12-12-2017 07:08 AM
I was looking at anomaly detection on our DHCP servers using the sourcetype=ib:dhcp:message. I noticed that the rate sums of all traffic I was coming up with were around double what I expected. This was exaggerating some of the peaks and valleys. It appears that the “si-search-dhcp-message” task is counting some of the IPV4 messages as IPV6 messages. If you are only interested in V4 DHCP and ignore the V6 totals in this summary, then you are OK. But if you have V6 traffic, you need to subtract the V4 traffic totals from the V6 totals to get a good picture.
This is an event from a box that is only getting V4 traffic. I validated with a lengthy packet capture and I’m seeing no V6 DHCP at all. Also, the totals always exactly match between the V4 and V6 events so I’m fairly certain that the V4 Traffic is just being added to the V6 totals.
I looked at the si-search-dhcp-message task and it will take a bit to sort out why it’s not matching on the protocol correctly. If anyone else has figured out where the error is, let me know.
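The symptom described in this post (a v6 total that exactly equals the v4 total on a v4-only server) is what you get when the v6 match is broader than the v4 match, so every v4 event is tallied twice. The following is an added example, not code from the post, from Splunk, or from the Infoblox app: it contrasts a strict classifier keyed on DHCP message-type names with a hypothetical over-broad one, and implements the subtraction workaround the post proposes together with a sanity check for the double-counting signature. The sample events are constructed in an ISC-dhcpd-like style and are not real ib:dhcp:message output; the LOOSE_V6 pattern is an assumption about what a faulty match could look like, not the actual bug in si-search-dhcp-message.

```python
import re
from collections import Counter

# Constructed sample events in an ISC-dhcpd-like style. They are NOT real
# Infoblox ib:dhcp:message output and exist only to exercise the classifiers.
SAMPLE_EVENTS = [
    "dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0",
    "dhcpd: DHCPOFFER on 10.0.0.20 to 00:11:22:33:44:55 via eth0",
    "dhcpd: DHCPREQUEST for 10.0.0.20 from 00:11:22:33:44:55 via eth0",
    "dhcpd: DHCPACK on 10.0.0.20 to 00:11:22:33:44:55 via eth0",
    "dhcpd: Solicit message from fe80::1 port 546, transaction ID 0x1a2b3c",
    "dhcpd: Sending Advertise to fe80::1 port 546",
]

# DHCPv4 message types are logged with the DHCP prefix (RFC 2131 names);
# DHCPv6 message types (RFC 8415 names) are logged as bare words.
V4_TYPE = re.compile(
    r"\bDHCP(?:DISCOVER|OFFER|REQUEST|DECLINE|ACK|NAK|RELEASE|INFORM)\b"
)
V6_TYPE = re.compile(
    r"\b(?:Solicit|Advertise|Request|Confirm|Renew|Rebind|Reply|Release|"
    r"Decline|Reconfigure|Information-request)\b"
)
# Hypothetical over-broad "IPv6" match (an assumption, not the real bug): it
# also hits the 'dhcpd:' process tag, so every v4 event is counted as v6 too.
LOOSE_V6 = re.compile(r"dhcp", re.IGNORECASE)


def classify_strict(event):
    """Return the protocol tags for one event, checking v4 first so that a
    v4 line can never also be tagged v6."""
    if V4_TYPE.search(event):
        return ["v4"]
    if V6_TYPE.search(event):
        return ["v6"]
    return []


def classify_loose(event):
    """Hypothetical faulty classifier: correct for v4, over-broad for v6."""
    tags = []
    if V4_TYPE.search(event):
        tags.append("v4")
    if LOOSE_V6.search(event):
        tags.append("v6")
    return tags


def summarize(events, classify):
    """Per-protocol counts, the shape a summary-index search would produce."""
    counts = Counter()
    for event in events:
        counts.update(classify(event))
    return dict(counts)


def looks_double_counted(summary):
    """Sanity check: on a v4-only box a correct v6 total is zero, so a v6
    total that exactly equals the v4 total is the signature from the post."""
    return summary.get("v6", 0) > 0 and summary["v6"] == summary.get("v4", 0)


def reconcile(summary):
    """Apply the post's workaround: subtract the v4 total from the inflated
    v6 total. Only valid when the v4 total is known to be correct."""
    v4 = summary.get("v4", 0)
    v6 = summary.get("v6", 0)
    return {"v4": v4, "v6": max(v6 - v4, 0)}


if __name__ == "__main__":
    print("strict:", summarize(SAMPLE_EVENTS, classify_strict))
    loose = summarize(SAMPLE_EVENTS, classify_loose)
    print("loose: ", loose, "-> reconciled:", reconcile(loose))
```

Run against the first four (v4-only) events, the loose summary comes back as four v4 and four v6 and trips looks_double_counted, which is the same "totals always exactly match" observation the post reports; the strict classifier yields no v6 at all. Over the full sample the subtraction in reconcile recovers the true v6 count, but only because v4 is counted correctly in the faulty summary, which is the precondition the post's workaround relies on.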