Fork me on GitHub

Recently at $WORK we’ve been having some strange issues with a particular Xen VM not getting DHCP. Traditional (tail -f dhcpd.log) debugging hasn’t turned up much, other than the server is getting the DISCOVER but not sending out an OFFER. I’ve turned to packet captures to try and track down the problem. Of course, this is where tcpdump and wireshark come into play. So I thought I’d share some of the filters that I’ve been using, and a few that I developed.

tcpdump filter for CDP (I should have this memorized by now) from SWeidner:

tcpdump -nn -v -i eth0 -s 1500 -c 1 'ether[20:2] == 0x2000'

Wireshark display filter for a specific DHCP client (by MAC):

bootp.hw.mac_addr == 00:11:22:33:44:55

tcpdump filter to match DHCP packets including a specific Client MAC Address:

tcpdump -i br0 -vvv -s 1500 '((port 67 or port 68) and (udp[38:4] = 0x3e0ccf08))'

tcpdump only allows matching on a maximum of 4 bytes (octets), not the 6 bytes of a MAC address. So, in the above example, we match the last 4 bytes (presumably the most unique) - our original MAC address was 00:16:3e:0c:cf:08, so we match on 3e0ccf08. The udp[38:4] matches from the 38th octet after the start of the UDP header (so the comparison starts on the 39th octet) and compares a chunk 4 octets long. The UDP header is 8 octets long, followed immediately by the DHCP header, and the Client MAC Address field is composed of octets 29-35 of the DHCP header. Therefore, 8 octets for UDP header + 28 octets until Client MAC Address + 2 octets offset (drop the first 2 octets of MAC address to allow a 4 octet comparison) = 38 (our total offset).

This can also be modified as a Wireshark display filter:

udp[38:4]==3e:0c:cf:08

Using the same logic, a tcpdump filter to capture packets sent by the client (DISCOVER, REQUESTINFORM):

tcpdump -i br0 -vvv -s 1500 '((port 67 or port 68) and (udp[8:1] = 0x1))'

Finally, a tcpdump filter for DHCPDISCOVER packets (this makes the possibly flawed ass-umption that Option 53 will be the first option set:

udp[247:4] = 0x63350101

and a wireshark display filter:

udp[247:4]==63:35:01:01

And the same thing for DHCPREQUEST packets:

udp[247:4] = 0x63350103

and a wireshark display filter:

udp[247:4]==63:35:01:03

Comments

comments powered by Disqus