I've been having intermittent issues on my home network over the past few weeks whereby IP addresses aren't being handed out to devices via DHCP. As a result I've been trying to troubleshoot the issue today using Wireshark by filtering for bootp packets.
I'm using Wireshark on a MacBook Pro (late 2013) with a wired network connection, and have enabled promiscuous mode on the interface.
The problem is that I'm not seeing the full DHCP handshake in the packet capture. I see DHCP Discover and DHCP Request, but not the Offer or ACK when monitoring other devices requesting IPs on the network (such as an Apple iPhone for example).
The main issue is I'm seeing a load of NAK responses from my DHCP router, probably related to a DHCP conflict somewhere. I can see the Discover request, and somewhere an Offer is being made because I see the returning Request with an IP, but I just can't see that Offer packet in Wireshark.
Could it be that my MacBook isn't fully capable of monitoring all traffic? I guess that the Offer packet is being sent directly back to the device in question and isn't being broadcast out to all devices. However, can I or should I be able to see those packets in promiscuous mode? Is it just not possible to see packets between two remote devices using my MacBook?
If that is the case, how can I monitor packets between two remote devices?
Thanks in advance!
asked 21 Nov '15, 06:33
No, because promiscuous mode just means that the interface will let packets whose destination address is not its own get far enough to be seen by Wireshark, if they "physically" arrive at it. But the DHCP ACK for another device does not ever get to your Mac's Ethernet interface.
It depends on the type of interface.
answered 21 Nov '15, 06:52
edited 21 Nov '15, 06:56
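
Added example (not part of the original question or answer): a small Python parser that reads a captured Discover or Request and applies the RFC 2131 section 4.1 rules for how a server addresses its reply. With the broadcast flag clear, Offers and ACKs are unicast to the client while NAKs are still broadcast, which is one reason a third machine on a switch can see NAKs but not Offers. The sample packets, MAC address and function names are constructed for illustration.

```python
import struct

MAGIC = bytes([99, 130, 83, 99])          # DHCP magic cookie, RFC 2131
ZERO = bytes(4)

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message (fixed header + options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    (flags,) = struct.unpack_from("!H", payload, 10)
    msg = {"broadcast": bool(flags & 0x8000),          # BOOTP broadcast bit
           "ciaddr": payload[12:16], "giaddr": payload[24:28],
           "chaddr": payload[28:28 + min(payload[2], 16)].hex(":"),
           "type": None}
    i = 240
    while i < len(payload) and payload[i] != 255:      # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        tag, length = payload[i], payload[i + 1]
        if tag == 53 and length == 1:                  # DHCP message type
            msg["type"] = payload[i + 2]
        i += 2 + length
    return msg

def reply_delivery(msg: dict, reply: str) -> str:
    """How a server sends `reply` ('OFFER', 'ACK' or 'NAK'), RFC 2131 section 4.1."""
    if msg["giaddr"] != ZERO:
        return "unicast to relay agent"
    if reply == "NAK":
        return "broadcast"                 # NAKs are broadcast when giaddr is 0
    if msg["ciaddr"] != ZERO:
        return "unicast to ciaddr"
    return "broadcast" if msg["broadcast"] else "unicast to client MAC"

def sample(msg_type: int, flags: int, ciaddr: bytes = ZERO) -> bytes:
    """Constructed test message: BOOTREQUEST from a made-up MAC address."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, flags)
    hdr += ciaddr + ZERO * 3 + bytes.fromhex("020000aabbcc").ljust(16, b"\0")
    return hdr + bytes(192) + MAGIC + bytes([53, 1, msg_type, 255])

if __name__ == "__main__":
    for name, pkt in [("Discover, B=0", sample(1, 0)),
                      ("Discover, B=1", sample(1, 0x8000))]:
        m = parse_dhcp(pkt)
        print(name, "-> Offer:", reply_delivery(m, "OFFER"),
              "| NAK:", reply_delivery(m, "NAK"))
```

Feed `parse_dhcp` the UDP payload of a Discover or Request from your own capture; only replies classified as broadcast will reach a capture host that is neither the client nor the server on a switched segment.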