Tcpdump: capture DHCP & DHCPv6 packets
Updated: Jun 7
DHCP is a network protocol used on IP networks where a DHCP server automatically assigns an IP address and other information to each host on the network. We can use tcpdump command to filter DHCP packets.
How DHCP Works?
DHCP operations fall into four phases: server discovery, IP lease offer, IP lease request, and IP lease acknowledgment. These stages are often abbreviated as DORA for discovery, offer, request, and acknowledgment.
DISCOVER: Client connects to the network and sends out a broadcast discovery looking for its DHCP information.
OFFER: The server offers the DHCP information to the client
REQUEST: The client requests verification of the DHCP information
ACK: The server acknowledges the DHCP request
How to use tcpdump to filter dhcp packets v4?
DHCP v4 traffic operates on port 67 (Server) and port 68 (Client). So we can capture the appropriate traffic with the following expression. (v4)
tcpdump -i eth0 udp port 67 and port 68 -vvv
How to use tcpdump to filter dhcpv6 packets?
DHCPv6 uses UDP port number 546 for clients and port number 547 for servers.
tcpdump -i eth0 -n -vv '(udp port 546 and port 547)'
How to use tcpdump to filter dhcp packets based on MAC address?
tcpdump -i eth0 -vvv -s 1500 '((port 67 or port 68) and (udp[38:4] = 0x3e0ccf08))'