I've been having intermittent issues on my home network over the past few weeks whereby IP addresses aren't being handed out to devices via DHCP. As a result I've been trying to troubleshoot the issue today using Wireshark by filtering for bootp packets. I'm using Wireshark on a MacBook Pro (late 2013) with a wired network connection, and have enabled promiscuous mode on the interface.

The problem is that I'm not seeing the full DHCP handshake in the packet capture. I see DHCP Discover and DHCP Request, but not the Offer or ACK when monitoring other devices requesting IPs on the network (such as an Apple iPhone, for example). The main issue is I'm seeing a load of NAK responses from my DHCP router, probably related to a DHCP conflict somewhere. I can see the Discover request, and somewhere an Offer is being made because I see the returning Request with an IP, but I just can't see that Offer packet in Wireshark.

Could it be that my MacBook isn't fully capable of monitoring all traffic? I guess that the Offer packet is being sent directly back to the device in question and isn't being broadcast out to all devices. However, can I or should I be able to see those packets in promiscuous mode? Is it just not possible to see packets between two remote devices using my MacBook? If that is the case, how can I monitor packets between two remote devices?

Thanks in advance!

asked 21 Nov '15, 06:33 jarrah
One Answer:
Right.
No, because promiscuous mode just means that the interface will let packets whose destination address is not its own get far enough to be seen by Wireshark, if they "physically" arrive to it. But the DHCP ACK for another device does not ever get to your Mac's Ethernet interface.
It depends on the type of interface.
answered 21 Nov '15, 06:52 sindy, edited 21 Nov '15, 06:56
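The answer's point, and the later comment about what a mirrored switch port can and cannot show, both come down to how DHCP replies are addressed: per RFC 2131 the server unicasts Offer and ACK to the client's MAC unless the client set the broadcast flag in its own message, while NAKs to a client with giaddr zero are broadcast, so a third-party observer typically sees Discover, Request and NAK but not Offer or ACK. The following Python is an added example, not code from this thread or from Wireshark: it parses BOOTP/DHCP payloads, groups them by transaction id and reports which handshake steps are missing and whether the client asked for broadcast replies. The sample packets are constructed inline, not captured.

```python
"""Parse DHCP/BOOTP payloads and report incomplete handshakes per transaction.

Added example, not from the ask.wireshark.org thread. The packets are
constructed below (not captured) and stand in for the UDP payloads a capture
tool would hand you. Layout follows RFC 2131 (header) and RFC 2132 (options).
"""
import struct
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BROADCAST_FLAG = 0x8000  # RFC 2131 4.1: client asks the server to broadcast replies
EXPECTED_STEPS = ("DISCOVER", "OFFER", "REQUEST", "ACK")


def build_dhcp(op, xid, mac, msg_type, yiaddr="0.0.0.0", broadcast=False):
    """Construct a minimal DHCP message (sample data for this demo only)."""
    flags = BROADCAST_FLAG if broadcast else 0
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, flags,
        b"\x00" * 4,                                # ciaddr
        bytes(int(o) for o in yiaddr.split(".")),   # yiaddr: address being offered/acked
        b"\x00" * 4, b"\x00" * 4,                   # siaddr, giaddr (0 = no relay)
        chaddr, b"\x00" * 64, b"\x00" * 128)        # chaddr, sname, file
    options = bytes([53, 1, msg_type, 255])         # option 53 = DHCP message type, 255 = end
    return header + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Parse the BOOTP header and DHCP options; return a dict, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = payload[28:28 + hlen].hex(":")
    msg_type = None
    i = 240
    while i < len(payload):                         # walk TLV options until the end marker
        tag = payload[i]
        if tag == 255:
            break
        if tag == 0:                                # pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if tag == 53 and length == 1:
            msg_type = MSG_TYPES.get(value[0], "type%d" % value[0])
        i += 2 + length
    return {"op": op, "xid": xid, "client_mac": chaddr, "yiaddr": yiaddr,
            "broadcast": bool(flags & BROADCAST_FLAG), "msg_type": msg_type}


def audit_transactions(payloads):
    """Group messages by xid and report which handshake steps were (not) seen."""
    seen = defaultdict(list)
    for p in payloads:
        msg = parse_dhcp(p)
        if msg and msg["msg_type"]:
            seen[msg["xid"]].append(msg)
    report = {}
    for xid, msgs in seen.items():
        types = [m["msg_type"] for m in msgs]
        report[xid] = {
            "steps": types,
            "missing": [s for s in EXPECTED_STEPS if s not in types],
            "nak": "NAK" in types,
            # If the client set the broadcast flag, Offer/ACK would be broadcast
            # and visible from any port; otherwise they are unicast to the client.
            "replies_broadcast": any(m["broadcast"] for m in msgs if m["op"] == 1),
            "lease": next((m["yiaddr"] for m in msgs if m["msg_type"] == "ACK"), None),
        }
    return report


# Constructed sample: our own lease (all four steps seen), another client's lease
# seen from a different switch port (only the broadcasts), and a NAKed request.
SAMPLE_PACKETS = [
    build_dhcp(1, 0x1111, "aa:bb:cc:00:00:01", 1),
    build_dhcp(2, 0x1111, "aa:bb:cc:00:00:01", 2, yiaddr="192.168.1.50"),
    build_dhcp(1, 0x1111, "aa:bb:cc:00:00:01", 3),
    build_dhcp(2, 0x1111, "aa:bb:cc:00:00:01", 5, yiaddr="192.168.1.50"),
    build_dhcp(1, 0x2222, "aa:bb:cc:00:00:02", 1),
    build_dhcp(1, 0x2222, "aa:bb:cc:00:00:02", 3),
    build_dhcp(1, 0x3333, "aa:bb:cc:00:00:03", 3),
    build_dhcp(2, 0x3333, "aa:bb:cc:00:00:03", 6),
]

if __name__ == "__main__":
    for xid, info in audit_transactions(SAMPLE_PACKETS).items():
        print("xid 0x%08x: %s" % (xid, info))
```

Run it as-is to see the three cases; to use it on a real capture, feed it the UDP payloads of port 67/68 packets (for example from a pcap reader) and look for transactions whose `missing` list contains OFFER or ACK while `replies_broadcast` is false: those are the unicast replies a switch will not deliver to your port, which is exactly what the answer above describes.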
Ahh ok thanks, I'll try monitoring packets via wifi on my MacBook then to see if that helps.
Also thank you for the useful explanation, much appreciated!
Hmm, looks like my wifi interface doesn't capture all packets, as it also can't see the Offer and ACK packets.
Looks like I need to see if there's any cheap switches for home use with port mirroring...
I think you should check the settings described here. Having no Mac, I cannot test myself. In brief, look for "monitor mode" checkbox in the Capture Options settings.
Thank you for the tip, I was able to see that Monitor Mode was disabled on my wifi adaptor. Unfortunately though, enabling it resulted in the same error as described here: https://ask.wireshark.org/questions/47125/cant-turn-on-monitor-mode-on-macbook-pro-with-wireshark-1999

I'm using v2.0.0, but before I troubleshoot further I'll try a reboot and will open a new thread if it still occurs.
Well, a reboot let me at least start capturing with Monitor Mode enabled, but it doesn't seem to capture data in the same way. For example, there are no IPs in Source and Destination, just MAC addresses. Also it doesn't capture any bootp packets, so I'm probably not using it right.
No worries though, I'll look into it, and failing that I've ordered a cheap 8-port managed switch with port mirroring to do the job: http://www.amazon.co.uk/gp/product/B00K4DS5KU
Thanks for your help!!
Just bear in mind that the switch can only help you debug the DHCP behaviour if you have another DHCP client device which has an Ethernet port. A switch (or hub, or tap) can only monitor traffic which passes through its ports, which is not the case for the DHCP Offer etc. sent to devices connected over WiFi, because even if the WiFi and Ethernet interfaces of your home router have a common IP address, internally the traffic is switched between them, i.e. unicast packets are only sent along the direct path to the destination, not to all physical interfaces.

But the WiFi monitoring showing nothing but MAC frames is weird; haven't you incidentally limited the capture size of the frames? Can you start a capture in monitoring mode and then switch your iPhone off and on to be sure that the initial DHCP Discover etc. takes place, and then post the capture and give a link here? At least the subject of the question would become more relevant to the contents ;-)
Heh, one important point is wireless encryption :-) No wonder you cannot see IP addresses if you've kept your WPA on.
Or read this and don't post anything.
Ahh, good point!
Yeah I'll use the switch to monitor my wired devices as they're suffering the DHCP problem as well. I'll get to the bottom of this issue one way or another. :)
Thanks for all your help!