Skip to Content

Tcpdump: capture DHCP & DHCPv6 packets

DHCP is a network protocol used on IP networks where a DHCP server automatically assigns an IP address and other information to each host on the network. We can use tcpdump command to filter DHCP packets.

How DHCP Works?

DHCP operations fall into four phases: server discovery, IP lease offer, IP lease request, and IP lease acknowledgment. These stages are often abbreviated as DORA for discovery, offer, request, and acknowledgment.

DISCOVER: Client connects to the network and sends out a broadcast discovery looking for its DHCP information.

OFFER: The server offers the DHCP information to the client

REQUEST: The client requests verification of the DHCP information

ACK: The server acknowledges the DHCP request

How to use tcpdump to filter dhcp packets v4?

DHCP v4 traffic operates on port 67 (Server) and port 68 (Client). So we can capture the appropriate traffic with the following expression. (v4)

This command starts a packet capture using the tcpdump utility on interface eth0, filtering for UDP packets with a source or destination port of 67 (DHCP server) or 68 (DHCP client).

The -vvv option enables verbose output, providing additional information about the packets being captured.

tcpdump -i eth0 udp port 67 and port 68 -vvv

How to use tcpdump to filter dhcpv6 packets?

DHCPv6 uses UDP port number 546 for clients and port number 547 for servers.

tcpdump -i eth0 -n -vv ‘(udp port 546 and port 547)’

The options used in the command are:

Option Description
-i eth0 Specifies the interface on which to capture network traffic, in this case, eth0.
-n Displays IP addresses instead of resolving them to hostnames, which can make the output faster.
-vv Increases the verbosity level of the output to show more details about the captured packets.
‘(udp port 546 and port 547)’ Sets a filter to capture only packets that use the UDP protocol and have source or destination ports 546 and 547.

How to use tcpdump to filter dhcp packets based on MAC address?

tcpdump -i eth0 -vvv -s 1500 '((port 67 or port 68) and (udp[38:4] = 0x3e0ccf08))'

This Sets a filter to capture only packets that use the UDP protocol and have a specific value in their payload.

Specifically, this filter captures packets that have either source or destination port 67 or 68 and that have a 4-byte value starting at byte 38 in their payload that matches the hexadecimal value 0x3e0ccf08.

Tcpdump provides several options that enhance or modify its output. The following are the commonly used options for tcpdump command.

Option Description
-i Listen on the specified interface.
-n Don’t resolve hostnames. You can use -nn to don’t resolve hostnames or port names.
-t Print human-readable timestamp on each dump line, -tttt: Give maximally human-readable timestamp output.
-X Show the packet’s contents in both hex and ascii.
-v, -vv, -vvv enables verbose logging/details (which among other things will give us a running total on how many packets are captured
-c N Only get N number of packets and then stop.
-s Define the snaplength (size) of the capture in bytes. Use -s0 to get everything, unless you are intentionally capturing less.
-S Print absolute sequence numbers.
-q Show less protocol information.
-w Write the raw packets to file
-C file_size(M) tells tcpdump to store up to x MB of packet data per file.
-G rotate_seconds Create a new file every time the specified number of seconds has elapsed.

Related post:

Learn tcpdump quick guide

20 Advanced Tcpdump Examples On Linux

10 Useful Linux tcpdump command examples

Tcpdump: Filter ICMPv6 Packets