52317
>
> -----Original Message-----
> From: Kea-users <kea-users-boun...@lists.isc.org> On Behalf Of kea-users-requ...@lists.isc.org
> Sent: Friday, January 24, 2025 5:08 AM
> To: kea-users@lists.isc.org
> Subject: Kea-users Digest, Vol 127, Issue 21
>
> Today's Topics:
>
> 1. Re: Kea DHCP forensic logging (Darren Ankney)
> 2. Option 125 suboption 1 not send (DDFR | Ronald Blaas)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 23 Jan 2025 13:27:59 -0500
> From: Darren Ankney
> To: "Kea user's list" <kea-users@lists.isc.org>
> Subject: Re: [Kea-users] Kea DHCP forensic logging
>
> Hi Jim,
>
> Could you provide a .pcap file showing the DORA exchange from some client
> that contains this option 82 data? I would like to see what is
> different.
> It should look something like this:
>
> 2025-01-23 17:58:28 UTC Address: 192.168.20.113 has been assigned for 8 hrs 0 mins 0 secs to a device with hardware address: hwtype=1 d2:4d:e0:33:23:dc connected via relay at address: 192.168.20.1, identified by circuit-id: 69:67:63:30:2e:32:30 (igc0.20), context: { "ISC": { "relay-agent-info": { "sub-options": "0x0107696763302E3230" } } }
>
> Note that the ASCII of the circuit-id is shown in parenthesis following the
> hex circuit-id
>
> It is possible that yours is encoded differently? You might need to make a
> custom "request-parser-format", "response-parser-format", or both (see here:
> https://kea.readthedocs.io/en/kea-2.6.1/arm/hooks.html#configuring-the-forensic-logging-hooks).
> These use the same expression syntax as client-classification (see here:
> https://kea.readthedocs.io/en/kea-2.6.1/arm/classify.html#using-expressions-in-classification).
>
> Thank you,
> Darren Ankney
>
> On Tue, Jan 21, 2025 at 4:34 PM Jim Springsteen <jim.springst...@southslope.com> wrote:
> >
> > Darren,
> >
> > I appreciate your response.
> > I did follow the example and this is what I have in my config:
> >
> > "hooks-libraries": [
> >     {
> >         "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_legal_log.so",
> >         "parameters": {
> >             "path": "/var/log/kea",
> >             "base-name": "kea-forensic4"
> >         }
> >     },
> >
> > But in my kea-forensic4 log, I have this entry:
> >
> > "identified by circuit-id: 00:04:00:00:00:06 and remote-id: 00:06:ac:3a:67:d6:de:f2"
> >
> > I have confirmed via tcpdump that the server is receiving a string of
> > characters as the circuit ID from my access gear.
> >
> > I am not sure what I am missing.
> >
> > Thanks,
> > Jim Springsteen
> > Data Administrator
> >
> > jim.springst...@southslope.com | southslope.com
> > 319-626-2211 main | 319-665-5334 direct
> > 980 North Front St, North Liberty, IA 52317
> >
> > --
> > ISC funds the development of this software with paid support subscriptions.
> > Contact us at https://www.isc.org/contact/ for more information.
> >
> > To unsubscribe visit https://lists.isc.org/mailman/listinfo/kea-users.
> >
> > Kea-users mailing list
> > Kea-users@lists.isc.org
> > https://lists.isc.org/mailman/listinfo/kea-users
>
> ------------------------------
>
> Message: 2
> Date: Fri, 24 Jan 2025 11:07:59 +0000
> From: DDFR | Ronald Blaas
> To: "kea-users@lists.isc.org" <kea-users@lists.isc.org>
> Subject: [Kea-users] Option 125 suboption 1 not send
>
> Hi all
>
> I must be forgetting something..
>
> I have 2 type of Genexis CPEs the 2410 and the 3410
>
> Configuring option125 sub 2 and 4 for the Genexis 3410 are working as planned
>
> But somehow I can't get the option125 sub1 working for the Genexis 2410
>
> Looking at a Wireshark I see that option125 isn't even sent to the client
> Looking in the kea dhcp log I do see that the client is a member of the
> correct client-class.
>
> I might be overlooking something.
>
> Anyone an idea?
>
> Relative config below:
> (kea-dhcp.conf)
> "option-def": [
>     {
>         "array": false,
>         "code": 1,
>         "name": "gaps",
>         "space": "vendor-25167",
>         "type": "string"
>     },
>     ......
>
> "client-classes": [
>     {
>         "name": "Genexis-Gaps",
>         "test": "(substring(option[60].hex,0,6) == 'geneos')",
>         "option-data": [
>             {
>                 "name": "gaps",
>                 "space": "vendor-25167",
>                 "data": "s=xx.xx.xx.xx;v=108",
>                 "always-send": true
>             }
>         ]
>     },
>
> Regards,
>
> Ronald
>
> ------------------------------
>
> End of Kea-users Digest, Vol 127, Issue 21
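Added example, not part of the original thread and not Kea code: a parser for the option 82 (relay agent information) `sub-options` hex value that appears in the forensic log context quoted above, useful for checking which sub-options a relay actually sent and whether they are printable text or binary. The sub-option 9 layout follows RFC 4243; the function names and the sub-option 9 sample bytes (enterprise number 99999, data "port-1") are constructed for illustration.

```python
import struct

NAMES = {1: "circuit-id", 2: "remote-id", 9: "vendor-specific"}

def render(data: bytes) -> str:
    """ASCII if every byte is printable, else colon-separated hex as in the log lines."""
    if data and all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return ":".join(f"{b:02x}" for b in data)

def parse_vendor(body: bytes):
    """RFC 4243 sub-option 9: repeated (4-byte enterprise number, 1-byte length, data)."""
    out, i = [], 0
    while i < len(body):
        if i + 5 > len(body):
            raise ValueError("truncated vendor block header")
        enterprise, n = struct.unpack_from("!IB", body, i)
        i += 5
        if i + n > len(body):
            raise ValueError("vendor data runs past sub-option 9")
        out.append((enterprise, render(body[i:i + n])))
        i += n
    return out

def parse_option82(hexstr: str):
    """Split an option 82 payload (hex, optional 0x prefix) into (name, value) pairs."""
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    subs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        code, n = raw[i], raw[i + 1]
        i += 2
        if i + n > len(raw):
            raise ValueError(f"sub-option {code} claims {n} bytes, {len(raw) - i} left")
        body, i = raw[i:i + n], i + n
        name = NAMES.get(code, f"sub-option-{code}")
        subs.append((name, parse_vendor(body) if code == 9 else render(body)))
    return subs

# Value taken from the forensic log line quoted in the thread.
FROM_THREAD = "0x0107696763302E3230"
# Constructed from the circuit-id / remote-id bytes quoted in the thread.
BINARY_IDS = "0106000400000006" "02080006ac3a67d6def2"
# Constructed sample: enterprise number 99999 and data "port-1" are placeholders.
VENDOR_SAMPLE = "090B0001869F06706F72742D31"

if __name__ == "__main__":
    for sample in (FROM_THREAD, BINARY_IDS, VENDOR_SAMPLE):
        print(parse_option82(sample))
```

Malformed lengths raise `ValueError` instead of being read past the end of the buffer, which matters when the hex comes from untrusted relay or client input.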