DHCP debugging with tcpdump


tcpdump filter to match DHCP packets for a specific client MAC address (udp[38:4] compares the last four bytes of the client hardware address field, here 3e:0c:cf:08):

tcpdump -i br0 -vvv -s 1500 '((port 67 or port 68) and (udp[38:4] = 0x3e0ccf08))'

tcpdump filter to capture packets sent by the client (DISCOVER, REQUEST, INFORM); udp[8:1] is the BOOTP op field, and 0x1 means BOOTREQUEST:

tcpdump -i br0 -vvv -s 1500 '((port 67 or port 68) and (udp[8:1] = 0x1))'

Sample output:


 21:38:05.644153 IP (tos 0x0, ttl 64, id 32104, offset 0, flags [none], proto UDP (17), length 374)
     0.0.0.0.bootpc > 255.255.255.255.bootps: [udp sum ok] BOOTP/DHCP, Request from 12:42:82:cb:7a:7e (oui Unknown), length 346, xid 0xd01f0ad4, secs 18694, Flags [none] (0x0000)
   Client-Ethernet-Address 12:42:82:cb:7a:7e (oui Unknown)
   Vendor-rfc1048 Extensions
     Magic Cookie 0x63825363
     DHCP-Message Option 53, length 1: Discover
     Client-ID Option 61, length 7: ether 12:42:82:cb:7a:7e
     SLP-NA Option 80, length 0""
     NOAUTO Option 116, length 1: Y
     MSZ Option 57, length 2: 1472
     Vendor-Class Option 60, length 49: "dhcpcd-7.1.0:Linux-4.19.59-sunxi:armv7l:Allwinner"
     Hostname Option 12, length 11: "whiteorange"
     T145 Option 145, length 1: 1
     Parameter-Request Option 55, length 15: 
       Subnet-Mask, Classless-Static-Route, Static-Route, Default-Gateway
       Domain-Name-Server, Hostname, Domain-Name, MTU
       BR, NTP, Lease-Time, Server-ID
       RN, RB, Option 119
     END Option 255, length 0 

…And yes, it is an Orange Pi Zero, for those playing at home.
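
Added example, not part of the original post: the MAC filter above checks only the last four bytes of the client address, because tcpdump loads at most 4 bytes per comparison. This shell function builds a filter that matches all six bytes and can optionally restrict by direction; the function name and its arguments are assumptions made for this example.

```shell
# Build a tcpdump filter matching DHCP traffic for one client MAC.
# Offsets count from the start of the 8-byte UDP header, so BOOTP
# field offset N is udp[8+N]:
#   udp[8:1]  op      1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
#   udp[36]   chaddr  client hardware address (6 bytes for Ethernet)
# tcpdump loads only 1, 2 or 4 bytes per comparison, so the MAC is
# split into udp[36:2] (first two bytes) and udp[38:4] (last four).
# dhcp_mac_filter and its arguments are names made up for this example.
dhcp_mac_filter() {
    # $1 = MAC, colon- or dash-separated; $2 = "client", "server" or empty
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ':-')
    case "$mac" in
        *[!0-9a-f]*) echo "invalid MAC: $1" >&2; return 1 ;;
    esac
    [ "${#mac}" -eq 12 ] || { echo "invalid MAC: $1" >&2; return 1; }

    hi=$(printf '%s' "$mac" | cut -c1-4)    # bytes 0-1 of chaddr
    lo=$(printf '%s' "$mac" | cut -c5-12)   # bytes 2-5 of chaddr
    filter="(port 67 or port 68) and udp[36:2] = 0x$hi and udp[38:4] = 0x$lo"

    case "${2:-}" in
        client) filter="$filter and udp[8:1] = 0x1" ;;
        server) filter="$filter and udp[8:1] = 0x2" ;;
        "") ;;
        *) echo "direction must be client or server" >&2; return 1 ;;
    esac
    printf '%s\n' "$filter"
}

# With the MAC from the sample output and the flags used above:
#   tcpdump -i br0 -vvv -s 1500 "$(dhcp_mac_filter 12:42:82:cb:7a:7e client)"
```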

nJoy 😉
