I am new to using Wireshark, and I see a source computer IP address (removed actual IP address) that has destination as 255.255.255.255. I see this many times with this same computer in the Wireshark output when I use the bootp filter. What is going on with this computer? Is it malfunctioning? I am using bootp as a filter.
Thanks in advance for any help with this. Here is the output for one of the lines:
Frame 1070: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
    Interface id: 0 (\Device\NPF_{61CD5C01-EBFC-46A1-B953-C3286E5CD4A7})
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec 30, 2015 15:16:06.823921000 US Mountain Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1451513766.823921000 seconds
    [Time delta from previous captured frame: 0.000760000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 7.488743000 seconds]
    Frame Number: 1070
    Frame Length: 342 bytes (2736 bits)
    Capture Length: 342 bytes (2736 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Dell_f1:1c:42 (20:47:47:f1:1c:42), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: Dell_f1:1c:42 (20:47:47:f1:1c:42)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: IP Address, Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 328
    Identification: 0x7a24 (31268)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0xb414 [validation disabled]
    Source: IP Address
    Destination: 255.255.255.255
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 68 (68), Dst Port: 67 (67)
    Source Port: 68
    Destination Port: 67
    Length: 308
    Checksum: 0x6847 [validation disabled]
    [Stream index: 67]
Bootstrap Protocol (Inform)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xbe7f61ba
    Seconds elapsed: 0
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
    Client IP address: IP Address
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_f1:1c:42 (20:47:47:f1:1c:42)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Inform)
    Option: (61) Client identifier
    Option: (12) Host Name
asked 31 Dec '15, 08:03
techygal
edited 31 Dec '15, 08:18
grahamb ♦
It is only one computer that I see doing this.
Wireshark tells you what happens; you have to find out yourself why it happens.
As @grahamb wrote, look at the complete DHCP working principle. E.g. the discovery message is sent to a broadcast IP (255.255.255.255) normally and on purpose, i.e. use of broadcast IP as destination is not wrong as such.
There are many reasons why the computer may send DHCP messages to broadcast IP repeatedly - e.g., your DHCP server may ignore it. To learn more, i.e. to identify the reason and eventually the guilty equipment/configuration, you have to capture at the DHCP server (or the switch port it is connected to) and at that computer (or the switch port it is connected to) and see what happens and at which stage things go wrong.
I'd guess that in your case, the DHCP server ignores the DHCPinform message because there is no source IP in it, so you have to find out why it is missing. Or maybe there is simply no DHCP server in your network and the network adaptor of the computer in question is configured to obtain an IP address dynamically? Maybe because you have configured one network adaptor with a static IP and connected another adaptor to the network by mistake?
Without a description of the network topology and a capture of the DHCP traffic at the computer in question, you cannot expect more than guesses from the community.
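An added example, not part of the original answer or of Wireshark: a minimal Python parser for the BOOTP/DHCP payload that groups messages by transaction ID and lists client messages that never received a server reply, which is the comparison the answer suggests making on captures taken at the client and at the server. The sample payloads are constructed; 192.0.2.10, the second host and all function names are assumptions.

```python
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"          # DHCP magic cookie at offset 236
TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK", 8: "Inform"}

def parse_dhcp(payload):
    """Parse the UDP payload of a BOOTP/DHCP message (RFC 2131 fixed header)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    msg_type, i = None, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                              # 0 = Pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1 and i + 2 < len(payload):
            msg_type = TYPES.get(payload[i + 2], str(payload[i + 2]))
        i += 2 + length
    return {"op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
            "ciaddr": ".".join(map(str, payload[12:16])),
            "mac": payload[28:28 + min(hlen, 16)].hex(":"), "type": msg_type}

def unanswered(payloads):
    """Client messages (op=1) whose transaction ID never saw a server reply (op=2)."""
    by_xid = defaultdict(list)
    for p in payloads:
        m = parse_dhcp(p)
        by_xid[m["xid"]].append(m)
    return [m for msgs in by_xid.values()
            if not any(x["op"] == 2 for x in msgs) for m in msgs]

def build(op, xid, flags, ciaddr, mac, msg_type):
    """Build a minimal DHCP payload; used only for the constructed sample."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)
    fixed += bytes(ciaddr) + bytes(12) + mac + bytes(10) + bytes(192)
    return fixed + MAGIC + bytes([53, 1, msg_type, 255])

# Constructed sample. The first message copies the xid, flags and MAC shown in the
# question; 192.0.2.10 stands in for the redacted client address. The other two
# are an invented Inform/ACK pair from a second host, for contrast.
SAMPLE = [
    build(1, 0xBE7F61BA, 0x8000, (192, 0, 2, 10), bytes.fromhex("204747f11c42"), 8),
    build(1, 0x00000A01, 0x0000, (192, 0, 2, 20), bytes.fromhex("020000000001"), 8),
    build(2, 0x00000A01, 0x0000, (192, 0, 2, 20), bytes.fromhex("020000000001"), 5),
]

if __name__ == "__main__":
    for m in unanswered(SAMPLE):
        print(f"no reply: {m['type']} xid=0x{m['xid']:08x} mac={m['mac']} ciaddr={m['ciaddr']}")
```

Running the same check on UDP payloads exported from a capture at the client and then from one at the DHCP server shows on which side the reply goes missing.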