dhcpdump: Monitor DHCP Traffic For Debugging Purpose

How do I dump DHCP packets under Linux / UNIX for monitoring or debugging purpose?

You can parse DHCP packets using tcpdump and dhcpdump programs. dhcpdump provides a tool for visualization of DHCP packets as recorded and output by tcpdump to analyze DHCP server responses.

Install dhcpdump

Type the following command:
# apt-get install dhcpdump
OR
# yum install dhcpdump

How Do I Use tcpdump To Capture DHCP Output?

Type the command as follows:
# tcpdump -lenx -i eth0 -s 1500 port bootps or port bootpc
Sample outputs:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
15:40:56.555424 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300
	0x0000:  4510 0148 0000 0000 8011 3996 0000 0000
	0x0010:  ffff ffff 0044 0043 0134 b321 0101 0600
	0x0020:  ba97 e476 0000 0000 0000 0000 0000 0000
	0x0030:  0000 0000 0000 0000 0019 d12a baa8 0000
	0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0050:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0060:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0070:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0080:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0090:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0100:  0000 0000 0000 0000 6382 5363 3501 0132
	0x0110:  04c0 a802 020c 0d76 6976 656b 2d64 6573
	0x0120:  6b74 6f70 370d 011c 0203 0f06 770c 2c2f
	0x0130:  1a79 2aff 0000 0000 0000 0000 0000 0000
	0x0140:  0000 0000 0000 0000
15:41:02.005243 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300
	0x0000:  4510 0148 0000 0000 8011 3996 0000 0000
	0x0010:  ffff ffff 0044 0043 0134 b31b 0101 0600
	0x0020:  ba97 e476 0006 0000 0000 0000 0000 0000
	0x0030:  0000 0000 0000 0000 0019 d12a baa8 0000
	0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0050:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0060:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0070:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0080:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0090:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0100:  0000 0000 0000 0000 6382 5363 3501 0132
	0x0110:  04c0 a802 020c 0d76 6976 656b 2d64 6573
	0x0120:  6b74 6f70 370d 011c 0203 0f06 770c 2c2f
	0x0130:  1a79 2aff 0000 0000 0000 0000 0000 0000
	0x0140:  0000 0000 0000 0000
15:41:02.007532 00:22:41:2f:f4:0a > 00:19:d1:2a:ba:a8, ethertype IPv4 (0x0800), length 342: 192.168.2.1.67 > 192.168.2.2.68: BOOTP/DHCP, Reply, length 300
	0x0000:  4500 0148 74c1 0000 ff11 c08f c0a8 0201
	0x0010:  c0a8 0202 0043 0044 0134 6e61 0201 0600
	0x0020:  ba97 e476 0000 0000 0000 0000 c0a8 0202
	0x0030:  c0a8 0201 0000 0000 0019 d12a baa8 0000
	0x0040:  0000 0000 0000 0000 5669 7665 6b2d 4769
	0x0050:  7465 732d 4d61 6342 6f6f 6b2e 6c6f 6361
	0x0060:  6c00 0000 0000 0000 0000 0000 0000 0000
	0x0070:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0080:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0090:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0100:  0000 0000 0000 0000 6382 5363 3501 0236
	0x0110:  04c0 a802 0133 0400 014e 2001 04ff ffff
	0x0120:  0003 04c0 a802 0106 04c0 a802 01ff 0000
	0x0130:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0140:  0000 0000 0000 0000
15:41:02.007682 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300
	0x0000:  4510 0148 0000 0000 8011 3996 0000 0000
	0x0010:  ffff ffff 0044 0043 0134 0323 0101 0600
	0x0020:  ba97 e476 0006 0000 0000 0000 0000 0000
	0x0030:  0000 0000 0000 0000 0019 d12a baa8 0000
	0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0050:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0060:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0070:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0080:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0090:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0100:  0000 0000 0000 0000 6382 5363 3501 0336
	0x0110:  04c0 a802 0132 04c0 a802 020c 0d76 6976
	0x0120:  656b 2d64 6573 6b74 6f70 370d 011c 0203
	0x0130:  0f06 770c 2c2f 1a79 2aff 0000 0000 0000
	0x0140:  0000 0000 0000 0000
15:41:02.085415 00:22:41:2f:f4:0a > 00:19:d1:2a:ba:a8, ethertype IPv4 (0x0800), length 342: 192.168.2.1.67 > 192.168.2.2.68: BOOTP/DHCP, Reply, length 300
	0x0000:  4500 0148 74c2 0000 ff11 c08e c0a8 0201
	0x0010:  c0a8 0202 0043 0044 0134 6b61 0201 0600
	0x0020:  ba97 e476 0000 0000 0000 0000 c0a8 0202
	0x0030:  c0a8 0201 0000 0000 0019 d12a baa8 0000
	0x0040:  0000 0000 0000 0000 5669 7665 6b2d 4769
	0x0050:  7465 732d 4d61 6342 6f6f 6b2e 6c6f 6361
	0x0060:  6c00 0000 0000 0000 0000 0000 0000 0000
	0x0070:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0080:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0090:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0100:  0000 0000 0000 0000 6382 5363 3501 0536
	0x0110:  04c0 a802 0133 0400 014e 2001 04ff ffff
	0x0120:  0003 04c0 a802 0106 04c0 a802 01ff 0000
	0x0130:  0000 0000 0000 0000 0000 0000 0000 0000
	0x0140:  0000 0000 0000 0000

Above output is not very useful. So you can use the dhcpdump command as follows:
dhcpdump -i eth0
Sample outputs:

  TIME: 2010-05-06 15:42:33.000
    IP: 0.0.0.0 (0:19:d1:2a:ba:a8) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: e16fef09
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         3 (DHCPREQUEST)
OPTION:  50 (  4) Request IP address        192.168.2.2
OPTION:  12 ( 13) Host name                 vivek-desktop
OPTION:  55 ( 13) Parameter Request List      1 (Subnet mask)
					     28 (Broadcast address)
					      2 (Time offset)
					      3 (Routers)
					     15 (Domainname)
					      6 (DNS server)
					    119 (Domain Search)
					     12 (Host name)
					     44 (NetBIOS name server)
					     47 (NetBIOS scope)
					     26 (Interface MTU)
					    121 (Classless Static Route)
					     42 (NTP servers)
					    
---------------------------------------------------------------------------

  TIME: 2010-05-06 15:42:40.003
    IP: 0.0.0.0 (0:19:d1:2a:ba:a8) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: e16fef09
  SECS: 7
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         3 (DHCPREQUEST)
OPTION:  50 (  4) Request IP address        192.168.2.2
OPTION:  12 ( 13) Host name                 vivek-desktop
OPTION:  55 ( 13) Parameter Request List      1 (Subnet mask)
					     28 (Broadcast address)
					      2 (Time offset)
					      3 (Routers)
					     15 (Domainname)
					      6 (DNS server)
					    119 (Domain Search)
					     12 (Host name)
					     44 (NetBIOS name server)
					     47 (NetBIOS scope)
					     26 (Interface MTU)
					    121 (Classless Static Route)
					     42 (NTP servers)
					    
---------------------------------------------------------------------------

  TIME: 2010-05-06 15:42:40.006
    IP: 192.168.2.1 (0:22:41:2f:f4:a) > 192.168.2.2 (0:19:d1:2a:ba:a8)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: e16fef09
  SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 192.168.2.2
SIADDR: 192.168.2.1
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
 SNAME: viveksrouter_devel
 FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         192.168.2.1
OPTION:  51 (  4) IP address leasetime      85536 (23h45m36s)
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:   3 (  4) Routers                   192.168.2.1
OPTION:   6 (  4) DNS server                192.168.2.1
---------------------------------------------------------------------------

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

3 comment

MarcusDictomia says:
May 19, 2010 at 2:28 pm
Very nice tip!
Especially to filter data via shell scripts, it can be very useful.
Thanks!
Roni says:
May 3, 2012 at 4:04 pm
Very Very usefull … Thanks .. you save my life …

Useful legacy tcpdump options examples:
1.Broadcast DHCP packet in L2 network from host, filtered by host MAC:
tcpdump -nnvXSs 0 port bootps or port bootpc and ether host 00:19:d1:2a:ba:a8
2.Unicast DHCP packet through L3 router (used with DHCP Relay/IP-helper), filtered by Client MAC in BOOTP Header, must be used last 4 bytes of MAC:
tcpdump -nnvXSs 0 -i eth0 '((port 67 or port 68) and (udp[38:4] = 0xd12abaa8))'
Example of output:

15:43:37.509861 IP (tos 0x10, ttl  64, id 0, offset 0, flags [none], proto 17, length: 361) 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length: 333, xid:0x79bd7422, flags: [none]
          Client Ethernet Address: 00:19:d1:2a:ba:a8
          Vendor-rfc1048:
            DHCP:DISCOVER
            PR:SM+TZ+DG+NS+LOG+HN+DN+MTU+BR+NTP+VO+RQ+LT
(SM-subnet mask, DG - default gateway, NS - name server, ...)
            VC:"1332"
            CID:"^F^@M-PPEM-a."
Option 82 is also visible (not pasted here) in listing in both formats - HEX and ASCII.

15:43:38.510594 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto 17, length: 381) 192.168.20.40.67 > 192.168.20.196.68: BOOTP/DHCP, Reply, length: 353, xid:0x79bd7422, flags: [none]
          Your IP: 192.168.20.196
          Server IP: 192.168.20.40
          Client Ethernet Address: 00:19:d1:2a:ba:a8
          sname "192.168.20.40"
          Vendor-rfc1048:
            DHCP:OFFER
            SID:192.168.20.40
            LT:3600
            SM:255.255.255.0
            DG:192.168.20.1
            NS:192.168.20.40
            HN:"http://192.168.20.34"
            DN:"somedomain.com"
            NTP:192.168.20.40

Have a question? Post it on our forum!

nixCraft