Monday, January 12, 2015

Tracing DHCP packets with Tshark

Recently I needed to debug a DHCP issue for my imx6 ARM board. The best tool I know for such a purpose is the "usual suspect" - Wireshark, and namely its console variant, tshark. The tool is wonderful and makes such a task a breeze:

$ sudo tshark -i eth0 -f "udp port 67"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x2233523a
  0.000186   10.10.10.1 -> 10.10.10.8   DHCP 342 DHCP Offer    - Transaction ID 0x2233523a
  0.000422      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0x2233523a
  0.000601   10.10.10.1 -> 10.10.10.8   DHCP 342 DHCP ACK      - Transaction ID 0x2233523a
^C4 packets captured

Here's how to save the capture to a file for later inspection and/or documentation purposes:

$ sudo tshark -i eth0 -f "udp port 67" -w dhcp_capture.pcapng
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
4 ^C

Packets can now be easily viewed with the Wireshark GUI - you can use another (developer) machine for this task, and you also don't need root privileges.
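
When a capture holds more than one exchange, it helps to see at which step each transaction stops. The following is an added example, not part of the original post: a hypothetical `dhcp_report` shell function that groups tshark's one-line summaries by transaction ID and reports the first missing message of the Discover/Offer/Request/ACK sequence. The lines for the second transaction in the sample input are constructed.

```shell
#!/bin/sh
# Added example: report where each DHCP exchange in tshark's summary output stops.

# Lines for 0x2233523a are the capture shown in the post; 0x1a2b3c4d is
# constructed here: a client whose Discover is retransmitted and never answered.
sample_capture() {
cat <<'EOF'
  0.000000      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x2233523a
  0.000186   10.10.10.1 -> 10.10.10.8   DHCP 342 DHCP Offer    - Transaction ID 0x2233523a
  0.000422      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Request  - Transaction ID 0x2233523a
  0.000601   10.10.10.1 -> 10.10.10.8   DHCP 342 DHCP ACK      - Transaction ID 0x2233523a
  5.120000      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x1a2b3c4d
  9.130000      0.0.0.0 -> 255.255.255.255 DHCP 342 DHCP Discover - Transaction ID 0x1a2b3c4d
EOF
}

# dhcp_report (hypothetical helper): reads summary lines on stdin and prints
# "<xid> complete", "<xid> nak" or "<xid> missing <next expected message>".
dhcp_report() {
    awk '
    BEGIN { split("Discover Offer Request ACK", want, " ") }
    {
        # Message type from the Info column; the protocol column "DHCP" is
        # followed by the frame length, so it cannot match here.
        if (!match($0, /DHCP (Discover|Offer|Request|ACK|NAK)/)) next
        type = substr($0, RSTART + 5, RLENGTH - 5)
        if (!match($0, /Transaction ID 0x[0-9a-fA-F]+/)) next
        xid = substr($0, RSTART + 15, RLENGTH - 15)
        if (!(xid in stage)) { order[++n] = xid; stage[xid] = 0 }
        if (type == "NAK") { nak[xid] = 1; next }
        # Advance only on the next expected message, so retransmits are ignored.
        if (stage[xid] < 4 && type == want[stage[xid] + 1]) stage[xid]++
    }
    END {
        for (i = 1; i <= n; i++) {
            x = order[i]
            if (stage[x] == 4)   print x, "complete"
            else if (x in nak)   print x, "nak"
            else                 print x, "missing", want[stage[x] + 1]
        }
    }'
}

sample_capture | dhcp_report
```

To run it on the saved file, pipe the output of `tshark -r dhcp_capture.pcapng` into `dhcp_report`; reading a capture file does not need root.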