DHCP is used to dynamically allocate information to hosts on a network, such as the IP address, default gateway, and DNS server, as well as other information. It goes without saying then that troubleshooting DHCP is a common task for any network engineer.
Troubleshoot DHCP with Wireshark
There could be multiple reasons for DHCP issues, including:
- Software bugs
- Poor network design
- Firewall misconfigurations
- Users allocating their own IP addresses
- DHCP pool misconfiguration
- IP addresses not being released or renewed correctly
Troubleshooting DHCP can be tricky and time-consuming, but if you use the Wireshark packet sniffer tool, you should be able to quickly identify the cause of the issue and then resolve it.
This is one of the labs from our 101 Labs – Wireshark WCNA course.
Learn the more common DHCP problems
Learn how to detect and analyze the more common DHCP problems
Wireshark Network Analyzer on PC, Ethernet Switch/Router (cable/WiFi)
Please use the following topology to complete this lab exercise (a PC equipped with Wireshark connected via wireless/cable to a network router that has access to the Internet).
If DHCP doesn’t work properly, clients may not be able to obtain or maintain IP addresses or other client configuration, and one possible consequence is that the client cannot access the Internet.
One of the most common scenarios is displayed in the figure below:
One or more hosts on the network have statically assigned addresses, and the DHCP server is unaware of this. In this situation the server may offer an address that is already in use on the network, which causes problems because two hosts with the same IP address cannot coexist on the same network. The situation is displayed in the figure below:
In the network, “Client 2” has a static address IP1, while all the other clients have dynamic (DHCP-assigned) addresses.
When “Client n+1” joins the network, the DHCP server offers IP1 to the new client. The client can then perform a duplicate address test. If it finds another host using the same address, the DHCP client must decline the IP address provided in the DHCP Offer, and it is left with no IP address assigned.
A better alternative is that the DHCP server directly performs a duplicate address test (typically using ICMP Echo Requests) so that it can offer only IP addresses that are not already used on the network.
The situation described above is hard to recognize if we do not already know that the problem exists and if we approach DHCP with a Wireshark “Capture Filter” instead of analyzing all the traffic.
Suppose we capture traffic with the capture filter “port 67 or port 68” in order to capture only DHCP messages: in this situation we cannot observe either the duplicate address test (ICMP) made by the client or the ICMP duplicate test made by the DHCP server, so we miss the problem entirely.
The only thing we see is that the client declines the DHCP Offer, and we do not know why. The solution is to capture all the traffic and analyze it with Wireshark display filters.
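The following Python script is an added example, not part of the lab: it parses the DHCP option area of a constructed Offer/Decline exchange and correlates the Decline with the host that answered the duplicate-address probe, then shows that the same analysis over a “port 67 or port 68” capture filter has no evidence to work with (all frames, MACs and IPs below are constructed; the client probe is modelled as ARP, and ICMP replies are handled the same way).

```python
# Added example, not part of the lab; all frames are constructed.
from collections import namedtuple

MAGIC = b"\x63\x82\x53\x63"  # DHCP option magic cookie (RFC 2132)

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the TLV options after the magic cookie; stop at END (255)."""
    if not options.startswith(MAGIC):
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, len(MAGIC)
    while i < len(options) and options[i] != 255:
        if options[i] == 0:            # PAD has no length byte
            i += 1
            continue
        code, length = options[i], options[i + 1]
        out[code] = options[i + 2:i + 2 + length]
        i += 2 + length
    return out

def opt(code: int, payload: bytes) -> bytes:
    return bytes([code, len(payload)]) + payload

# proto: "udp" | "arp" | "icmp"; ports: (sport, dport) for UDP; info: decoded fields
Frame = namedtuple("Frame", "proto src_mac ports info", defaults=((), {}))
IP = "192.168.1.50"
TRACE = [  # Offer of IP, client probes it, static host answers, client declines
    Frame("udp", "aa:bb:cc:00:00:01", (67, 68),
          {"options": MAGIC + opt(53, b"\x02") + b"\xff"}),                # Offer
    Frame("arp", "aa:bb:cc:00:00:02", info={"op": "request", "ip": IP}),   # probe
    Frame("arp", "aa:bb:cc:00:00:99", info={"op": "reply", "ip": IP}),     # static host
    Frame("udp", "aa:bb:cc:00:00:02", (68, 67),
          {"options": MAGIC + opt(53, b"\x04") + opt(50, bytes([192, 168, 1, 50])) + b"\xff"}),  # Decline
]

def capture_filter(frames, ports=(67, 68)):
    """Emulates the capture filter 'port 67 or port 68': non-UDP frames are never saved."""
    return [f for f in frames if f.proto == "udp" and set(f.ports) & set(ports)]

def explain_declines(frames):
    """For each DHCP Decline, report the declined IP and the MAC that answered a probe for it."""
    findings = []
    for f in (x for x in frames if x.proto == "udp"):
        opts = parse_dhcp_options(f.info["options"])
        if opts.get(53) == b"\x04":                        # option 53 = 4 -> DHCPDECLINE
            declined = ".".join(str(b) for b in opts[50])  # option 50 = requested IP
            answers = [a.src_mac for a in frames if a.proto in ("arp", "icmp")
                       and a.info.get("op") == "reply" and a.info.get("ip") == declined]
            findings.append((declined, answers[0] if answers else None))
    return findings
```

Run `explain_declines(TRACE)` against the full trace to get the declined IP together with the MAC of the statically configured host; run it against `capture_filter(TRACE)` and the same Decline comes back with no explanation, which is exactly what the capture-filter approach shows you in Wireshark.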
The figure below shows some of the display filters available for the DHCP protocol: just open Wireshark and type “dhcp.” in the Display Filter toolbar; a dropdown menu listing all the DHCP display filters is displayed automatically:
Alternatively, click the “Expression” button on the right of the Display Filter toolbar, as shown in the figure below:
A popup window will appear: scroll down until the list of DHCP filters is visible and expand the tree view to show all the filters; then it is possible to build the most appropriate display filter manually:
Repeat the previous step, capturing the DHCP process either with a capture filter (port 67/68) or with a display filter, and try to find the differences between the two approaches.