Recently at $WORKwe’ve been having some strange issues with a particular XenVMnot gettingDHCP. Traditional (tail -f dhcpd.log) debugging hasn’t turned up much, other than the server is getting theDISCOVERbut not sending out anOFFER. I’ve turned to packet captures to try and track down the problem. Of course, this is wheretcpdumpandwiresharkcome into play. So I thought I’d share some of the filters that I’ve been using, and a few that I developed.

tcpdump filter forCDP(I should have this memorized by now) fromSWeidner:

tcpdump -nn -v -i eth0 -s 1500 -c 1'ether[20:2] == 0x2000'

Wireshark display filter for a specificDHCPclient (byMAC):

bootp.hw.mac_addr == 00:11:22:33:44:55

tcpdump filter to matchDHCPpackets including a specific ClientMACAddress:

tcpdump -i br0 -vvv -s 1500'((port 67 or port 68) and (udp[38:4] = 0x3e0ccf08))'

tcpdump only allows matching on a maximum of 4 bytes (octets), not the 6 bytes of aMACaddress. So, in the above example, we match the last 4 bytes (presumably the most unique) - our originalMACaddress was00:16:3e:0c:cf:08, so we match on3e0ccf08. Theudp[38:4]matches from the 38th octet after the start of theUDPheader (so the comparison starts on the 39th octet) and compares a chunk 4 octets long. TheUDPheaderis 8 octets long, followed immediately by theDHCPheader, and the ClientMACAddress field is composed of octets 29-35 of theDHCPheader. Therefore, 8 octets forUDPheader + 28 octets until ClientMACAddress + 2 octets offset (drop the first 2 octets ofMACaddress to allow a 4 octet comparison) = 38 (our total?offset).

This can also be modified as a Wireshark display?filter:

udp[38:4]==3e:0c:cf:08

Using the same logic, a tcpdump filter to capture packets sent by the client (DISCOVER,REQUEST,INFORM):

tcpdump -i br0 -vvv -s 1500'((port 67 or port 68) and (udp[8:1] = 0x1))'

Finally, a tcpdump filter forDHCPDISCOVERpackets (this makes the possibly flawed ass-umption that Option 53 will be the first option?set:

udp[247:4] = 0x63350101

and a wireshark display?filter:

udp[247:4]==63:35:01:01

And the same thing forDHCPREQUESTpackets:

udp[247:4] = 0x63350103

and a wireshark display?filter:

udp[247:4]==63:35:01:03