Watch dump dhcp requests on local network

Revision history
Tags: tcpdump network

I am already connected to the local network, and I’m about to plug in a new, headless, device on the network. Since there are several other devices on the network, it’s not trivial to find the IP address of it using arp-scan alone.

Start dumping all DHCP traffic on the local network. Here, my network interface is enp3s0, and using -n to avoid hostname resolution and -e to also dump the link-layer address (MAC address) of the hosts.

First I’m starting tcpdump, then I’m plugging in the device

# tcpdump -nei enp3s0 port 67 or port 68
23:00:12.566761 9a:a6:02:00:00:00 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 381: > BOOTP/DHCP, Request from 9a:a6:02:00:00:00, length 339

DHCP is using TCP ports 67 and 68

Right after plugging it in, traffic appears. Now, I can run arp-scan on the same interface to map it to an IP address. Filtering through grep to reduce amount of output.

# arp-scan -lI enp3s0 | grep 9a:a6:02:00:00:00	9a:a6:02:00:00:00	(Unknown)


If you have any comments or feedback, please send me an e-mail. (stig at stigok dotcom).

Did you find any typos, incorrect information, or have something to add? Then please propose a change to this post.

Creative Commons License This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.