Tcpdump not intercepting DHCP ACK

Tags: openwrt, tcpdump

I have a router running LEDE with tcpdump installed:

tcpdump --version
# tcpdump version 4.9.0
# libpcap version 1.8.1

When I run it like so:

tcpdump -vnes0 -i eth0 port 67 or port 68

I can see

00:00:24.122791 00:00:00:00:69:6f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 3, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:00:00:00:69:6f, length 300, xid 0xc74a7577, Flags [none]
      Client-Ethernet-Address 00:00:00:00:69:6f
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Request
        Requested-IP Option 50, length 4: 10.1.0.228
        Hostname Option 12, length 3: "hostname"
        Parameter-Request Option 55, length 13:
          Subnet-Mask, BR, Time-Zone, Classless-Static-Route
          Domain-Name, Domain-Name-Server, Hostname, YD
          YS, NTP, MTU, Option 119
          Default-Gateway

but I can't see the ACK packet; however, the ACK is transmitted, as tcpdump -vnes0 -i eth0 shows:

00:00:25.760293 00:00:00:00:20:01 > 00:00:00:00:69:6f, ethertype 802.1Q (0x8100), length 348: vlan 3, p 0, ethertype IPv4, (tos 0xc0, ttl 64, id 18290, offset 0, flags [none], proto UDP (17), length 330)
    10.1.0.1.67 > 10.1.0.228.68: BOOTP/DHCP, Reply, length 302, xid 0x95afbf42, Flags [none]
          Your-IP 10.1.0.228
          Server-IP 10.1.0.1
          Client-Ethernet-Address 00:00:00:00:69:6f
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: ACK
            Server-ID Option 54, length 4: 10.1.0.1
            Lease-Time Option 51, length 4: 43200
            RN Option 58, length 4: 21600
            RB Option 59, length 4: 37800
            Subnet-Mask Option 1, length 4: 255.255.255.0
            BR Option 28, length 4: 10.1.0.255
            Default-Gateway Option 3, length 4: 10.1.0.1
            Domain-Name-Server Option 6, length 4: 10.1.0.1
            Domain-Name Option 15, length 3: "XXX"
            Hostname Option 12, length 3: "hostname"

Is this a bug in tcpdump or is my filtering wrong?
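An added example (not part of the question or the answer) that parses the kind of tcpdump -v -e records quoted above and pairs DHCP Requests with ACK/NAK replies by transaction id (xid), which is how RFC 2131 matches a reply to its request. It assumes the line layout tcpdump 4.9 prints with -v and -e; the sample records are constructed from the two quoted in the question, trimmed to the relevant lines.

```python
import re

# Constructed sample: trimmed copies of the two tcpdump -vnes0 records quoted in the question.
SAMPLE = """\
00:00:24.122791 00:00:00:00:69:6f > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 3, p 0, ethertype IPv4, (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:00:00:00:69:6f, length 300, xid 0xc74a7577, Flags [none]
      Client-Ethernet-Address 00:00:00:00:69:6f
      Vendor-rfc1048 Extensions
        DHCP-Message Option 53, length 1: Request
00:00:25.760293 00:00:00:00:20:01 > 00:00:00:00:69:6f, ethertype 802.1Q (0x8100), length 348: vlan 3, p 0, ethertype IPv4, (tos 0xc0, ttl 64, id 18290, offset 0, flags [none], proto UDP (17), length 330)
    10.1.0.1.67 > 10.1.0.228.68: BOOTP/DHCP, Reply, length 302, xid 0x95afbf42, Flags [none]
      Your-IP 10.1.0.228
      Client-Ethernet-Address 00:00:00:00:69:6f
        DHCP-Message Option 53, length 1: ACK
"""

# A new record starts at column 0 with a timestamp; continuation lines are indented.
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
FIELD_RES = {
    "vlan": re.compile(r"\bvlan (\d+)"),                       # 802.1Q tag shown by -e
    "xid": re.compile(r"\bxid (0x[0-9a-f]+)"),                 # DHCP transaction id
    "msg": re.compile(r"DHCP-Message Option 53, length 1: (\w+)"),
    "mac": re.compile(r"Client-Ethernet-Address ([0-9a-f:]{17})"),
}

def parse_records(text):
    """Split tcpdump -v output into records and extract vlan, xid, message type and client MAC."""
    records, current = [], None
    for line in text.splitlines():
        if TS_RE.match(line):
            if current:
                records.append(current)
            current = {"time": line.split()[0], "vlan": None, "xid": None, "msg": None, "mac": None}
        if current is None:          # ignore any preamble before the first timestamped line
            continue
        for key, rx in FIELD_RES.items():
            m = rx.search(line)
            if m and current[key] is None:
                current[key] = m.group(1)
    if current:
        records.append(current)
    return records

def unanswered_requests(records):
    """Return xids of DHCP Requests with no ACK/NAK carrying the same xid in the capture."""
    replied = {r["xid"] for r in records if r["msg"] in ("ACK", "NAK")}
    return [r["xid"] for r in records if r["msg"] == "Request" and r["xid"] not in replied]
```

On the two records quoted in the question the xids differ (0xc74a7577 vs 0x95afbf42), so the parser reports the Request as unanswered; feeding it a longer capture (tcpdump output piped in) shows which transactions actually complete rather than relying on eyeballing the two decodes.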

Best Answer

Try:

tcpdump -vnes0 -i eth0 port 67 or 68

https://danielmiessler.com/study/tcpdump/