dhcpdump

dhcpdump [options]
Common usage examples:
tcpdump -q -s 0 -w - port bootps or port bootpc | dhcpdump
dhcpdump -i eth0

-h
    Displays a brief help message and exits.

-V
    Displays version information and exits.

-i
    Reads packets directly from the specified network .
This option typically requires root privileges and might rely on internal
calls to tcpdump or similar capture mechanisms.

-r
    Reads packets from the specified PCAP instead of standard input
or a live interface.

-p
    Prevents the network interface from being put into promiscuous mode when
capturing directly via -i.

-q
    Quick (quiet) mode. Provides a more concise output by suppressing some
detailed information.

-n
    Do not resolve hostnames. Displays IP addresses numerically instead of
attempting to resolve them to hostnames.

-v
    Verbose mode. Provides more detailed output, though its exact effect can
vary between different dhcpdump implementations.

dhcpdump is a command-line utility designed to decode and display the contents of
DHCP (Dynamic Host Configuration Protocol) and BOOTP (Bootstrap Protocol)
packets in a human-readable format. It acts as a specialized dissector,
processing raw packet data, typically received from network packet capture
tools like tcpdump or tshark. Its primary function is to simplify the
analysis of DHCP/BOOTP communications, making it easier for network
administrators and engineers to troubleshoot DHCP issues, monitor client
lease assignments, and verify server responses.

When combined with packet capture tools, dhcpdump presents detailed
information such as transaction IDs, client MAC addresses, requested IP
addresses, lease times, DHCP message types (discover, offer, request, ack,
nak, decline), and various DHCP options (subnet mask, router, DNS servers, etc.).
This makes it an invaluable tool for understanding the intricacies of the
DHCP negotiation process on a network.

dhcpdump's direct packet capture capabilities (using -i or -r) are
not universally present across all implementations; some versions strictly
expect piped input from tools like tcpdump.
It relies on accurate filtering of DHCP/BOOTP traffic to avoid processing
unrelated network data.
The exact set of supported DHCP options and the output format can vary
between different versions and distributions.
Some very new or non-standard DHCP options might not be fully decoded.

The most common way to use dhcpdump is by piping the raw packet output
from a packet capture tool to its standard input. For instance,
tcpdump -q -s 0 -w - 'port bootps or port bootpc' | dhcpdump
captures all DHCP/BOOTP traffic and passes it to dhcpdump for parsing.
The -s 0 option ensures full packets are captured, -w - writes to
standard output, and the filter expression 'port bootps or port bootpc'
specifically targets DHCP/BOOTP ports (67 and 68).

dhcpdump's output is structured to highlight key DHCP transaction
details. It typically includes:
• Transaction ID (Xid): A unique identifier for the DHCP exchange.
• Message Type: Indicates the DHCP message (e.g., DISCOVER, OFFER,
REQUEST, ACK, NAK).
• Client MAC Address (Chaddr): The hardware address of the client.
• Client IP Address (Ciaddr): The client's current IP address (if applicable).
• Requested IP Address (Yiaddr): The IP address offered by the server or
requested by the client.
• Lease Time: How long the IP address is valid.
• DHCP Options: Detailed list of options like Subnet Mask, Router, DNS
Servers, Server Identifier, etc. This information is crucial for verifying
network configurations and debugging connectivity issues.

dhcpdump emerged as a specialized tool during the early days of widespread
DHCP adoption, complementing general-purpose packet sniffers like
tcpdump. Its development was driven by the need for simpler, human-readable
analysis of DHCP negotiations without requiring a full graphical protocol
analyzer. Initially, many implementations were simple scripts (e.g., Perl or
Awk) designed to parse tcpdump output. Over time, compiled binaries
providing more robust parsing and optional direct capture capabilities
became available. Its usage remains valuable for quick, focused DHCP
analysis, especially in environments where a full-fledged network analyzer
is not readily available or when debugging DHCP issues at the command line.

tcpdump(1), tshark(1), wireshark(1), dhclient(8), dhcpd(8)