Tcpdump: capture DHCP & DHCPv6 packets

Table of Contents

DHCP is a network protocol used on IP networks where a DHCP server automatically assigns an IP address and other information to each host on the network. We can use tcpdump command to filter DHCP packets.

How DHCP Works?

DHCP operations fall into four phases: server discovery, IP lease offer, IP lease request, and IP lease acknowledgment. These stages are often abbreviated as DORA for discovery, offer, request, and acknowledgment.

DISCOVER: Client connects to the network and sends out a broadcast discovery looking for its DHCP information.

OFFER: The server offers the DHCP information to the client

REQUEST: The client requests verification of the DHCP information

ACK: The server acknowledges the DHCP request

How to use tcpdump to filter dhcp packets v4?

DHCP v4 traffic operates on port 67 (Server) and port 68 (Client). So we can capture the appropriate traffic with the following expression. (v4)

tcpdump -i eth0 udp port 67 and port 68 -vvv

How to use tcpdump to filter dhcpv6 packets?

DHCPv6 uses UDP port number 546 for clients and port number 547 for servers.

tcpdump -i eth0 -n -vv ‘(udp port 546 and port 547)’

How to use tcpdump to filter dhcp packets based on MAC address?

tcpdump -i eth0 -vvv -s 1500 ‘((port 67 or port 68) and (udp[38:4] = 0x3e0ccf08))’

Related post:

Learn tcpdump quick guide

20 Advanced Tcpdump Examples On Linux

10 Useful Linux tcpdump command examples

Tcpdump: Filter ICMPv6 Packets

Welcome to!

Our website is dedicated to providing comprehensive information on using Linux.

We hope you find our site helpful and informative, and we welcome your feedback and suggestions for future content.

Learn More