Jump to content

Capture DHCP traffic using Wireshark


Recommended Posts

Step One (Select Interface)

Open Wireshark and go to (Capture -> Interfaces)

Determine which Ethernet device you are using to connect to the network. You can determine which one is being used by the number of packets sent/received.


NOTE: I’m using the one called eth0, which is my virtual network card.

Step Two (Choose Options)

Click the options button on the device being used to bring up the capture options


Uncheck the capture packets in promiscuous mode option to only see traffic that is sent and received to this network card.

Step Three (Start Capture)

Click the start button to begin capturing network traffic.

Now Wireshark is capturing all of the traffic that is sent and received by the network card.

Step Four (Filter)

We are only interested with the DHCP traffic, so on the display filter type (bootp.option.type == 53) and click apply.

The DHCP Release resulted from me typing

Linux: sudo dhclient -r

Windows: ipconfig /release

Mac: sudo ifconfig en1 down (list interfaces: networksetup -listnetworkserviceorder)


The DHCP Discover, Offer, Request, and ACK resulted from me typing

Linux: sudo dhclient eth0

Windows: ipconfig /renew

Mac: sudo ifconfig en1 up


If you look at the DHCP Response you can see the DHCP Scope Options that have been sent to the client from the DHCP Server


DHCP (Dynamic Host Configuration Protocol) Discovery

DHCP uses the same two ports assigned by IANA for BOOTP: destination UDP port 67 for sending data to the server, and UDP port 68 for data to the client.  

DHCP operations fall into four basic phases: IP discovery, IP lease offer, IP request, and IP lease acknowledgment.

DHCP clients and servers on the same subnet communicate via UDP broadcasts, initially. If the client and server are on different subnets, a DHCP Helper or DHCP Relay Agent may be used. Clients requesting renewal of an existing lease may communicate directly via UDP unicast, since the client already has an established IP address at that point.

The client broadcasts messages on the physical subnet to discover available DHCP servers. Network administrators can configure a local router (or IP Helper Address on a switch) to forward DHCP packets to a DHCP server which resides on a different subnet. This client implementation creates a User Datagram Protocol (UDP) packet with the broadcast destination of or the specific subnet broadcast address.


A DHCP client can also request its last-known IP address (in the example below, If the client remains connected to a network for which this IP is valid, the server may grant the request. Otherwise, it depends whether the server is set up as authoritative or not. An authoritative server will deny the request, making the client ask for a new IP address immediately. A non-authoritative server simply ignores the request, leading to an implementation-dependent timeout for the client to give up on the request and ask for a new IP address.



DHCP Offer

When a DHCP server receives an IP lease request from a client, it reserves an IP address for the client and extends an IP lease offer by sending a DHCPOFFER message to the client. This message contains the client's MAC address, the IP address that the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.


The server determines the configuration based on the client's hardware address as specified in the CHADDR (Client Hardware Address) field. Here the server,, specifies the client's IP address in the YIADDR (Your IP Address) field.


DHCP Request

In response to the DHCP offer, the client replies with a DHCP request, broadcast to the server, requesting the offered address. A client can receive DHCP offers from multiple servers, but it will accept only one DHCP offer. Based on required server identification option in the request and broadcast messaging, servers are informed whose offer the client has accepted. When other DHCP servers receive this message, they withdraw any offers that they might have made to the client and return the offered address to the pool of available addresses.


DHCP Acknowledgement

When the DHCP server receives the DHCPREQUEST message from the client, the configuration process enters its final phase. The acknowledgement phase involves sending a DHCPACK packet to the client. This packet includes the lease duration and any other configuration information that the client might have requested. At this point, the IP configuration process is completed.


After the client obtains an IP address, the client may use the Address Resolution Protocol (ARP) to prevent IP conflicts caused by overlapping address pools of DHCP servers.

The protocol expects the DHCP client to configure its network interface with the negotiated parameters.


Link to comment
Share on other sites


  • Create New...