Using packet capture to view DHCP discover , offer , request and ACK packet

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Using packet capture to view DHCP discover , offer , request and ACK packet

L4 Transporter

how can we view DHCP discover , offer , request and ACK packet 

 

Thanks in advance,

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |
4 REPLIES 4

Cyber Elite
Cyber Elite

You can see all if dhcp server and client are in diferent subnets so those packets pass Palo or if Palo itself is dhcp server.

If server and client are in same subnet then discover is broadcast but from then on server sends response directly to client and devices standing by don't see this (unless you use mirror port is switch).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

thanks but I am looking for specific command we can run on palo alto to view DORA exchange.

 

for example using tcpdump -i <interface> port 67 we get that information.

SD-WAN | Cloud Networking | PCNSE | ICSI CNSS | MCNA | | CCNP | CCSA | SPSP | SPSX | F5-101 |

You can setup a specific security rule to just look for the DHCP application. This way the traffic will display in the Traffic logs. Also if I remember my DHCP correctly, the client send the request to the DHCP server over port 67 but then the server replies over port 68.

 

Regards,

Hi,

 

You won't see the specific packets in the traffic logs, but if it's for diagnostic purpose, you can start a capture from the GUI and specify the DHCP ports as the filter. You will be able to download the resulting capture and analyze it in Wireshark.

 

Benjamin

  • 6361 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!