Glossary
Definitions of terms used throughout this manual.
Action — An enforcement decision applied to a device: Block, Deny, Throttle, Allow, or Monitor.
Allow — An action that whitelists a device, exempting it from automated blocks.
Analysis — The process of examining DHCP traffic patterns using an LLM to identify anomalies.
Automation Rule — A scheduled detection rule that queries aggregated data and triggers actions when thresholds are exceeded.
Baseline — The normal traffic pattern for a device or network, used as a reference for anomaly detection.
Block — A temporary action that drops all DHCP traffic from a device.
Burst — A brief period where traffic can exceed the normal rate limit.
chaddr — Client Hardware Address; the MAC address field in DHCPv4 packets.
ClickHouse — The column-oriented database used by DHCP DPI for storing events.
CIDR — Classless Inter-Domain Routing; notation for IP address ranges (e.g., 10.0.0.0/24).
Client Identifier — A unique identifier for a DHCP client (Option 61 in v4, DUID in v6).
Dashboard — The main monitoring interface with configurable widgets.
Deny — A permanent blocking action with no automatic expiration.
DHCP — Dynamic Host Configuration Protocol; a protocol for automatically assigning IP addresses.
DHCPv4 — DHCP for IPv4 networks, using UDP ports 67/68.
DHCPv6 — DHCP for IPv6 networks, using UDP ports 546/547.
DISCOVER — A DHCPv4 message sent by clients to find available servers.
DORA — The DHCPv4 exchange sequence: Discover, Offer, Request, Ack.
DUID — DHCP Unique Identifier; a unique identifier for DHCPv6 clients.
Event — A single DHCP packet processed by the system.
Execution History — A log of automation rule runs and their results.
False Positive — A normal device incorrectly flagged as suspicious.
Filter — Criteria used to narrow down displayed or processed data.
Firewall Decision — An active enforcement action on a device.
Flooding — An attack or misconfiguration causing excessive DHCP requests.
GUI — Graphical User Interface; the web-based management console.
Hostname — The name requested by a DHCP client (Option 12 in v4, FQDN in v6).
IA — Identity Association; a DHCPv6 concept linking addresses to clients.
IA_NA — Identity Association for Non-temporary Addresses.
IA_PD — Identity Association for Prefix Delegation.
KPI — Key Performance Indicator; metrics tracked in reports and analysis.
Lease — The temporary assignment of an IP address to a client.
LLM — Large Language Model; the AI technology used for traffic analysis.
Lookback Interval — How far back an automation rule checks when evaluating thresholds.
MAC Address — Media Access Control address; a unique hardware identifier.
Mark — A 32-bit value assigned to packets for classification and enforcement. The high byte encodes the DHCP message type; the low 24 bits are derived from the last 3 bytes of the client MAC.
MFA — Multi-Factor Authentication; requiring additional verification beyond a password.
Monitor — An action that enables enhanced logging for a device without blocking.
NAK — Negative Acknowledgment; a DHCP server rejection message.
NFQueue — A Linux kernel mechanism for userspace packet processing.
NFTables — The Linux kernel firewall framework used for traffic enforcement.
NOC — Network Operations Center; a centralised monitoring facility.
OAuth2 — An authorization protocol for external authentication.
OIDC — OpenID Connect; an authentication layer on top of OAuth2.
Option — Additional data fields in DHCP messages (e.g., Option 12 for hostname).
Option 82 — Relay Agent Information Option in DHCPv4.
OUI — Organizationally Unique Identifier; the first 3 bytes of a MAC address identifying the manufacturer.
Pattern — A regular expression used for matching DHCP fields.
Priority — A value (1–100) determining automation rule evaluation order.
Prompt — A template defining how data is presented to the LLM for analysis.
Queue — The NFQueue buffer holding packets awaiting processing.
Relay Agent — A device that forwards DHCP messages between networks.
Risk Score — A 0.0–1.0 value indicating the assessed threat level of a device.
Role — A permission level assigned to users (Admin, Operator, Viewer).
Rule — A pattern-matching definition for classifying traffic.
SARR — The DHCPv6 exchange sequence: Solicit, Advertise, Request, Reply.
Set — An NFTables data structure holding marks or addresses for matching.
SOLICIT — A DHCPv6 message sent by clients to find available servers.
Threshold — A numeric limit that triggers an automation rule when exceeded.
Throttle — An action that rate-limits DHCP requests from a device.
Timeline — A visualisation of device activity over time.
TOTP — Time-based One-Time Password; the algorithm used for MFA codes.
Transaction ID — A unique identifier for a DHCP exchange (XID in v4).
Unique IPs — The count of different IP addresses assigned to a device.
Vendor Class — An identifier indicating the device type or manufacturer (Option 60 in v4).
Verdict — The decision returned to NFQueue: accept, drop, or modify.
WebSocket — A protocol providing real-time bidirectional communication.
Widget — A configurable component on the dashboard displaying specific data.
XID — Transaction Identifier; a 32-bit random value in DHCPv4 messages.