How do I dump DHCP packets under Linux / UNIX for monitoring or debugging purpose?
You can parse DHCP packets using tcpdump and dhcpdump programs. dhcpdump provides a tool for visualization of DHCP packets as recorded and output by tcpdump to analyze DHCP server responses.
ADVERTISEMENTS
Install dhcpdump
Type the following command:
# apt-get install dhcpdump
OR
# yum install dhcpdump
How Do I Use tcpdump To Capture DHCP Output?
Type the command as follows:
# tcpdump -lenx -i eth0 -s 1500 port bootps or port bootpc
Sample outputs:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes 15:40:56.555424 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300 0x0000: 4510 0148 0000 0000 8011 3996 0000 0000 0x0010: ffff ffff 0044 0043 0134 b321 0101 0600 0x0020: ba97 e476 0000 0000 0000 0000 0000 0000 0x0030: 0000 0000 0000 0000 0019 d12a baa8 0000 0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 0x0090: 0000 0000 0000 0000 0000 0000 0000 0000 0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 0x0100: 0000 0000 0000 0000 6382 5363 3501 0132 0x0110: 04c0 a802 020c 0d76 6976 656b 2d64 6573 0x0120: 6b74 6f70 370d 011c 0203 0f06 770c 2c2f 0x0130: 1a79 2aff 0000 0000 0000 0000 0000 0000 0x0140: 0000 0000 0000 0000 15:41:02.005243 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300 0x0000: 4510 0148 0000 0000 8011 3996 0000 0000 0x0010: ffff ffff 0044 0043 0134 b31b 0101 0600 0x0020: ba97 e476 0006 0000 0000 0000 0000 0000 0x0030: 0000 0000 0000 0000 0019 d12a baa8 0000 0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 0x0090: 0000 0000 0000 0000 0000 0000 0000 0000 0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 0x0100: 0000 0000 0000 0000 6382 5363 3501 0132 0x0110: 04c0 a802 020c 0d76 6976 656b 2d64 6573 0x0120: 6b74 6f70 370d 011c 0203 0f06 770c 2c2f 0x0130: 1a79 2aff 0000 0000 0000 0000 0000 0000 0x0140: 0000 0000 0000 0000 15:41:02.007532 00:22:41:2f:f4:0a > 00:19:d1:2a:ba:a8, ethertype IPv4 (0x0800), length 342: 192.168.2.1.67 > 192.168.2.2.68: BOOTP/DHCP, Reply, length 300 0x0000: 4500 0148 74c1 0000 ff11 c08f c0a8 0201 0x0010: c0a8 0202 0043 0044 0134 6e61 0201 0600 0x0020: ba97 e476 0000 0000 0000 0000 c0a8 0202 0x0030: c0a8 0201 0000 0000 0019 d12a baa8 0000 0x0040: 0000 0000 0000 0000 5669 7665 6b2d 4769 0x0050: 7465 732d 4d61 6342 6f6f 6b2e 6c6f 6361 0x0060: 6c00 0000 0000 0000 0000 0000 0000 0000 0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 0x0090: 0000 0000 0000 0000 0000 0000 0000 0000 0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 0x0100: 0000 0000 0000 0000 6382 5363 3501 0236 0x0110: 04c0 a802 0133 0400 014e 2001 04ff ffff 0x0120: 0003 04c0 a802 0106 04c0 a802 01ff 0000 0x0130: 0000 0000 0000 0000 0000 0000 0000 0000 0x0140: 0000 0000 0000 0000 15:41:02.007682 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300 0x0000: 4510 0148 0000 0000 8011 3996 0000 0000 0x0010: ffff ffff 0044 0043 0134 0323 0101 0600 0x0020: ba97 e476 0006 0000 0000 0000 0000 0000 0x0030: 0000 0000 0000 0000 0019 d12a baa8 0000 0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 0x0090: 0000 0000 0000 0000 0000 0000 0000 0000 0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 0x0100: 0000 0000 0000 0000 6382 5363 3501 0336 0x0110: 04c0 a802 0132 04c0 a802 020c 0d76 6976 0x0120: 656b 2d64 6573 6b74 6f70 370d 011c 0203 0x0130: 0f06 770c 2c2f 1a79 2aff 0000 0000 0000 0x0140: 0000 0000 0000 0000 15:41:02.085415 00:22:41:2f:f4:0a > 00:19:d1:2a:ba:a8, ethertype IPv4 (0x0800), length 342: 192.168.2.1.67 > 192.168.2.2.68: BOOTP/DHCP, Reply, length 300 0x0000: 4500 0148 74c2 0000 ff11 c08e c0a8 0201 0x0010: c0a8 0202 0043 0044 0134 6b61 0201 0600 0x0020: ba97 e476 0000 0000 0000 0000 c0a8 0202 0x0030: c0a8 0201 0000 0000 0019 d12a baa8 0000 0x0040: 0000 0000 0000 0000 5669 7665 6b2d 4769 0x0050: 7465 732d 4d61 6342 6f6f 6b2e 6c6f 6361 0x0060: 6c00 0000 0000 0000 0000 0000 0000 0000 0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 0x0080: 0000 0000 0000 0000 0000 0000 0000 0000 0x0090: 0000 0000 0000 0000 0000 0000 0000 0000 0x00a0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00b0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00c0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00d0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00e0: 0000 0000 0000 0000 0000 0000 0000 0000 0x00f0: 0000 0000 0000 0000 0000 0000 0000 0000 0x0100: 0000 0000 0000 0000 6382 5363 3501 0536 0x0110: 04c0 a802 0133 0400 014e 2001 04ff ffff 0x0120: 0003 04c0 a802 0106 04c0 a802 01ff 0000 0x0130: 0000 0000 0000 0000 0000 0000 0000 0000 0x0140: 0000 0000 0000 0000
Above output is not very useful. So you can use the dhcpdump command as follows:
dhcpdump -i eth0
Sample outputs:
TIME: 2010-05-06 15:42:33.000
IP: 0.0.0.0 (0:19:d1:2a:ba:a8) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: e16fef09
SECS: 0
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 3 (DHCPREQUEST)
OPTION: 50 ( 4) Request IP address 192.168.2.2
OPTION: 12 ( 13) Host name vivek-desktop
OPTION: 55 ( 13) Parameter Request List 1 (Subnet mask)
28 (Broadcast address)
2 (Time offset)
3 (Routers)
15 (Domainname)
6 (DNS server)
119 (Domain Search)
12 (Host name)
44 (NetBIOS name server)
47 (NetBIOS scope)
26 (Interface MTU)
121 (Classless Static Route)
42 (NTP servers)
---------------------------------------------------------------------------
TIME: 2010-05-06 15:42:40.003
IP: 0.0.0.0 (0:19:d1:2a:ba:a8) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: e16fef09
SECS: 7
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 3 (DHCPREQUEST)
OPTION: 50 ( 4) Request IP address 192.168.2.2
OPTION: 12 ( 13) Host name vivek-desktop
OPTION: 55 ( 13) Parameter Request List 1 (Subnet mask)
28 (Broadcast address)
2 (Time offset)
3 (Routers)
15 (Domainname)
6 (DNS server)
119 (Domain Search)
12 (Host name)
44 (NetBIOS name server)
47 (NetBIOS scope)
26 (Interface MTU)
121 (Classless Static Route)
42 (NTP servers)
---------------------------------------------------------------------------
TIME: 2010-05-06 15:42:40.006
IP: 192.168.2.1 (0:22:41:2f:f4:a) > 192.168.2.2 (0:19:d1:2a:ba:a8)
OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: e16fef09
SECS: 0
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 192.168.2.2
SIADDR: 192.168.2.1
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
SNAME: viveksrouter_devel
FNAME: .
OPTION: 53 ( 1) DHCP message type 5 (DHCPACK)
OPTION: 54 ( 4) Server identifier 192.168.2.1
OPTION: 51 ( 4) IP address leasetime 85536 (23h45m36s)
OPTION: 1 ( 4) Subnet mask 255.255.255.0
OPTION: 3 ( 4) Routers 192.168.2.1
OPTION: 6 ( 4) DNS server 192.168.2.1
---------------------------------------------------------------------------See also:
- Download dhcpdump from the official project website.
- man page tcpdump and dhcpdump
UP NEXT
OpenBSD Command: See PCI Device Information
Ubuntu / Debian Linux: Setup An ISC DHCP Server For Your Network
How to use yum command on CentOS/RHEL
Linux Network IP Accounting
Debian Linux Configure Network Interface Cards - IP address and Netmasks
How to find disk I/O latency with ioping monitoring tool on Linux
Linux Network Statistics Tools / Commands
Very nice tip!
Especially to filter data via shell scripts, it can be very useful.
Thanks!
Very Very usefull … Thanks .. you save my life …
Useful legacy tcpdump options examples:
1.Broadcast DHCP packet in L2 network from host, filtered by host MAC:
tcpdump -nnvXSs 0 port bootps or port bootpc and ether host 00:19:d1:2a:ba:a82.Unicast DHCP packet through L3 router (used with DHCP Relay/IP-helper), filtered by Client MAC in BOOTP Header, must be used last 4 bytes of MAC:
tcpdump -nnvXSs 0 -i eth0 '((port 67 or port 68) and (udp[38:4] = 0xd12abaa8))'Example of output:
15:43:37.509861 IP (tos 0x10, ttl 64, id 0, offset 0, flags [none], proto 17, length: 361) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length: 333, xid:0x79bd7422, flags: [none] Client Ethernet Address: 00:19:d1:2a:ba:a8 Vendor-rfc1048: DHCP:DISCOVER PR:SM+TZ+DG+NS+LOG+HN+DN+MTU+BR+NTP+VO+RQ+LT (SM-subnet mask, DG - default gateway, NS - name server, ...) VC:"1332" CID:"^F^@M-PPEM-a." Option 82 is also visible (not pasted here) in listing in both formats - HEX and ASCII. 15:43:38.510594 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto 17, length: 381) 192.168.20.40.67 > 192.168.20.196.68: BOOTP/DHCP, Reply, length: 353, xid:0x79bd7422, flags: [none] Your IP: 192.168.20.196 Server IP: 192.168.20.40 Client Ethernet Address: 00:19:d1:2a:ba:a8 sname "192.168.20.40" Vendor-rfc1048: DHCP:OFFER SID:192.168.20.40 LT:3600 SM:255.255.255.0 DG:192.168.20.1 NS:192.168.20.40 HN:"http://192.168.20.34" DN:"somedomain.com" NTP:192.168.20.40