Watch dump dhcp requests on local network
- 30 Nov 2017: Post was created (diff)
I am already connected to the local network, and I’m about to plug in a new, headless, device on the network. Since there are several other devices on the network, it’s not trivial to find the IP address of it using
Start dumping all DHCP traffic on the local network. Here, my network interface is
enp3s0, and using
-n to avoid hostname resolution and
-e to also dump the link-layer address (MAC address) of the hosts.
First I’m starting
tcpdump, then I’m plugging in the device
# tcpdump -nei enp3s0 port 67 or port 68 23:00:12.566761 9a:a6:02:00:00:00 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 381: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 9a:a6:02:00:00:00, length 339
DHCP is using TCP ports 67 and 68
Right after plugging it in, traffic appears. Now, I can run
arp-scan on the same interface to map it to an IP address. Filtering through
grep to reduce amount of output.
# arp-scan -lI enp3s0 | grep 9a:a6:02:00:00:00 10.10.3.146 9a:a6:02:00:00:00 (Unknown)