dhcpdump
Capture and analyze DHCP network traffic
SYNOPSIS
dhcpdump [-i interface] [-v] [-t] [-h] [-a] [-f pcapfile] [-s|-S sipaddr] [-c|-C cipaddr]
PARAMETERS
-i iface
Capture packets on specified network interface (default: all interfaces)
-v
Verbose mode: print undecoded options in hex
-t
Print timestamps on each line
-h
Print hex dump of each DHCP packet
-a
Display ARP 'who-has' requests alongside DHCP
-f pcapfile
Read packets from pcap file instead of live capture
-s sipaddr
Show only packets from source IP address
-S sipaddr
Hide packets from source IP address
-c cipaddr
Show only packets with client IP address
-C cipaddr
Hide packets with client IP address
DESCRIPTION
dhcpdump is a specialized Linux command-line tool for capturing and dissecting Dynamic Host Configuration Protocol (DHCP) packets. It listens on network interfaces or reads from pcap files, decoding DHCPv4 messages like DISCOVER, OFFER, REQUEST, ACK, and INFORM into a human-readable format. Output includes key details such as transaction IDs, client/server MAC addresses, assigned IP addresses, lease durations, subnet masks, gateways, DNS servers, and vendor-specific options.
This utility excels in troubleshooting DHCP environments, identifying rogue servers, lease conflicts, or configuration errors. Unlike generic sniffers like tcpdump, dhcpdump provides protocol-specific parsing, making it easier to spot issues without manual hex inspection. Features include filtering by IP/MAC, verbose hex dumps, timestamps, and ARP integration for address resolution.
Typically run with root privileges for live capture: dhcpdump -i eth0. It supports both real-time monitoring and offline analysis, aiding network admins in diagnosing connectivity problems in dynamic IP setups.
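Added example (not part of dhcpdump or of the original page): a minimal Python decoder for the DHCPv4 wire format, pulling out the fields named above and flagging server replies whose server identifier (option 54) is not on an allowlist, which is the rogue-server check described in this section. The function names, the allowlist and the 192.0.2.x sample packets are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: precedes the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload):
    """Decode the triage-relevant fields of a DHCPv4 UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCPv4 message")
    msg = {"xid": payload[4:8].hex(), "yiaddr": socket.inet_ntoa(payload[16:20]),
           "chaddr": payload[28:28 + min(payload[2], 16)].hex(":"),
           "type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:        # 255 = End option
        if payload[i] == 0:                               # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:                    # DHCP message type
            msg["type"] = MSG_TYPES.get(value[0], "UNKNOWN")
        elif code == 54 and length == 4:                  # server identifier
            msg["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return msg

def rogue_replies(payloads, allowed_servers):
    """Server replies whose option 54 is missing or not an authorized server."""
    decoded = [parse_dhcp(p) for p in payloads]
    return [m for m in decoded if m["type"] in ("OFFER", "ACK", "NAK")
            and m["server_id"] not in allowed_servers]

def build_reply(msg_type, server_ip, yiaddr, mac):
    """Constructed sample input (not a captured packet): minimal BOOTREPLY."""
    pkt = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)
    pkt += bytes(4) + socket.inet_aton(yiaddr) + bytes(8)  # ciaddr, yiaddr, siaddr+giaddr
    pkt += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    return (pkt + MAGIC_COOKIE + bytes([53, 1, msg_type, 54, 4])
            + socket.inet_aton(server_ip) + b"\xff")

if __name__ == "__main__":
    sample = [build_reply(2, "192.0.2.1", "192.0.2.50", "02:00:00:00:00:01"),
              build_reply(2, "192.0.2.66", "192.0.2.200", "02:00:00:00:00:01")]
    for m in rogue_replies(sample, {"192.0.2.1"}):       # allowlist is an assumption
        print("unauthorized %(type)s from %(server_id)s, yiaddr %(yiaddr)s" % m)
```

A reply with no option 54 at all is also reported, since its server_id is None and cannot match the allowlist.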
CAVEATS
Requires root privileges for live interface capture. Primarily supports DHCPv4; limited IPv6 handling. Does not support advanced BPF filters natively (use tcpdump for capture). May miss some proprietary vendor options.
BASIC USAGE EXAMPLE
sudo dhcpdump -i eth0 -v -t
Capture live DHCP traffic on eth0 with timestamps, printing undecoded options in hex.
OFFLINE ANALYSIS
dhcpdump -f capture.pcap -h
Decode a pcap file (for example one written by tcpdump -w) with a full hex dump of each packet.
HISTORY
Developed by Eric Biederman around 1999-2000 as a lightweight DHCP dissector. Maintained sporadically; available in most Linux distros via dhcpdump package. Remains popular for its simplicity despite newer tools.


