
Troubleshooting your DHCP Server with tcpdump

Posted by Michael on May 3, 2010 – 3:26 pm

Having issues with your DHCP server? Maybe tcpdump can help.

The first thing to do is log on to your DHCP server and gain root access:
=> ssh mike@dhcpserver
=> sudo -s
Next, I need to verify that my DHCP server is up and running:

=> ps waux|grep dhcp
dhcpd 1490 0.0 0.2 16080 2452 ? S Apr26 0:00 /usr/sbin/dhcpd3 -f -d -cf /etc/dhcp3/dhcpd.conf -lf /var/lib/dhcp3/dhcpd.leases eth0

OK, so it's running; now for the tcpdump. DHCP activity happens on ports 67 and 68, so we can run a simple command like this:
=> tcpdump -n port 67 or port 68
This should give us some output like so:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:30:40.158223 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:22:19:a9:e8:3d, length 548
08:30:42.452181 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:22:19:a9:e8:3d, length 548
08:30:44.109164 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:22:19:a9:e8:3d, length 548
08:30:46.464025 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:f1:7b:09:3b, length 300
08:30:51.463328 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:f1:7b:09:3b, length 300

If your output looks like mine above, then you have a problem. You can see clients asking for a lease, but for some reason my server is not replying to them.
Once we find the problem with our dhcpd, we should be able to run this command again and see output similar to this:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:33:42.800945 IP 192.168.2.246.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:1a:a0:21:2f:04, length: 300
09:33:42.801949 IP 192.168.2.15.bootps > 192.168.2.246.bootpc: BOOTP/DHCP, Reply, length: 300
09:33:50.056500 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:18:8b:8a:b3:51, length: 318
09:33:50.096365 IP 192.168.2.15.bootps > 192.168.2.223.bootpc: BOOTP/DHCP, Reply, length: 323
09:34:03.377480 IP 192.168.2.222.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:24:e8:2e:a6:ec, length: 300
09:34:03.380555 IP 192.168.2.15.bootps > 192.168.2.222.bootpc: BOOTP/DHCP, Reply, length: 300
09:34:11.697196 IP 192.168.2.221.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:24:e8:2e:49:09, length: 300
09:34:11.699273 IP 192.168.2.15.bootps > 192.168.2.221.bootpc: BOOTP/DHCP, Reply, length: 300
09:35:20.272780 IP 192.168.2.161.bootpc > 192.168.2.15.bootps: BOOTP/DHCP, Request from 00:22:19:a9:e8:3d, length: 548
09:35:20.277025 IP 192.168.2.15.bootps > 192.168.2.161.bootpc: BOOTP/DHCP, Reply, length: 300

Now we can see that the server is replying to the requests, so everything is working.
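
The difference between the two captures can also be checked mechanically. The following is an added example, not part of the original post: a small shell function (the names `dhcp_unanswered` and `sample_no_reply` are made up here) that reads tcpdump summary lines in the format shown above and lists each client MAC with the number of requests that were not followed by a reply. It assumes a request counts as answered only if a Reply line appears before the next Request line, which is a heuristic that fits a quiet network.

```shell
#!/bin/sh
# Added example: flag DHCP clients whose requests go unanswered.
# Input: summary lines from `tcpdump -n port 67 or port 68` on stdin.
# Output: "MAC count" per client, one line each, sorted by MAC.
dhcp_unanswered() {
    awk '
    /BOOTP\/DHCP, Request from/ {
        # A request still pending when the next request arrives got no reply.
        if (pending != "") missed[pending]++
        for (i = 1; i < NF; i++)
            if ($i == "from") { mac = $(i + 1); sub(/,$/, "", mac) }
        pending = mac
        next
    }
    # Any server reply clears the pending request (heuristic, see lead-in).
    /BOOTP\/DHCP, Reply/ { pending = "" }
    END {
        if (pending != "") missed[pending]++
        for (m in missed) print m, missed[m]
    }' | LC_ALL=C sort
}

# Sample input: the five lines of the first (broken) capture in this post.
sample_no_reply() {
    cat <<'EOF'
08:30:40.158223 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:22:19:a9:e8:3d, length 548
08:30:42.452181 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:22:19:a9:e8:3d, length 548
08:30:44.109164 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:22:19:a9:e8:3d, length 548
08:30:46.464025 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:f1:7b:09:3b, length 300
08:30:51.463328 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:f1:7b:09:3b, length 300
EOF
}

# Stand-alone demo on the sample; on a live server, pipe
# `tcpdump -l -n port 67 or port 68` into dhcp_unanswered instead.
sample_no_reply | dhcp_unanswered
```

An empty result means every request seen was followed by a reply, as in the second capture.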

Check back soon as we cover how to find what was causing the problem with DHCP.

This post is filed under “Linux, Systems Administration”.
