I am looking for the answer to why packet captures in Wireshark don't contain the DHCP offer message. I was trying to capture packets directly on the computer with Wireshark installed and by using a SPAN monitor port.
In both situations I am not able to see DHCP offer as on the following screen:
I am using Wireshark 2.6.4 on macOS Mojave.
Below is the simple diagram with a topology:
Here is the switch configuration:
interface Vlan47
 ip address x.x.x.1 255.255.255.0
!
interface Vlan49
 ip address x.x.x.1 255.255.255.0
 ip helper-address x.x.x.55
!
SPAN monitor destination interface
 switchport access vlan 21
 switchport mode access
 switchport nonegotiate
 switchport block unicast
 no logging event link-status
 access-session port-control auto
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 storm-control broadcast level 2.00
 storm-control multicast level 5.00
 storm-control action trap
 spanning-tree portfast
 service-policy type control subscriber policy_name
 ip dhcp snooping limit rate 100
!
SPAN monitor source port
 switchport access vlan 49
 switchport mode access
 switchport nonegotiate
 switchport block unicast
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 no logging event link-status
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 3
 access-session port-control force-authorized
 storm-control broadcast level 2.00
 storm-control multicast level 5.00
 storm-control action trap
 spanning-tree portfast
 service-policy type control subscriber policy_name
 ip verify source
 ip dhcp snooping limit rate 100
!
DHCP server port
interface Port-channel1
 switchport trunk allowed vlan 47,70
 switchport mode trunk
 switchport nonegotiate
 switchport block unicast
 ip arp inspection trust
 ip arp inspection limit rate 100
 logging event link-status
 storm-control broadcast level 5.00
 storm-control multicast level 10.00
 storm-control action trap
 ip dhcp snooping limit rate 1000
 ip dhcp snooping trust
!
!
sh monit sess all
Session 1
---------
Type : Local Session
Source Ports :
Both : SPAN source port
Destination Ports : SPAN dst port
Encapsulation : Native
Ingress : Disabled
!
!
Best Answer
This is a bug/limitation of the recent versions of the capture driver of Wireshark.
On macOS Mojave 10.14.3 or 10.14.4, with Wireshark 2.4.1 or 2.4.13 capturing unfiltered traffic, we can see the DHCP offer:
Upgrading to Wireshark 2.6.4 and performing the exact same capture, the DHCP offer no longer appears.
Upgrading to Wireshark 3.0.0 yields the same result (no DHCP offer).
Opening the capture file made in V2.4.1 with V2.6.4/3.0, it is there.
Capturing with V2.6.4/3.0 and then opening the capture in V2.4.1, it is still missing.
Installing Wireshark 2.4.13 in a macOS VM, the DHCP offer appears; copying (not installing) the WS 3.0 app into this VM, the DHCP offer still appears.
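The comparison in the answer depends on which DHCP messages are actually present in each capture file. As an added example (not part of the original answer), the Python below reads a capture file directly and lists the handshake steps it lacks, independent of any Wireshark version's dissector. It assumes the capture was saved in classic pcap format (not pcapng) with untagged Ethernet/IPv4 frames; the function names and the sample capture are constructed for illustration.

```python
import struct

DHCP_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
COOKIE = b"\x63\x82\x53\x63"              # precedes the DHCP options
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)    # microsecond / nanosecond pcap

def dhcp_type(frame):
    """DHCP message type (option 53) of an untagged Ethernet frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                       # not IPv4 carrying UDP
    udp = 14 + (frame[14] & 0x0F) * 4     # honour the IPv4 header length
    if len(frame) < udp + 8:
        return None
    if set(struct.unpack("!HH", frame[udp:udp + 4])) - {67, 68}:
        return None                       # a port other than 67/68 is in use
    i = udp + 8 + 236                     # UDP header + fixed BOOTP header
    if frame[i:i + 4] != COOKIE:
        return None
    i += 4
    while i + 2 < len(frame) and frame[i] != 255:       # 255 = end option
        if frame[i] == 53:
            return DHCP_TYPES.get(frame[i + 2], "OTHER")
        i += 1 if frame[i] == 0 else 2 + frame[i + 1]   # pad has no length
    return None

def missing_dhcp_steps(data):
    """Handshake steps (DISCOVER, OFFER, REQUEST, ACK) absent from a pcap."""
    order = "little" if data[:1] in (b"\xd4", b"\x4d") else "big"
    if len(data) < 24 or int.from_bytes(data[:4], order) not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file")
    if int.from_bytes(data[20:24], order) != 1:
        raise ValueError("link type is not Ethernet")
    seen, pos = set(), 24
    while pos + 16 <= len(data):
        incl = int.from_bytes(data[pos + 8:pos + 12], order)  # captured length
        seen.add(dhcp_type(data[pos + 16:pos + 16 + incl]))
        pos += 16 + incl
    return [t for t in DHCP_TYPES.values() if t not in seen]

def sample_pcap(msg_types):               # constructed capture, not real traffic
    out = struct.pack("<IHHiIII", PCAP_MAGICS[0], 2, 4, 0, 0, 65535, 1)
    for t in msg_types:
        ports = (67, 68) if t in (2, 5) else (68, 67)   # server vs client
        udp = struct.pack("!HHHH", *ports, 252, 0) + bytes(236) \
            + COOKIE + bytes([53, 1, t, 255])
        ip = struct.pack("!BBHHHBBH8x", 0x45, 0, 272, 0, 0, 64, 17, 0)
        frame = bytes(12) + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Running `missing_dhcp_steps(open(path, "rb").read())` on a capture from each Wireshark version shows whether the offer is absent from the file itself rather than merely not displayed.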