How do I dump DHCP packets under Linux / UNIX for monitoring or debugging purposes?
You can parse DHCP packets using the tcpdump and dhcpdump programs. dhcpdump displays DHCP packets, as recorded and output by tcpdump, in a readable form so that you can analyze DHCP server responses.
Install dhcpdump
Type the following command:
# apt-get install dhcpdump
OR
# yum install dhcpdump
How Do I Use tcpdump To Capture DHCP Output?
Type the command as follows:
# tcpdump -lenx -i eth0 -s 1500 port bootps or port bootpc
Sample outputs:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
15:40:56.555424 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300
15:41:02.005243 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300
15:41:02.007532 00:22:41:2f:f4:0a > 00:19:d1:2a:ba:a8, ethertype IPv4 (0x0800), length 342: 192.168.2.1.67 > 192.168.2.2.68: BOOTP/DHCP, Reply, length 300
15:41:02.007682 00:19:d1:2a:ba:a8 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:19:d1:2a:ba:a8, length 300
15:41:02.085415 00:22:41:2f:f4:0a > 00:19:d1:2a:ba:a8, ethertype IPv4 (0x0800), length 342: 192.168.2.1.67 > 192.168.2.2.68: BOOTP/DHCP, Reply, length 300
The above output is not very useful, so use the dhcpdump command as follows:
# dhcpdump -i eth0
Sample outputs:
TIME: 2010-05-06 15:42:33.000
IP: 0.0.0.0 (0:19:d1:2a:ba:a8) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: e16fef09
SECS: 0
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 3 (DHCPREQUEST)
OPTION: 50 ( 4) Request IP address 192.168.2.2
OPTION: 12 ( 13) Host name vivek-desktop
OPTION: 55 ( 13) Parameter Request List
    1 (Subnet mask)
    28 (Broadcast address)
    2 (Time offset)
    3 (Routers)
    15 (Domainname)
    6 (DNS server)
    119 (Domain Search)
    12 (Host name)
    44 (NetBIOS name server)
    47 (NetBIOS scope)
    26 (Interface MTU)
    121 (Classless Static Route)
    42 (NTP servers)
---------------------------------------------------------------------------
TIME: 2010-05-06 15:42:40.003
IP: 0.0.0.0 (0:19:d1:2a:ba:a8) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: e16fef09
SECS: 7
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 3 (DHCPREQUEST)
OPTION: 50 ( 4) Request IP address 192.168.2.2
OPTION: 12 ( 13) Host name vivek-desktop
OPTION: 55 ( 13) Parameter Request List
    1 (Subnet mask)
    28 (Broadcast address)
    2 (Time offset)
    3 (Routers)
    15 (Domainname)
    6 (DNS server)
    119 (Domain Search)
    12 (Host name)
    44 (NetBIOS name server)
    47 (NetBIOS scope)
    26 (Interface MTU)
    121 (Classless Static Route)
    42 (NTP servers)
---------------------------------------------------------------------------
TIME: 2010-05-06 15:42:40.006
IP: 192.168.2.1 (0:22:41:2f:f4:a) > 192.168.2.2 (0:19:d1:2a:ba:a8)
OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: e16fef09
SECS: 0
FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 192.168.2.2
SIADDR: 192.168.2.1
GIADDR: 0.0.0.0
CHADDR: 00:19:d1:2a:ba:a8:00:00:00:00:00:00:00:00:00:00
SNAME: viveksrouter_devel
FNAME: .
OPTION: 53 ( 1) DHCP message type 5 (DHCPACK)
OPTION: 54 ( 4) Server identifier 192.168.2.1
OPTION: 51 ( 4) IP address leasetime 85536 (23h45m36s)
OPTION: 1 ( 4) Subnet mask 255.255.255.0
OPTION: 3 ( 4) Routers 192.168.2.1
OPTION: 6 ( 4) DNS server 192.168.2.1
---------------------------------------------------------------------------
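For monitoring, the decoded fields above can be filtered with a short script. The following is an added example, not part of the original article or the dhcpdump project: a shell function that reads dhcpdump output and reports every reply whose Server identifier (option 54) is not on a list of expected DHCP servers. The function names, the second sample record and the 192.168.2.254 server are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: print DHCP replies whose Server identifier (option 54)
# is not on the expected-server list given as arguments.
# Live use: dhcpdump -i eth0 | dhcp_unexpected_servers 192.168.2.1
dhcp_unexpected_servers() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Report the finished record if it is a reply from an unlisted server.
    function emit() {
        if (op == 2 && sid != "" && !(sid in ok))
            printf "%s server=%s mac=%s type=%s yiaddr=%s\n", ts, sid, mac, mtype, yi
        ts = sid = mac = mtype = yi = ""; op = 0
    }
    $1 == "TIME:"   { emit(); ts = $2 " " $3 }            # new record starts
    $1 == "IP:"     { mac = $3; gsub(/[()]/, "", mac) }   # sender MAC
    $1 == "OP:"     { op = $2 }                           # 2 = BOOTPREPLY
    $1 == "YIADDR:" { yi = $2 }                           # address handed out
    $1 == "OPTION:" && $2 == 53 { mtype = $NF; gsub(/[()]/, "", mtype) }
    $1 == "OPTION:" && $2 == 54 { sid = $NF }
    END { emit() }
    '
}

# Constructed sample: the DHCPACK fields from the page, plus an invented
# DHCPOFFER from a second server (192.168.2.254 and its MAC are made up).
sample_dhcpdump() {
    cat <<'EOF'
TIME: 2010-05-06 15:42:40.006
IP: 192.168.2.1 (0:22:41:2f:f4:a) > 192.168.2.2 (0:19:d1:2a:ba:a8)
OP: 2 (BOOTPREPLY)
YIADDR: 192.168.2.2
OPTION: 53 ( 1) DHCP message type 5 (DHCPACK)
OPTION: 54 ( 4) Server identifier 192.168.2.1
---------------------------------------------------------------------------
TIME: 2010-05-06 15:42:41.120
IP: 192.168.2.254 (0:11:22:33:44:55) > 192.168.2.2 (0:19:d1:2a:ba:a8)
OP: 2 (BOOTPREPLY)
YIADDR: 192.168.2.77
OPTION: 53 ( 1) DHCP message type 2 (DHCPOFFER)
OPTION: 54 ( 4) Server identifier 192.168.2.254
---------------------------------------------------------------------------
EOF
}

sample_dhcpdump | dhcp_unexpected_servers 192.168.2.1
```

With no arguments the function lists every server that answered, which is a quick way to build the expected-server list in the first place.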
See also:
- Download dhcpdump from the official project website.
- man pages: tcpdump and dhcpdump
Very nice tip!
Especially to filter data via shell scripts, it can be very useful.
Thanks!
Very, very useful … Thanks .. you save my life …
Useful legacy tcpdump options examples:
1. Broadcast DHCP packet in L2 network from host, filtered by host MAC:
tcpdump -nnvXSs 0 port bootps or port bootpc and ether host 00:19:d1:2a:ba:a8
2. Unicast DHCP packet through an L3 router (used with DHCP Relay/IP-helper), filtered by the client MAC in the BOOTP header; the last 4 bytes of the MAC must be used:
tcpdump -nnvXSs 0 -i eth0 '((port 67 or port 68) and (udp[38:4] = 0xd12abaa8))'
Example of output: