Trying to capture DHCP packets (discover, offer, request, ack)

asked 2020-02-18 19:56:20 +0000

updated 2020-02-19 11:21:35 +0000

grahamb gravatar image

I'm having issues with IoT devices, specifically Lifx bubs.

when I first turn on the bulbs, they connect well...

then after a period of time the device are not connected to the network.

I do see in the system log file, the device is discovered, offer, and then nothing else, but the discover and offer are repeated again and again. SO the device never get connected.

So I'm trying to capture the packets with Wireshark now.

I set the screen display filter to DHCP.

I only get the Discover, and Offer request, but no ACK.

Any suggestions? I know they are there... when you first turn on the bulb.

Where is the capture being done (on the DHCP server?) and what type of network is it (WiFi, switched, ?)?

Chuckc gravatar imageChuckc ( 2020-02-18 20:07:07 +0000 )edit

All my bulbs are on 2.4 connected to one of four access points. Each access point is teathered to the main router. The desktop I’m using Wireshark on is on a switch connected to the main router.

Should I move the desktop connection to the main router?

dcalcutt gravatar imagedcalcutt ( 2020-02-18 23:50:48 +0000 )edit

answered 2020-02-19 04:47:36 +0000

Chuckc gravatar image

The destination ethernet address for DHCP can be the broadcast address (ff:ff:ff:ff:ff:ff)or a specific device MAC address. See the DHCP RFC ( for info about when unicast and broadcast addresses are valid.

A switch only sends packets out a port that are either addressed to the attached device or to the broadcast address. Any DHCP packets being sent to the bulb MAC addresses won't be sent to the desktop switch port.

Moving the desktop to the router will help but you will also need to configure that port to be a Monitor port to see all traffic. Capture configuration and when to use a Monitor port are covered here:

