Tcpdump: capture DHCP & DHCPv6 packets

Updated: Jan 26

DHCP is a network protocol used on IP networks in which a DHCP server automatically assigns an IP address and other configuration information to each host on the network. We can use the tcpdump command to filter DHCP packets.


How does DHCP work?

DHCP operations fall into four phases: server discovery, IP lease offer, IP lease request, and IP lease acknowledgment. These stages are often abbreviated as DORA for discovery, offer, request, and acknowledgment.


DISCOVER: The client connects to the network and sends out a broadcast discovery looking for its DHCP information.

OFFER: The server offers the DHCP information to the client.

REQUEST: The client requests verification of the DHCP information.

ACK: The server acknowledges the DHCP request.


How to use tcpdump to filter DHCPv4 packets?

DHCPv4 traffic uses UDP port 67 (server) and UDP port 68 (client), so we can capture it with the following expression.

tcpdump -i eth0 -vvv 'udp and (port 67 or port 68)'

How to use tcpdump to filter DHCPv6 packets?

DHCPv6 uses UDP port number 546 for clients and port number 547 for servers.

tcpdump -i eth0 -n -vv 'udp and (port 546 or port 547)'


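How to use tcpdump to filter DHCP packets based on MAC address?

The client MAC address is carried in the chaddr field of the DHCP message, which starts 28 bytes into the DHCP payload, that is, at offset 36 from the start of the 8-byte UDP header. The expression below compares the four bytes at udp[38:4], which are the last four bytes of the MAC address, with 0x3e0ccf08.

tcpdump -i eth0 -vvv -s 1500 '((port 67 or port 68) and (udp[38:4] = 0x3e0ccf08))'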
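The following helper is an added example, not part of the original post: it builds a DHCPv4 capture filter from a full client MAC address and matches all six bytes rather than only the last four. The function name dhcp_mac_filter and the sample MAC are constructed for illustration, and a 6-byte Ethernet hardware address is assumed.

```shell
#!/bin/sh
# Added example: build a tcpdump filter for DHCPv4 packets of one client MAC.
#
# BOOTP/DHCP layout: op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2)
# ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) = 28 bytes, then chaddr.
# The UDP header is 8 bytes, so an Ethernet chaddr occupies udp[36..41].
# BPF accessors read 1, 2 or 4 bytes, so the MAC is split into 2 + 4 bytes.

dhcp_mac_filter() {   # hypothetical helper name
    mac=$1

    # Normalise: strip ':', '.', '-' separators and lowercase the hex digits.
    hex=$(printf '%s' "$mac" | tr -d ':.-' | tr 'A-F' 'a-f')

    # Validate: exactly 12 hex digits (a 6-byte Ethernet address).
    case $hex in
        *[!0-9a-f]*) echo "invalid MAC: $mac" >&2; return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || { echo "invalid MAC: $mac" >&2; return 1; }

    hi=$(printf '%s' "$hex" | cut -c1-4)    # chaddr bytes 0-1 -> udp[36:2]
    lo=$(printf '%s' "$hex" | cut -c5-12)   # chaddr bytes 2-5 -> udp[38:4]

    printf 'udp and (port 67 or port 68) and udp[36:2] = 0x%s and udp[38:4] = 0x%s\n' \
        "$hi" "$lo"
}

# Constructed sample MAC (locally administered), printed as a filter string.
dhcp_mac_filter '02:00:5E:10:20:30'

# Usage with tcpdump (interface name eth0 as in the commands above):
#   tcpdump -i eth0 -n -vvv "$(dhcp_mac_filter '02:00:5E:10:20:30')"
```

Because chaddr is set by the client and echoed in server replies, the filter matches all four DORA messages for that client.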
