tcpdump mailing list archives

Re: How to print BOOTP/DHCP packets


From: Guy Harris <guy () alum mit edu>
Date: Thu, 7 May 2009 09:24:49 -0700


On May 7, 2009, at 7:34 AM, Javier Gálvez Guerrero wrote:

> I want to get the information included in bootp/dhcp packets captured
> through tcpdump. I tried adding -v, -vv and -vvv options to the issued
> command but all the information I got was like this:

        ...

> I know that more information could be printed due to print-bootp.c file,
> which loops through all existing dhcp options, but I don't know how to do
> it. Could anyone point me to the right tcpdump option, please?

The right option is "-s".  "-s 0", to be precise:

>         pike:/home/dulceangustia/tcpdump-4.0.0# tcpdump -i ra0 port bootps -vvv

The lack of a "-s" option means the default snapshot length will be used; in tcpdump 4.0 and previous versions, it's 96 bytes for versions of tcpdump that include IPv6 support and 68 bytes for versions that don't. That means only the first 68 or 96 bytes of the packet are supplied to tcpdump.

> tcpdump: listening on ra0, link-type EN10MB (Ethernet), capture size 96 bytes

"capture size 96 bytes" means that the snapshot length is, indeed, 96 bytes.

> 15:55:05.002857 IP (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto
> UDP (17), length 328)
>            0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from
> 00:1c:f0:0f:fb:84 (oui Unknown), length 300, xid 0x400a6f75, Flags [none]
> (0x0000)
>              Client-Ethernet-Address 00:1c:f0:0f:fb:84 (oui Unknown) [|bootp]
> 15:55:05.014049 IP (tos 0x0, ttl 64, id 28669, offset 0, flags [none], proto
> UDP (17), length 328)

"|bootp" means that the bootp print routines ran into the end of the captured data and stopped.

Try

        tcpdump -i ra0 -vvv -s 0 port bootps

so that tcpdump sees all the data in each packet.

-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
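
Why a 96-byte snapshot never reaches the DHCP options, as an added example (not code from tcpdump or from the post above). It assumes an Ethernet frame with a 20-byte IPv4 header and an 8-byte UDP header in front of the BOOTP payload; `bootp_caplen`, `count_dhcp_options` and `build_sample` are hypothetical names, and the sample packet is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HDRS_LEN    42   /* assumed: Ethernet 14 + IPv4 20 (no IP options) + UDP 8 */
#define BOOTP_FIXED 236  /* fixed BOOTP header, op through file (RFC 951) */

/* BOOTP bytes left after the snapshot length is applied ("-s 0" = whole packet). */
size_t bootp_caplen(size_t wire_len, size_t snaplen)
{
    size_t cap = snaplen > HDRS_LEN ? snaplen - HDRS_LEN : 0;
    return (snaplen == 0 || cap > wire_len) ? wire_len : cap;
}

/* Options fully captured; -1 = ran off the captured data, tcpdump's "[|bootp]". */
int count_dhcp_options(const uint8_t *bootp, size_t wire_len, size_t snaplen)
{
    static const uint8_t cookie[4] = { 99, 130, 83, 99 };   /* RFC 2131 magic cookie */
    size_t caplen = bootp_caplen(wire_len, snaplen), off = BOOTP_FIXED + 4;
    int n = 0;
    if (caplen < off) return caplen < wire_len ? -1 : 0;
    if (memcmp(bootp + BOOTP_FIXED, cookie, 4) != 0) return 0;  /* plain BOOTP */
    while (off < caplen) {
        if (bootp[off] == 255) return n;                /* End option */
        if (bootp[off] == 0) { off++; continue; }       /* Pad option */
        if (off + 2 > caplen || off + 2 + bootp[off + 1] > caplen) return -1;
        off += 2 + bootp[off + 1];
        n++;
    }
    return caplen < wire_len ? -1 : n;
}

/* Constructed 300-byte request (length from the page's output); options are made up. */
void build_sample(uint8_t *buf)
{
    static const uint8_t opts[] = { 99,130,83,99, 53,1,1, 55,4,1,3,6,15, 255 };
    memset(buf, 0, 300);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;   /* BOOTREQUEST, Ethernet, hlen 6 */
    memcpy(buf + BOOTP_FIXED, opts, sizeof opts);
}

int main(void)
{
    uint8_t pkt[300];
    size_t snaps[] = { 68, 96, 0 };
    build_sample(pkt);
    for (int i = 0; i < 3; i++)
        printf("-s %zu: options=%d\n", snaps[i], count_dhcp_options(pkt, 300, snaps[i]));
    return 0;
}
```

Under these assumptions a 96-byte snapshot leaves 54 bytes of BOOTP payload, which ends just past the 16-byte client hardware address field at offsets 28 to 43, while the options only begin at offset 240.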

