Friday, 04 March 2016 01:47

DHCP Filters using TCPDump to extract IP and Mac Address


TCPDump filter DHCP Requests

Extract Requested IP Address and client Mac Address during the DHCP Handshake

This page is always updated and may change without any notice.  It is a personal collection of links, information, tips & tricks, and guides for the given subject as I explore new ideas and projects.

 

Basic TCPDump Capture Filters

Capture using TCPDump

sudo tcpdump -ni wlan0 -vvv

 

Capture using TCPDump writing to file

sudo tcpdump -ni wlan0 -vvv -w test1.pcap

 

Capture using TCPDump with capture filter udp port 67 or 68

sudo tcpdump -ni wlan0 -vvv 'udp port 67 or udp port 68'

 

Capture using TCPDump with capture filter udp port 67

sudo tcpdump -ni wlan0 -vvv 'udp port 67'

 

Capture using TCPDump with capture filter udp port 67 and BOOTP op = 1 (BOOTREQUEST), i.e. client-originated messages such as DHCP DISCOVER, REQUEST and INFORM. udp[8:1] is the first byte after the 8-byte UDP header, which is the BOOTP op field.

sudo tcpdump -ni wlan0 -vvv '((udp port 67) and (udp[8:1] = 0x1))'

 

Capture using TCPDump with capture filter udp port 67 and DHCP REQUEST (assuming option 53 will be the first option set). udp[247:4] reads four bytes starting at offset 247, counting from 0 at the start of the UDP header: 8 bytes of UDP header plus the 236-byte fixed BOOTP portion puts the magic cookie (0x63825363) at offsets 244-247, so the 248th octet (index 247) is the cookie's final 0x63, followed by option 53 (0x35), length 1, value 3 (DHCPREQUEST).

sudo tcpdump -ni wlan0 -vvv '((udp port 67) and (udp[247:4] = 0x63350103))'

This could omit results if the client does not send option 53 as its first option, since the match is tied to a fixed offset rather than walking the option list.
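To make the offset arithmetic above concrete, here is an added example (not part of the original post) that builds constructed DHCP payloads, reproduces the udp[247:4] = 0x63350103 check in Python, and then walks the option list properly so Requested-IP (option 50) and Client-ID (option 61) are still found when option 53 is not first. The MAC and IP values reuse the ones shown in this post; the packet layout is the standard BOOTP/DHCP one.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # follows the 236-byte fixed BOOTP header
UDP_HDR_LEN = 8                      # tcpdump's udp[] offsets start at the UDP header

def build_dhcp_payload(options, chaddr=bytes.fromhex("14b48487f9d9")):
    """Constructed UDP payload: fixed BOOTP fields (op=1 BOOTREQUEST), cookie, options, end."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x3903F326, 0, 0,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + MAGIC_COOKIE + body + b"\xff"

def fixed_offset_filter(payload):
    """Same test as the tcpdump filter udp[247:4] = 0x63350103."""
    udp = b"\0" * UDP_HDR_LEN + payload  # prepend a dummy UDP header so offsets line up
    return udp[247:251] == bytes.fromhex("63350103")

def parse_options(payload):
    """Walk the option TLVs after the cookie; returns {option code: raw value bytes}."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    i, opts = 240, {}
    while i < len(payload) and payload[i] != 0xFF:  # 0xFF = end option
        if payload[i] == 0:                          # pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def requested_ip_and_client_id(payload):
    """Return (requested IP, client MAC) for a DHCPREQUEST, else None."""
    opts = parse_options(payload)
    if opts.get(53) != b"\x03":                  # option 53 value 3 = DHCPREQUEST
        return None
    ip = ".".join(str(b) for b in opts[50])
    cid = opts[61]                                # first byte is hardware type (1 = ether)
    return ip, ":".join(f"{b:02x}" for b in cid[1:])

# Constructed samples: same REQUEST with option 53 first, then with it last
REQ_OPTS = [(50, bytes([192, 168, 138, 141])), (61, b"\x01" + bytes.fromhex("14b48487f9d9"))]
REQUEST_53_FIRST = build_dhcp_payload([(53, b"\x03")] + REQ_OPTS)
REQUEST_53_LAST = build_dhcp_payload(REQ_OPTS + [(53, b"\x03")])

if __name__ == "__main__":
    for name, pkt in (("53 first", REQUEST_53_FIRST), ("53 last", REQUEST_53_LAST)):
        print(name, fixed_offset_filter(pkt), requested_ip_and_client_id(pkt))
```

Running it shows the fixed-offset check only matches the first packet, while the option walker extracts the same IP and MAC from both.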

 

Piping TCPDump output

You need to add the flag -l (line-buffered stdout) to the tcpdump command when piping its output into another program. Without it, tcpdump's output is block-buffered when stdout is not a terminal, so nothing reaches grep until the buffer fills.

sudo tcpdump -ni wlan0 -vvv '((udp port 67) and (udp[8:1] = 0x1))' | grep -i 'requested-ip'

produces no output

 

sudo tcpdump -l -ni wlan0 -vvv '((udp port 67) and (udp[8:1] = 0x1))' | grep -i 'requested-ip'

produced

Requested-IP Option 50, length 4: 192.168.138.141

 

We want 2 lines of data, Requested-IP & Client-ID.

We add the flag -s 0 to TCPDump (to capture the entire packet, just in case) and -E to grep to allow multiple patterns.

sudo tcpdump -l -s 0 -ni wlan0 -vvv '((udp port 67) and (udp[8:1] = 0x1))' | grep -E -i 'requested-ip|client-id'

produced

Client-ID Option 61, length 7: ether 14:b4:84:87:f9:d9
Requested-IP Option 50, length 4: 192.168.138.141

 

To parse the information further: in both lines the value we want is the last field of a space-delimited string, so we use awk.

sudo tcpdump -l -s 0 -ni wlan0 -vvv '((udp port 67) and (udp[8:1] = 0x1))' | grep --line-buffered -E -i 'requested-ip|client-id' | awk '{print $NF}'

produced

14:b4:84:87:f9:d9
192.168.138.141

We added --line-buffered to the grep command to force each line out through the pipe immediately; awk's default field separator is whitespace, and $NF prints the last field.

 

Additional Information

TCPDump Man Page

http://www.tcpdump.org/tcpdump_man.html

 

TCPDump Man Page with examples

http://www.cyberciti.biz/howto/question/man/tcpdump-man-page-with-examples.php

 

Capture Filters

https://wiki.wireshark.org/CaptureFilters

 

TCPDump Advanced Filters

https://www.wains.be/pub/networking/tcpdump_advanced_filters.txt

 

PCAP Filters

https://www.wireshark.org/docs/man-pages/pcap-filter.html

 

Using Advanced PCAP Filters

https://support.f5.com/kb/en-us/solutions/public/2000/200/sol2289.html

 

PCAP capture file database - need to register with email address (check your spam folder)

http://www.pcapr.net/home

 

 

Last modified on Friday, 04 March 2016 18:46
Algis Salys

Creator and owner of algissalys.com.  Linux enthusiast, electronics tinkerer, and likes to spend time in the workshop building and creating new projects.