Debugging DHCP session with dhcpdump
Today I came across an interesting way to debug what's going on during a DHCP session. What I was especially interested in were the DHCP options that the clients in my testing environment were sending, and in particular option 93, which holds the architecture type of the client as defined by RFC 4578.
Initially my approach was to try to get the data directly from a raw tcpdump session, filtering only DHCP traffic, but after spending a few minutes on this I realized that I'd better view it in a more friendly way (I was definitely looking for something like Wireshark's interface, but for the command-line realm). I started researching whether any tool that could help me with this task already existed, and nearly immediately I came to a very interesting and helpful one, which helped me achieve exactly what I wanted. The name of the tool is dhcpdump.
The idea behind the tool is to parse the output of tcpdump and display it in a human-readable format. I installed it as an rpm on my CentOS box. I got the package from repoforge.
After installing the rpm and reading the man page, I was able to gather the info I needed immediately. Below is an example output of this tool:
[root@testserver01 ~]# tcpdump -lenx -s 1500 port bootps or port bootpc | dhcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
TCPdump 3.8.x output
TIME: 15:54:23.478149
IP: > (00:50:56:94:00:01) > (Broadcast)
OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 57940001
SECS: 4
FLAGS: 7f80
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:50:56:94:00:01:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 1 (DHCPDISCOVER)
OPTION: 55 ( 24) Parameter Request List
    1 (Subnet mask)
    2 (Time offset)
    3 (Routers)
    5 (Name server)
    6 (DNS server)
    11 (Resource location server)
    12 (Host name)
    13 (Boot file size)
    15 (Domainname)
    16 (Swap server)
    17 (Root path)
    18 (Extensions path)
    43 (Vendor specific info)
    54 (Server identifier)
    60 (Vendor class identifier)
    67 (Bootfile name)
    128 (???)
    129 (???)
    130 (???)
    131 (???)
    132 (???)
    133 (???)
    134 (???)
    135 (???)
OPTION: 57 ( 2) Maximum DHCP message size 1260
OPTION: 97 ( 17) UUID/GUID
    00421403732bbd8f .B..s+..
    e7e5d5fd1c8ce7a5 ........
    6c l
OPTION: 93 ( 2) Client System 0000 ..
OPTION: 94 ( 3) Client NDI 010201 ...
OPTION: 60 ( 32) Vendor class identifier PXEClient:Arch:00000:UNDI:002001
---------------------------------------------------------------------------
TIME: 15:54:24.000937
IP: > (00:50:56:94:00:08) > (Broadcast)
OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 57940001
SECS: 4
FLAGS: 7f80
CIADDR: 0.0.0.0
YIADDR: 10.2.0.67
SIADDR: 10.2.0.93
GIADDR: 0.0.0.0
CHADDR: 00:50:56:94:00:01:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: /pxelinux.0.
OPTION: 53 ( 1) DHCP message type 2 (DHCPOFFER)
OPTION: 54 ( 4) Server identifier 10.2.0.93
OPTION: 51 ( 4) IP address leasetime 21600 (6h)
OPTION: 1 ( 4) Subnet mask 255.255.255.0
OPTION: 3 ( 4) Routers 10.2.0.254
OPTION: 6 ( 4) DNS server 10.2.0.254
OPTION: 12 ( 3) Host name client
---------------------------------------------------------------------------
TIME: 15:54:25.563625
IP: > (00:50:56:94:00:01) > (Broadcast)
OP: 1 (BOOTPREQUEST)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 57940001
SECS: 4
FLAGS: 7f80
CIADDR: 0.0.0.0
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:50:56:94:00:01:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: .
OPTION: 53 ( 1) DHCP message type 3 (DHCPREQUEST)
OPTION: 50 ( 4) Request IP address 10.2.0.67
OPTION: 55 ( 24) Parameter Request List
    1 (Subnet mask)
    2 (Time offset)
    3 (Routers)
    5 (Name server)
    6 (DNS server)
    11 (Resource location server)
    12 (Host name)
    13 (Boot file size)
    15 (Domainname)
    16 (Swap server)
    17 (Root path)
    18 (Extensions path)
    43 (Vendor specific info)
    54 (Server identifier)
    60 (Vendor class identifier)
    67 (Bootfile name)
    128 (???)
    129 (???)
    130 (???)
    131 (???)
    132 (???)
    133 (???)
    134 (???)
    135 (???)
OPTION: 57 ( 2) Maximum DHCP message size 1260
OPTION: 54 ( 4) Server identifier 10.2.0.93
OPTION: 97 ( 17) UUID/GUID
    00421403732bbd8f .B..s+..
    e7e5d5fd1c8ce7a5 ........
    6c l
OPTION: 93 ( 2) Client System 0000 ..
OPTION: 94 ( 3) Client NDI 010201 ...
OPTION: 60 ( 32) Vendor class identifier PXEClient:Arch:00000:UNDI:002001
---------------------------------------------------------------------------
TIME: 15:54:25.568186
IP: > (00:50:56:94:00:08) > (Broadcast)
OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
HLEN: 6
HOPS: 0
XID: 57940001
SECS: 4
FLAGS: 7f80
CIADDR: 0.0.0.0
YIADDR: 10.2.0.67
SIADDR: 10.2.0.93
GIADDR: 0.0.0.0
CHADDR: 00:50:56:94:00:01:00:00:00:00:00:00:00:00:00:00
SNAME: .
FNAME: /pxelinux.0.
OPTION: 53 ( 1) DHCP message type 5 (DHCPACK)
OPTION: 54 ( 4) Server identifier 10.2.0.93
OPTION: 51 ( 4) IP address leasetime 21600 (6h)
OPTION: 1 ( 4) Subnet mask 255.255.255.0
OPTION: 3 ( 4) Routers 10.2.0.254
OPTION: 6 ( 4) DNS server 10.2.0.254
OPTION: 12 ( 3) Host name client
---------------------------------------------------------------------------
As you can see, the output is friendly enough for reading the entire content of the DHCP packets. I was able to examine the options I needed and continue further with the experimentation. I find this a nice little tool, which I'll definitely keep on my list 🙂
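For readers who want to pull option 93 out of a capture programmatically, here is an added example (not part of the original post and not dhcpdump's own code) that walks the DHCP option TLVs of a raw BOOTP payload and decodes the client architecture using the type table from RFC 4578. The function names are hypothetical, and the sample packet is constructed from the field values shown in the DHCPDISCOVER dump above.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field (RFC 2131)
# Option 93 architecture types as listed in RFC 4578, section 2.1
ARCH_TYPES = {0: "Intel x86PC", 1: "NEC/PC98", 2: "EFI Itanium", 3: "DEC Alpha",
              4: "Arc x86", 5: "Intel Lean Client", 6: "EFI IA32", 7: "EFI BC",
              8: "EFI Xscale", 9: "EFI x86-64"}

def parse_options(packet: bytes) -> dict:
    """Return {option code: value bytes} from a BOOTP/DHCP payload (UDP data)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: short header or missing magic cookie")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option carries no length byte
            i += 1
            continue
        if i + 1 >= len(packet) or i + 2 + packet[i + 1] > len(packet):
            raise ValueError("option %d runs past the end of the packet" % code)
        length = packet[i + 1]
        # A repeated option code is concatenated (long-option encoding, RFC 3396)
        options[code] = options.get(code, b"") + packet[i + 2:i + 2 + length]
        i += 2 + length
    return options

def client_arch(options: dict) -> list:
    """Decode option 93: one or more 16-bit big-endian architecture types."""
    raw = options.get(93, b"")
    if len(raw) % 2:
        raise ValueError("option 93 length must be a multiple of 2")
    types = struct.unpack("!%dH" % (len(raw) // 2), raw)
    return [(t, ARCH_TYPES.get(t, "unknown")) for t in types]

def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER rebuilt from the field values in the dump above."""
    zero, chaddr = b"\x00" * 4, bytes.fromhex("005056940001")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x57940001,
                         4, 0x7F80, zero, zero, zero, zero, chaddr, b"", b"")
    opts = [(53, b"\x01"), (57, struct.pack("!H", 1260)),
            (93, b"\x00\x00"), (94, bytes.fromhex("010201")),
            (60, b"PXEClient:Arch:00000:UNDI:002001")]
    body = b"".join(bytes([c, len(v)]) + v for c, v in opts)
    return header + MAGIC_COOKIE + body + b"\xff"

if __name__ == "__main__":
    opts = parse_options(build_sample_discover())
    print(client_arch(opts), opts[60].decode("ascii"))
```

The `0000` that dhcpdump prints for option 93 decodes to type 0 (Intel x86PC), which agrees with the `Arch:00000` field in the option 60 vendor class string.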
February 13th, 2016 - 21:04
Hi, I think your blog might be having browser compatibility issues. When I look at your website in Chrome, it looks fine but when opening in Internet Explorer, it has some overlapping. I just wanted to give you a quick heads up!
Other than that, excellent blog!