UEFI-PXE-Boot (Asus t100 Tablet)

george1421

@Sebastian-Roth I agree here. The image below with starting ipxv4 indicates that the firmware IS seeing that the network interface is pxe bootable (otherwise no boot option). And it is attempting to init it. I would go the tcpdump route if the FOG server and target computer is on the same subnet/broadcast domain.

with this command tcpdump -w output.pcap port 67 or port 68 that would be executed on your FOG server and then attempt to boot the target computer. Stop the tcpdump program after your target computer errors out. Then upload the pcap file here.

K.Hays

@george1421 said in UEFI-PXE-Boot (Asus t100 Tablet):

tcpdump -w output.pcap port 67 or port 68

When i run this command i get “tcpdump: no suitable device found”
Tcpdump is installed, and i can run it with just the tcpdump command, but this specific line is not working.

Quazz

@K.Hays try

sudo tcpdump -w issue.pcap -i eth0

(make sure the interface is specified correctly there)

george1421

@Quazz just for clarity you also need the filter part in addition to the interface selection.

K.Hays

@Quazz Thanks, i rebooted and was able to run the previous command.

Quazz

@george1421 You can, but you could also filter afterwards so it doesn’t matter much imo.

george1421

@Quazz said in UEFI-PXE-Boot (Asus t100 Tablet):

@george1421 You can, but you could also filter afterwards so it doesn’t matter much imo.

The issue is without the filter part you will collect all broadcast traffic as well as unicast traffic to the device where you run tcpdump. This maybe too much to filter through (i.e. looking for a needle in the haystack). Also by only capturing the specific traffic there is little concern about other traffic leaking private info out if the pcap file is posted here.

Just for clarity the command should be this

sudo tcpdump -w issue.pcap -i eth0 port 67 or port 68

Depending on the flavor of linux you are running you may need the sudo command (which now that I think about it could have been the root cause of the interface not being found).

Wayne Workman

@K.Hays Please try to re-upload… wireshark is saying it’s damaged/corrupt.

george1421

@K.Hays Just so I’m looking at the correct dhcp request (I think I see it already) what is the mac address of this device?

If its the one I think I see it is a uefi device with a IE32 arch.

Also can you confirm that your dhcp server has an 10.40.0.x IP address?

K.Hays

@george1421 Would you need the mac address of the adapter or the tablet itself?
The mac adress of the adapter would be 9c:eb:e8:2b:7c:b1
Also the dhcp server does not have a 10.40.0.x address. it would be 10.100.0.x

george1421

@K.Hays OK that is the mac address of what I’m seeing.

What I see in your pcap file is the tablet asking for dhcp stuff but your dhcp server never responds. I do see other clients sending informs (dhcp client saying hello i’m here but nothing from your dhcp server.)

OK then that explains why the pcap is missing the dhcp server responses. You have the dhcp server on a different subnet, so then your router must have a dhcp-relay service running. If this is the case the responses from the dhcp server will be unicast on the client side.

K.Hays

This post is deleted!

george1421

@K.Hays ok I see the same results in this pcap file.

You have an unfortunate situation here.

Because of the way a switched network works the fog server (packet capture device) will never see unicast communication that its not directly involved with. So what you must do is insert the packet capture device in the data path between the two unicast devices.

Its not as complicated as it sounds, if you switch has a port mirroring capabilities then you can mirror the traffic going to your router interface on the client subnet to the network interface where your packet capture device is running. The port mirroring will echo all traffic going into and out of the link that goes to your router to the packet capture device. I feel this is more complicated of a setup than you are ready for. But if you can do this, then use wireshark to capture this traffic into a pcap file.

Another solution is to move this device to the same subnet as your dhcp server (for debugging purposes only), as well as setup wireshark on a laptop (or what ever) and capture the dhcp broadcast traffic from there. You won’t get the tftp stuff, but I think the error so far is on the dhcp side.

K.Hays

@george1421 The client and the fog server are on the same switch, different ports. The dhcp is on the other side of the network. Were talking about what to do next, just thought this may be valuable information. We are also looking for any dhcp settings that may need to be switched to accommodate for a uefi device.

george1421

@K.Hays The key will be to get the dhcp server, booting client and packet capture device into the same broadcast domain (subnet). To get a clean capture. This will avoid having to mess with switch configuration for port mirroring.

Also for clarity, your dhcp server is a microsoft dhcp server? If its a 2012 dhcp server we have a few more options when dealing with bios and uefi clients. Typically the dhcp server should just hand out dhcp addresses unless you are doing something already for bios and uefi clients. In that case this device is a IA32 device where most computers are x64 which has a different arch ID.

Sebastian Roth

Why do we see so many malformed packets in the dump file. Never seen this before!! The issue with Windows DHCP server is that it does not broadcast the DHCP answers (if I remember correctly). So we will see the DHCP discovery packets from the client but not the answers.

@K-Hays Would you be able to install wireshark on that DHCP server? Then open it up, start capturing, put bootp || tftp as display filter and boot up your client. When you see the error stop wireshark. Then export only the packets that are seen by the display filter (there is an option in the export dialog. Other than that there are only more complicated ways of getting the information. One would be to use a hub (instead of a switch) to connect the client to the rest of the network. On every port of that hub you can capture the client’s network traffic using another computer using wireshark again.

george1421

@Sebastian-Roth said:

Why do we see so many malformed packets in the dump file. Never seen this before!! The issue with Windows DHCP server is that it does not broadcast the DHCP answers (if I remember correctly).

I was wondering when Mr. PCAP was going to wake up and join in.

If I remember correctly on how a dhcp-relay works, is that on the return trip sending stuff from the dhcp server to the client on another subnet it uses unicast messages and not broadcast (or it uses a directed broadcast which is similar to a unicast).

Sebastian Roth

@george1421 said in UEFI-PXE-Boot (Asus t100 Tablet):

I was wondering when Mr. PCAP was going to wake up and join in.

Well… I am sorry but I get paid now for doing same kind of debugging stuff at my new job. Trying to keep up with the forums but it’s not easy!

I think I missed the part about dhcp helpers and subnets. I don’t see different subnets in the packet dump?!? Beside that I think it depends on the relay being used. If I remember correctly we had always broadcasts when using ISC-DHCP-RELAY in our network back at the old working place.

george1421

@Sebastian-Roth yeah it was a bit buried in the text.

k.hayes posted: Also the dhcp server does not have a 10.40.0.x address. it would be 10.100.0.x

This tells me that the dhcp server is some place else and they must have two or more subnets and to have a single dhcp server they must be using a dhcp-relay / helper service. It was a bunch of reading the tea leaves here, but tha tis how I came up with my conclusion.

K.Hays

@george1421 We have a Dhcp relay, and a total of 5 different subnets. The dhcp is also running Microsoft server 2008. We may try to bring the client pc and the capture device to the Dhcp on Friday.