Capture full DHCP or DHCPv6 sequence

JKnott

When solving DHCP problems a packet capture of the full DHCP sequence can be useful. A packet capture of UDP port 67 or 68 on IPv4 or 546 or 547 on IPv6 during boot up will capture the full sequence. There are two ways to accomplish the capture.

Use a data tap inserted between pfSense and the modem, connected to a computer running Wireshark, during boot up
Use the pfSense Packet Capture

To use Packet Capture

shut down pfSense and disconnect the WAN cable
Reboot pfSense and start Packet Capture
Connect the WAN cable and let Packet Capture run for a couple of minutes.

johnpoz

@jknott said in Capture full DHCP or DHCPv6 sequence:

Use a data tap inserted between pfSense and the modem

While this is valid way to do it if you don't already have the ability.. If you happen to have managed switch already that most users I would think do.. Just run the connection through your already existing switch. If you have the spare ports.. Now you have a perm tap no need to ever move anything around.

Then you can span a port and sniff if so desired. If you set this up now, you have it whenever you might need it.

Just because you use your switch to handle your lan side, doesn't mean you can't leverage it for your wan side traffic as well. Just create a new vlan on the switch for the ports, untagged - I use vlan 99 on my switch.

JKnott

@johnpoz

I carry my 5 port switch in my computer bag where it's handy for use as a data tap or just a plain switch. Also, when you're at someone else's site, you can't assume you can use their switch for this.

BTW, I don't have any spare ports on my Cisco 8 port switch for the WAN side.

johnpoz

@jknott Not disagreeing with ;)

Just saying for your own setup, leveraging your own existing switches can act as the tap..

If what you want is just a tiny tap you can take with you.. The unifi flex mini is super small, 5 ports. And you can power it of usb batter bank.. Now you will have to setup the ports to be mirrored before. But need a tiny little tap for your bag, that you can power of your off your little battery pack, or more than likely right off your laptop usb port..

Runs like $30...

JKnott

@johnpoz said in Capture full DHCP or DHCPv6 sequence:

The unifi flex mini

Other than USB power, that switch gets me nothing I don't already have.

johnpoz

@jknott its TINY!!! guarantee is smaller than whatever 5 port switch you have in your bag now..

Didn't say you had to get rid of yours and use this.. I am pointing out for others reading your thread about using a switch as a tap...