6

As I understand it, for IPv4 I would need to capture

  • UDP port 67 and 68,
  • ARP,
  • ICMP echo request and reply,

and for IPv6 I would need

  • UDP port 546 and 547,
  • all DHCP-related multicast addresses,
  • ICMPv6 neighbor discovery.

I want to capture DHCP related traffic with tcpdump or wireshark for later analysis.

Although I want to make the filter as specific as possible to get a small capture file, I don't want to miss out on some important packets like those used to verify that an IP address is not yet taken.

Am I missing something?

Mathias Weidner
  • 417
  • 3
  • 10

3 Answers3

6

I settled with the following PCAP filter:

( udp and ( port 67 or port 68 ) )
or arp
or ( icmp and (icmp[icmptype] == 8 or icmp[icmptype] == 0 ) )
or ( udp and ( port 546 or port 547 ) )
or ( icmp6 and ( ip6[40] == 135 or ip6[40] == 136 ) )
or dst net ff02:0:0:0:0:1:ff00::/104
or dst host ff01::1
or dst host ff02::1
or dst host ff02::1:2
or ( icmp6 and ( ip6[40] == 128 or ip6[40] == 129 ) )

The first three lines catch DHCPv4, ARP (duplicate address detection) and PING.

The fourth line catches DHCPv6, lines five to eight catch duplicate address detection for IPv6. Line nine catches multicast for DHCPv6 agents and the last line is for PING6.

Of course this will catch many packets not related to the DHCP traffic. These have to be sorted out afterwards.

Maybe the PING and PING6 traffic isn't needed at all.

Mathias Weidner
  • 417
  • 3
  • 10
3

The filter port 67 or port 68 will get you the DHCP conversation itself, that is correct.

The filter arp should capture arp traffic on the subnet. This is broadcast in nature, so can be caught from any port on the subnet.

And the ICMP requests you've already outlined.

I'd say you have the comprehensive list.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
1

You want to filter for all BOOTP traffic since DHCP uses BOOTP as is comms protocol. See this:

https://wiki.wireshark.org/DHCP

tomstephens89
  • 981
  • 1
  • 11
  • 23
  • As I understand it, this would only capture the direct traffic between DHCP client and server. I'm also interested in the packets used to check whether an IP address is already taken. – Mathias Weidner Aug 16 '15 at 13:36
  • DHCP doesn't actively go out onto the network and check what IP addresses are in use. It looks at its table of leases and reservations and gives out a free address based on that. – tomstephens89 Aug 16 '15 at 13:46
  • You're right. That's why I want to capture not only DHCP traffic but (all) DHCP related traffic. Sometimes the server checks if an IP address is taken before handing it out to the client. Sometimes the client makes the check before accepting an IP address. I'd like to catch this traffic too to analyze what's going on. – Mathias Weidner Aug 16 '15 at 13:53
  • Ahhh I see, you want to capture the client side conflict test etc... in which case ARP and ICMP are what you need to capture. – tomstephens89 Aug 16 '15 at 14:11