Ethereal-users: Re: [Ethereal-users] DHCP requests

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Fri, 2 Jul 2004 01:58:01 -0700
On Thu, Jul 01, 2004 at 02:33:43PM -0400, Ron Gallimore wrote:
> I need to create a filter that shows what ip address is assigned from 
> my DHCP server to the client.

I.e., a filter to show the DHCP reply to the client?

A capture filter to do that might be

	ether dst host {MAC address of the client} and udp src port 67

if the reply is sent to the client's MAC address (rather than being, for
example, broadcast) and is sent from UDP port 67 (the BOOTP server
port).

However, as DHCP is UDP-based, the reply has to have an IP destination
address of some sort - and, if the reply is giving the client an IP
address, the client probably doesn't have an IP address, so the reply
probably has to be broadcast, and, unless the DHCP server can tell the
networking stack below it "send this packet to this MAC address" *and*
get the source MAC address of the request, it'll probably be sent to the
broadcast MAC address.

Therefore, there's probably no simple filter to capture only the DHCP
reply to a particular client.

You might try

	udp port 67 or udp port 68

which I think should capture all the DHCP traffic; then you'd have to
use a display filter

	bootp.hw.addr == XX:XX:XX:XX:XX:XX

to search for the BOOTP/DHCP reply to the MAC address XX:XX:XX:XX:XX:XX,
which will probably be the DHCP reply giving the IP address to the
machine with that MAC address.

It *might* be possible to implement a capture filter for those packets,
given that

	1) the UDP header is fixed-length

and

	2) the client hardware address field in a BOOTP/DHCP packet is,
	   I think, at a fixed offset in the BOOTP/DHCP packet

so you could use "udp[N:M] == XXXXXXXX" filters to check the first 4 and
last 2 bytes of that field (libpcap capture filters can only check 1, 2,
or 4 bytes at a time).  Constructing the two "udp[N:M] == XXXXXXXX"
values that would be "and"ed together, given a particular MAC address,
is left as an exercise for the reader.
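Worked example, added here and not part of Guy Harris's post or the Ethereal project: the "exercise for the reader" carried through in Python. It assumes the standard BOOTP header layout (RFC 951: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, then the 16-byte chaddr at byte offset 28) and libpcap's convention that `udp[N:M]` indexes from the start of the 8-byte UDP header, so chaddr begins at `udp[36]`. The function names, the constructed sample reply packet and the sample MAC and IP values are all mine.

```python
import struct

# Assumed offsets (standard BOOTP header layout, RFC 951).
UDP_HEADER_LEN = 8         # the UDP header is fixed-length, as the post notes
BOOTP_CHADDR_OFFSET = 28   # op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) flags(2)
                           # ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) -> chaddr at 28
BOOTP_YIADDR_OFFSET = 16   # "your IP address": the address the server hands out
CHADDR_UDP_OFFSET = UDP_HEADER_LEN + BOOTP_CHADDR_OFFSET   # libpcap udp[36]


def parse_mac(mac: str) -> bytes:
    """Turn 'aa:bb:cc:dd:ee:ff' (or dash-separated) into 6 raw bytes."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected a 6-octet Ethernet address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def build_capture_filter(mac: str) -> str:
    """libpcap filter for the server->client BOOTP/DHCP reply carrying this MAC.

    libpcap compares at most 4 bytes per test, so the 6-byte chaddr is split
    into one 4-byte and one 2-byte comparison, "and"ed together. The
    'udp src port 67' clause keeps only packets sent from the BOOTP server port.
    """
    raw = parse_mac(mac)
    first4 = int.from_bytes(raw[:4], "big")
    last2 = int.from_bytes(raw[4:], "big")
    return ("udp src port 67 and udp[%d:4] == 0x%08x and udp[%d:2] == 0x%04x"
            % (CHADDR_UDP_OFFSET, first4, CHADDR_UDP_OFFSET + 4, last2))


def build_display_filter(mac: str) -> str:
    """Equivalent Ethereal display filter (the one the post gives)."""
    return "bootp.hw.addr == %s" % ":".join("%02x" % b for b in parse_mac(mac))


def constructed_dhcp_reply(mac: str, yiaddr: str) -> bytes:
    """Constructed sample: UDP header (67 -> 68) followed by a minimal BOOTP reply."""
    chaddr = parse_mac(mac).ljust(16, b"\x00")
    bootp = struct.pack("!BBBB", 2, 1, 6, 0)             # op=BOOTREPLY, htype=Ethernet, hlen=6, hops=0
    bootp += struct.pack("!IHH", 0x3903F326, 0, 0x8000)  # xid, secs, flags (broadcast bit set)
    bootp += bytes(4)                                    # ciaddr: client has no address yet
    bootp += bytes(int(o) for o in yiaddr.split("."))    # yiaddr: the offered address
    bootp += bytes(8)                                    # siaddr, giaddr
    bootp += chaddr + bytes(64) + bytes(128)             # chaddr, sname, file
    bootp += b"\x63\x82\x53\x63"                         # DHCP magic cookie
    udp = struct.pack("!HHHH", 67, 68, UDP_HEADER_LEN + len(bootp), 0)
    return udp + bootp


def matches_filter(udp_packet: bytes, mac: str) -> bool:
    """Apply the same byte tests the capture filter expresses, to check the offsets."""
    raw = parse_mac(mac)
    src_port = struct.unpack("!H", udp_packet[0:2])[0]
    o = CHADDR_UDP_OFFSET
    return (src_port == 67
            and udp_packet[o:o + 4] == raw[:4]
            and udp_packet[o + 4:o + 6] == raw[4:])


def offered_address(udp_packet: bytes) -> str:
    """Read yiaddr out of a reply: the IP address assigned to the client."""
    o = UDP_HEADER_LEN + BOOTP_YIADDR_OFFSET
    return ".".join(str(b) for b in udp_packet[o:o + 4])


if __name__ == "__main__":
    client = "00:11:22:33:44:55"          # constructed sample MAC
    print(build_capture_filter(client))
    print(build_display_filter(client))
    pkt = constructed_dhcp_reply(client, "192.168.1.50")
    print("matches:", matches_filter(pkt, client), "offered:", offered_address(pkt))
```

For the sample MAC the capture filter comes out as `udp src port 67 and udp[36:4] == 0x00112233 and udp[40:2] == 0x4455`. Because the filter keys on chaddr rather than the Ethernet destination, it still catches the reply when the server broadcasts it to ff:ff:ff:ff:ff:ff, which is the case the post says defeats an `ether dst host` filter; it does, however, also match a relayed reply whose UDP source port is 67, so check the `bootp.hw.addr` display filter in Ethereal if the trace includes a relay agent.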