tcpdump commands

Capture DHCP requests

PXE pxedhcp01 ~ # tcpdump -i eth1 \(port 67 or port 68\)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
16:12:28.564974 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:28.565003 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:28.565449 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:28.565545 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:32.602043 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:32.602119 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:32.602353 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:32.602537 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:36.666578 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:36.666629 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:36.666911 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:36.667052 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
^C
12 packets captured
12 packets received by filter
0 packets dropped by kernel
PXE pxedhcp01 ~ #

An alternative that listens on all interfaces (-i any), skips name resolution (-n), and also includes port 69:

tcpdump -n -i any port 67 or port 68 or port 69
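
A capture like the one above can also be checked for replies from DHCP servers that should not be on the segment. The following is an added example, not part of the original page: it parses tcpdump's one-line output, counts replies per server and requests per client MAC, and marks any replying server that is not on an allow-list. The function names, the allow-list argument and the 192.0.2.55 sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise DHCP traffic from tcpdump one-line output and flag
# replies from servers that are not on an allow-list (hypothetical helper names).

# Constructed sample: lines in the format shown above, plus one made-up reply.
sample_capture() {
    cat <<'EOF'
16:12:28.564974 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:28.565449 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
16:12:28.570112 IP 192.0.2.55.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
16:12:32.602043 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:21:5e:09:60:80 (oui Unknown), length 548
16:12:32.602353 IP 10.30.71.10.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 316
EOF
}

# Usage: tcpdump -n -c 200 -i eth1 port 67 or port 68 | dhcp_reply_sources "10.30.71.10"
# $1 = space-separated list of authorised DHCP server IPs (use -n so IPs are printed)
dhcp_reply_sources() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Reply lines: TIME IP SRC.port > DST.port: BOOTP/DHCP, Reply, length N
        $2 == "IP" && /BOOTP\/DHCP, Reply/ {
            src = $3
            sub(/\.[^.]*$/, "", src)    # strip the trailing source port
            count[src]++
        }
        # Request lines carry the client MAC right after the word "from"
        $2 == "IP" && /BOOTP\/DHCP, Request from/ {
            for (i = 1; i <= NF; i++) if ($i == "from") clients[$(i + 1)]++
        }
        END {
            for (s in count)
                printf "%s server=%s replies=%d\n", (s in ok) ? "OK" : "UNEXPECTED", s, count[s]
            for (c in clients)
                printf "CLIENT mac=%s requests=%d\n", c, clients[c]
        }
    ' | sort    # awk array order is unspecified, so sort for stable output
}

sample_capture | dhcp_reply_sources "10.30.71.10"
```

The summary is printed when the input ends, so bound the capture with -c or feed it saved output rather than stopping tcpdump with ^C.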

Capture specific MAC address

tcpdump "ether host 00:14:5e:3c:93:ea"

Capture all traffic except ssh

tcpdump -n -i eth0 not port ssh
