This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Computer malfunctioning on network?


I am new to using Wireshark, and I see a source computer IP address (removed actual IP address) that has the destination 255.255.255.255. I see this many times with this same computer in the Wireshark output when I use the bootp filter. What is going on with this computer? Is it malfunctioning? I am using bootp as a filter.

Thanks in advance for any help with this. Here is the output for one of the lines:

Frame 1070: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface 0
    Interface id: 0 (\Device\NPF_{61CD5C01-EBFC-46A1-B953-C3286E5CD4A7})
    Encapsulation type: Ethernet (1)
    Arrival Time: Dec 30, 2015 15:16:06.823921000 US Mountain Standard Time
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1451513766.823921000 seconds
    [Time delta from previous captured frame: 0.000760000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 7.488743000 seconds]
    Frame Number: 1070
    Frame Length: 342 bytes (2736 bits)
    Capture Length: 342 bytes (2736 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:bootp]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Dell_f1:1c:42 (20:47:47:f1:1c:42), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: Dell_f1:1c:42 (20:47:47:f1:1c:42)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: IP Address, Dst: 255.255.255.255
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    Total Length: 328
    Identification: 0x7a24 (31268)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (17)
    Header checksum: 0xb414 [validation disabled]
    Source: IP Address
    Destination: 255.255.255.255
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 68 (68), Dst Port: 67 (67)
    Source Port: 68
    Destination Port: 67
    Length: 308
    Checksum: 0x6847 [validation disabled]
    [Stream index: 67]
Bootstrap Protocol (Inform)
    Message type: Boot Request (1)
    Hardware type: Ethernet (0x01)
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0xbe7f61ba
    Seconds elapsed: 0
    Bootp flags: 0x8000, Broadcast flag (Broadcast)
    Client IP address: IP Address
    Your (client) IP address: 0.0.0.0
    Next server IP address: 0.0.0.0
    Relay agent IP address: 0.0.0.0
    Client MAC address: Dell_f1:1c:42 (20:47:47:f1:1c:42)
    Client hardware address padding: 00000000000000000000
    Server host name not given
    Boot file name not given
    Magic cookie: DHCP
    Option: (53) DHCP Message Type (Inform)
    Option: (61) Client identifier
    Option: (12) Host Name

asked 31 Dec '15, 08:03

techygal

edited 31 Dec '15, 08:18

grahamb ♦


One Answer:


The IPv4 address 255.255.255.255 is the broadcast address for the zero network, which by convention is the local network. See also here.

DHCP makes use of broadcast addresses in some phases of the protocol, see RFC 2131 for more info.

answered 31 Dec '15, 08:49

grahamb ♦

edited 31 Dec '15, 09:06

It is only one computer that I see doing this.

(31 Dec '15, 14:28) techygal

Wireshark tells you what happens; you have to find out yourself why it happens.

As @grahamb wrote, look at the complete DHCP working principle. E.g. the discovery message is sent to a broadcast IP (255.255.255.255) normally and on purpose, i.e. use of broadcast IP as destination is not wrong as such.

There are many reasons why the computer may send DHCP messages to broadcast IP repeatedly - e.g., your DHCP server may ignore it. To learn more, i.e. to identify the reason and eventually the guilty equipment/configuration, you have to capture at the DHCP server (or the switch port it is connected to) and at that computer (or the switch port it is connected to) and see what happens and at which stage things go wrong.

I'd guess that in your case, the DHCP server ignores the DHCPinform message because there is no source IP in it, so you have to find out why it is missing. Or maybe there is simply no DHCP server in your network and the network adaptor of the computer in question is configured to obtain IP address dynamically? Maybe because you have configured one network adaptor with static IP and connected another adaptor to the network by mistake?

Without a description of the network topology and a capture of the DHCP traffic at the computer in question, you cannot expect more than guesses from the community.

(01 Jan '16, 04:24) sindy
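The two points made above, that a DHCP client addressing 255.255.255.255 is normal protocol behaviour and that the useful next step is to pair each client request with the server's reply, can be checked mechanically. The following Python is an added example and is not code from the thread or from Wireshark. It decodes the UDP payload of a BOOTP/DHCP packet (the fixed RFC 951 header plus the RFC 2132 option list) and then walks a list of payloads in capture order, reporting clients whose DHCPINFORM requests never get a DHCPACK with the same transaction ID. A DHCPINFORM with the Broadcast flag set and `ciaddr` filled in, as in the capture posted in the question, is what RFC 2131 section 3.4 prescribes for a host that already has an address (for example a static one) and only wants configuration parameters, so the packet by itself is not a fault; a client that keeps repeating it without ever being answered is the thing to investigate. The sample packets are constructed: the MAC address and transaction ID are taken from the posted capture, `192.0.2.10` stands in for the redacted client address, and the second client and the server are invented for contrast.

```python
import struct
from collections import Counter

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131: "DHCP" magic cookie after the BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
BROADCAST_FLAG = 0x8000                      # the "Bootp flags: 0x8000" shown in the capture


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed BOOTP header (RFC 951) and the DHCP option list (RFC 2132).

    `payload` is the UDP payload only, i.e. what Wireshark labels
    "Bootstrap Protocol"; the Ethernet/IP/UDP headers are not included."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    pkt = {
        "op": op, "xid": xid, "secs": secs,
        "broadcast": bool(flags & BROADCAST_FLAG),
        "ciaddr": ip_str(payload[12:16]),   # client's own address; set in an INFORM
        "yiaddr": ip_str(payload[16:20]),   # address the server offers/assigns; 0.0.0.0 for INFORM/ACK
        "siaddr": ip_str(payload[20:24]),
        "giaddr": ip_str(payload[24:28]),
        "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        pkt["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = pkt["options"].get(53, b"\x00")[0]   # option 53 = DHCP Message Type
    pkt["msg_type"] = MSG_TYPES.get(mtype, "UNKNOWN")
    return pkt


def build_dhcp(op, xid, flags, ciaddr, yiaddr, chaddr, options) -> bytes:
    """Assemble a minimal DHCP payload; used here only to construct the sample packets."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)    # htype=Ethernet, hlen=6, hops=0, secs=0
    hdr += bytes(int(x) for x in ciaddr.split("."))
    hdr += bytes(int(x) for x in yiaddr.split("."))
    hdr += b"\x00" * 8                                            # siaddr, giaddr
    hdr += bytes.fromhex(chaddr.replace(":", "")) + b"\x00" * 10  # chaddr padded to 16 bytes
    hdr += b"\x00" * 192                                          # sname + file, "not given"
    body = MAGIC_COOKIE
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + body + b"\xff"


def unanswered_informs(payloads) -> dict:
    """Pair each DHCPINFORM with a DHCPACK carrying the same xid.

    Returns {chaddr: number of INFORMs that got no ACK}. A client that keeps
    showing up here is the one to capture at, together with the DHCP server."""
    pending = {}                   # xid -> chaddr of an INFORM still waiting for its ACK
    unanswered = Counter()
    for raw in payloads:
        pkt = parse_dhcp(raw)
        if pkt["msg_type"] == "INFORM":
            if pkt["xid"] in pending:          # resent before any reply arrived
                unanswered[pending[pkt["xid"]]] += 1
            pending[pkt["xid"]] = pkt["chaddr"]
        elif pkt["msg_type"] == "ACK":
            pending.pop(pkt["xid"], None)
    for chaddr in pending.values():            # still waiting at end of capture
        unanswered[chaddr] += 1
    return dict(unanswered)


# Constructed sample traffic. DELL_MAC and the xid come from the posted capture;
# the client address is a placeholder for the redacted one; OTHER_MAC and the
# server are invented so that an answered INFORM appears alongside the unanswered ones.
DELL_MAC = "20:47:47:f1:1c:42"
DELL_CIADDR = "192.0.2.10"
OTHER_MAC = "02:00:00:00:00:01"


def inform(xid, ciaddr, mac):
    return build_dhcp(1, xid, BROADCAST_FLAG, ciaddr, "0.0.0.0", mac,
                      [(53, b"\x08"),                                            # DHCPINFORM
                       (61, b"\x01" + bytes.fromhex(mac.replace(":", ""))),     # Client identifier
                       (12, b"host")])                                           # Host Name


def ack(xid, ciaddr, mac):
    return build_dhcp(2, xid, 0, ciaddr, "0.0.0.0", mac,
                      [(53, b"\x05"), (54, bytes([192, 0, 2, 1]))])              # DHCPACK, server id


SAMPLE_PAYLOADS = [
    inform(0xbe7f61ba, DELL_CIADDR, DELL_MAC),
    inform(0x1111, "192.0.2.20", OTHER_MAC),
    ack(0x1111, "192.0.2.20", OTHER_MAC),
    inform(0xbe7f61ba, DELL_CIADDR, DELL_MAC),
    inform(0xbe7f61ba, DELL_CIADDR, DELL_MAC),
]

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_PAYLOADS[0]))
    print(unanswered_informs(SAMPLE_PAYLOADS))   # {'20:47:47:f1:1c:42': 3}
```

To run this over a real capture, export the BOOTP packets from Wireshark with the `bootp` filter and feed the UDP payloads to `unanswered_informs` in capture order; a capture taken at the DHCP server's switch port as well as at the client will show whether the INFORMs are reaching the server at all or are reaching it and being ignored.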