Log DHCP request with Sniffer/Ethereal...

  • Thread starter: Malic

Malic

Hello

We are experiencing the following issue with new PCs we have purchased from
IBM. We did not experience the issue with machines before the IBM
thinkcentres we purchased.

Environment:
Windows2k AD with Integrated DNS and a separate member server for DHCP.
Workstations are Windows XP SP1

Issue:
On a warm or cold boot, immediately login and it will not run our kixtart
login script from Domain. After being logged in for 30 seconds to 1 minute
we then get our network connection. Browse internet connect to email etc...
We have to log off and log back in to reprocess our login script.

Troubleshooting...
This has been going on for over 1 month now. We have explored endless
possibilities...
IBM is trying to say it is our DHCP not giving machines IPs.

I need to log all DHCP traffic. From request to acknowledgement. I was
attempting to use Ethereal to capture the traffic on UDP port 67 and 68.
But I'm not seeing anything. No source or destination.

How can I capture a detailed log with times and the above information?

Thanks,
 
Set up the span port on your switch for whatever workstation you want to
capture traffic for. Run Ethereal and do a capture (take everything -
should be that much) and do a display filter (you can just put this in the
bottom filter window):
bootp.dhcp == 1
(that is two ='s, one right after the other)
That will tell you if you have any dhcp traffic on the network or not.

HTH,
Ed Horley
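
Added example (not part of the original thread): once traffic is captured as Ed describes, a DHCP log with times, from the first client message to the ACK, can be built from the UDP port 67/68 payloads. The packet bytes, MAC address and timestamps below are constructed sample input, and the function names are this example's own.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie at offset 236 (RFC 2131)
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload):
    """Parse the UDP payload of a port 67/68 datagram; None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    _op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + min(hlen, 16)])
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # pad: no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                   # truncated option
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if payload[i] == 53 and len(value) == 1:    # option 53 = message type
            msg_type = TYPES.get(value[0], f"TYPE{value[0]}")
        i += 2 + length
    return {"xid": xid, "mac": mac, "type": msg_type}

def dhcp_log(frames):
    """frames: (seconds, udp_payload) pairs. Returns (log lines, ack delays)."""
    lines, first, delay = [], {}, {}
    for ts, payload in frames:
        msg = parse_dhcp(payload)
        if msg is None or msg["type"] is None:
            continue
        key = (msg["mac"], msg["xid"])
        lines.append(f"{ts:8.3f} {msg['mac']} xid={msg['xid']:#010x} {msg['type']}")
        if msg["type"] in ("DISCOVER", "REQUEST"):
            first.setdefault(key, ts)               # first client message
        elif msg["type"] == "ACK" and key in first:
            delay.setdefault(key, round(ts - first[key], 3))
    return lines, delay

def build(op, xid, mac, msg_type):
    """Constructed sample packet: fixed BOOTP header plus option 53 only."""
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + bytes(16)
    return head + mac + bytes(10 + 192) + MAGIC + bytes([53, 1, msg_type, 255])

MAC = bytes.fromhex("001122334455")                 # constructed address
SAMPLE = [(0.000, build(1, 0x1234, MAC, 1)), (0.012, build(2, 0x1234, MAC, 2)),
          (0.013, build(1, 0x1234, MAC, 3)), (2.450, build(2, 0x1234, MAC, 5))]

if __name__ == "__main__":
    log, delays = dhcp_log(SAMPLE)
    print("\n".join(log), delays, sep="\n")
```

A gap between the first DISCOVER and the ACK in this log, compared with the moment the user logs in, shows whether the lease arrived too late for the login script.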
 
Malic said:
We are experiencing the following issue with new PCs we have purchased from
IBM. We did not experience the issue with machines before the IBM
thinkcentres we purchased.

You may be looking in the wrong place. This may not be IBM thinkcentre related
at all. You may be experiencing this problem simply because you have faster
machines now. Read on...

[snip]
Issue:
On a warm or cold boot, immediately login and it will not run our kixtart
login script from Domain. After being logged in for 30 seconds to 1 minute
we then get our network connection. Browse internet connect to email etc...
We have to log off and log back in to reprocess our login script.

This sounds _very_ familiar to me...

Assuming that you have a switched network, make sure that workstation ports
go into the forwarding state as soon as link integrity is established. On Cisco
switches the feature you are looking for is called 'portfast'.

Normal spanning tree behavior is to set a port blocking until the spanning tree
protocol has decided that it must be forwarding. This takes 30-40 seconds.
During this time the port blocks all traffic. So DHCP will fail and you cannot
talk to your domain controllers.

For old slow systems, this may not be a problem because the system boot
takes longer than it takes spanning tree to set the switch port forwarding.
New fast machines will complete the boot cycle before the port goes into the
forwarding state and have no network connection for some time.

When configuring portfast, the port goes into the forwarding state immediately
and the spanning tree protocol may switch it back to blocking if there is a good
reason to (no workstation attached but another network switch that is closer to
the spanning tree root).

Alternatively you can switch off spanning tree at workstation ports, but portfast
is much more foolproof.

Good luck,
-Roger
 
We have spanning tree turned off. We are running older Baystack 303 10/100
switches and the NIC onboard is 10/100/1000. Our theory is that the driver
is bad and doesn't detect network speed until late in the login. It is
then too late to run login script and the users are logging into the locally
cached Windows XP account.

The onboard NIC is Intel 10/100/1000 VM

 
Malic,
Were you able to get Ethereal working to sniff the port traffic? If so,
what did you find - if not, what was the problem?

Regards,
Ed Horley

 
Malic said:
We have spanning tree turned off.

Then you cannot possibly have the problem I described.

Malic said:
We are running older Baystack 303 10/100
switches and the NIC onboard is 10/100/1000. Our theory is that the driver
is bad and doesn't detect network speed until late in the login. It is
then too late to run login script and the users are logging into the locally
cached Windows XP account.

You may want to observe the link integrity and link speed lights at both the
workstation and the switch during system startup. Then you know at what
moment link integrity is established and link speed has been negotiated.

I have seen a problem in the past where workstation and switch had problems
negotiating link speed. This resulted in unreliable network connections with
all kinds of problems. This was with a DELL optiplex GX1 and a Cisco 3500
series switch. A newer 3Com NIC driver resolved the problem, so you may
very well be looking in the right direction :-)

Good luck,
-Roger
 
Well, as of now, DHCP looks clean. IBM is telling us that Intel has
duplicated the problem and is working with Microsoft also to fix the issue.

Apparently it is an unusually long DHCP negotiation time. I guess we will
wait and see now.


