[Dshield] Port :6666 question

Johannes B. Ullrich jullrich at euclidian.com
Wed Jul 25 20:02:27 GMT 2001

This is a DHCP client trying to find a DHCP server to have an IP address
assigned. It's regular traffic you would expect on any DHCP managed
network. Most operating systems use DHCP by default if they have no
static IP assigned to them. The overall handshake looks like this:

1. System boots. It has no IP address at this point (
2. System sends a request for an IP address from port 68 (DHCP Client)
   to everyone's port 67 ( is the 'broadcast' address
   and goes to everyone on the local network.)
3. DHCP server responds. (the client will take the first one that

On Wed, 25 Jul 2001, Paul Marsh wrote:

> I read Ryan J Betz idea on blocking out bound :6666-:6668 traffic to see
> what would be captured by my firewall.  Well hopefully someone can tell me
> what this traffic means.
> Source  Destination
> I'm taking a guess that this is something broadcasting out for any response.
> I'd like to hunt this thing down, con some one point me in the right
> direction.
> Thanx, Paul
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see: http://www1.dshield.org/mailman/listinfo/dshield

jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System

More information about the list mailing list