TCP Dump DHCP Details Missing

[ds5686920]

Hi, I did an hour tcpdump for Firewalla since I am having problems with a Honeywell/Resideo Redlink Gateway (RG) freezing when using Firewalla Gold DHCP Server. So I attached the RG to a RT-AC68U, where the RG runs fine, running Merlin and installed tcpdump application. I ran the tcpdump for 1 hour rebooting the RG twice so many details on DHCP records should be recorded. I sent the tcpdump log to Firewalla but the tech support said he didn't see full DHCP details he needs to troubleshoot further. Shouldn't the Merlin tcpdump show the full details? Thx

 

[ColinTaylor]

You probably have to disable hardware acceleration on the RT-AC68U otherwise tcpdump won't be able to see all the packets. On the other hand that should only effect LAN to WAN traffic, so shouldn't stop you seeing traffic destined for the RT-AC68U's DHCP server. What was the tcpdump command you were using?

P.S. There was a long and painful discussion about a Redlink Gateway here. Maybe some of that thread is relevant to your problem.

 

[ds5686920]

Poked around but don't see how to disable HW Acceleration. Please do tell. Thx

 

[ColinTaylor]

It may already be disabled automatically. Check it's status at Tools - System Information > HW acceleration. You can disable it at LAN - Switch Control.

 

[ds5686920]

It was enabled per the hardware report screen. Just disabled and will re-run tcpdump. Thank you!

 

[ds5686920]

The tcpdump done after disabling HW Acceleration doesn't have any 'DHCP' records. Why would this be? I rebooted Redlink Gateway three times during the dump.

 

[ColinTaylor]

Show us the tcpdump command you're using.

How is the Redlink Gateway connected to the router?

 

[ds5686920]

Not sure what happened but re-running the tcpdump is now showing DHCP records; I did toggle the HW Acc again. The RG is connected by ethernet cable; it has no wifi. This is the command

tcpdump -i br0 -en 'ether src 48:a2:e6:7b:ad:45 || ether dst 48:a2:e6:7b:ad:45'

Shouldn't I see DISCOVERY, OFFER, REQUEST records?

 

[ColinTaylor]

Not sure what happened but re-running the tcpdump is now showing DHCP records; I did toggle the HW Acc again. The RG is connected by ethernet cable; it has no wifi. This is the command

tcpdump -i br0 -en 'ether src 48:a2:e6:7b:ad:45 || ether dst 48:a2:e6:7b:ad:45'

Shouldn't I see DISCOVERY, OFFER, REQUEST records?

I've just run the same command (adjusting the MAC address) on my RT-AX86U and the DORA entries were there. I've done similar things many times in the past on my old RT-AC68U and never had any problems.

16:31:37.219142 ec:1f:72:f8:4a:21 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 340: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:f8:4a:21, length 298
16:31:37.219639 f0:2f:74:92:37:d8 > ec:1f:72:f8:4a:21, ethertype IPv4 (0x0800), length 344: 192.168.1.1.67 > 192.168.1.186.68: BOOTP/DHCP, Reply, length 302
16:31:37.252158 ec:1f:72:f8:4a:21 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 352: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:1f:72:f8:4a:21, length 310
16:31:37.305246 f0:2f:74:92:37:d8 > ec:1f:72:f8:4a:21, ethertype IPv4 (0x0800), length 344: 192.168.1.1.67 > 192.168.1.186.68: BOOTP/DHCP, Reply, length 302

Obviously you have to write the output directly to a file to capture the complete records and be able to distinguish discover from request, etc.

 

[ds5686920]

Ah! Will do that. Thanks!

 

[ColinTaylor]

Ah! Will do that. Thanks!

P.S. I suggest you also use the -s0 -U parameters so that the data is written to the file immediately rather then being buffered.

 

[ds5686920]

I did 'tcpdump -I -s0 -U br0 -en 'ether src 48:a2:e6:7b:ad:45 || ether dst 48:a2:e6:7b:ad:45' > rt_ac68u_tcp_dump_20220911'

and got

tcpdump: -s0: No such device exists

(SIOCGIFHWADDR: No such device)

 

[ColinTaylor]

Syntax error. Try:

tcpdump -i br0 'ether src 48:a2:e6:7b:ad:45 || ether dst 48:a2:e6:7b:ad:45' -s0 -U -w rt_ac68u_tcp_dump_20220911

 

[ColinTaylor]

No that's completely wrong. You have changed the command from what I said it should be. You're just using your original command with "I" changed to "i". That's still syntactically incorrect.

 

[ds5686920]

Yes, I made a mistake that is why I deleted the post. Proper command is currently running OK. Thx!

 

[ds5686920]

To end file output, just want to make sure I should use Control + C. Or should I use another qualifier? Thx

 

[ColinTaylor]

Control + C is correct.

 

[ds5686920]

Wrote to disk OK Ejected USB then copied from USB file to MacOS using Paragon FS software. Gibberish in TextEdit. Does file write use a particular encoding?

Sample from file:
‘√≤°æcÉ$>>‘ƒ7’H¢Ê{≠EE0M@Ä]¿®û«>Tô÷ƪ˛_ípÓ≤®∆æcT≥::H¢Ê{≠E‘ƒ7’E,X)@ÔUÑ«>Tô¿®ûª÷Æ™ˇ!Ö˛_ì` ‹¥æcm¥<<‘ƒ7’H¢Ê{≠EE(N@Äd¿®û«>Tô÷ƪ˛_ì™ˇ!ÜPÓ
Êæcû∑jj‘ƒ7’H¢Ê{≠EE\O@Ä/¿®û«>Tô÷ƪ˛_ì™ˇ!ÜPÓ5ÇCBKPPRPB&H¢Ê{≠EåS˝D˚“‘€_µ$Rl`‚#´r‘ñÓ«úΩÂ1u«æc:[66H¢Ê{≠E‘ƒ7’E(X*@ÔUá«>Tô¿®ûª÷Æ™ˇ!ܲ_«P˙Øæch[jjH¢Ê{≠E‘ƒ7’E\X+@ÔUR«>Tô¿®ûª÷Æ™ˇ!ܲ_«P˙πûCBKPPRPB&H¢Ê{≠E©Q*∂Ç1ˡR¯Q63ÇøU0*-6Ö™qgÚĶDæcÑ[66H¢Ê{≠E‘ƒ7’E(X,@ÔUÖ«>Tô¿®ûª÷Æ™ˇ!∫˛_«P˙zæcï]<<‘ƒ7’H¢Ê{≠EE(P@Äb¿®û«>Tô÷ƪ˛_«™ˇ!ªPÓ
}æcï`<<‘ƒ7’H¢Ê{≠EE(Q@Äa¿®û«>Tô÷ƪ˛_«™ˇ!ªPÓ
|æcP˚66H¢Ê{≠E‘ƒ7’E(X-@ÔUÑ«>Tô¿®ûª÷Æ™ˇ!ª˛_»P˙y√c#>>‘ƒ7’H¢Ê{≠EE0R@ÄZ¿®û«>TóŒª}œ
pÓ:f∆√c8≥::H¢Ê{≠E‘ƒ7’E, Ç@Ô§-«>Tó¿®ûªŒt˛ÖÁ}œ` 5s¥√cP¥<<‘ƒ7’H¢Ê{≠EE(S@Äa¿®û«>TóŒª}œt˛ÖËPÓgB√c∑jj‘ƒ7’H¢Ê{≠EE\T@Ä,¿®û«>TóŒª}œt˛ÖËPÓå«CBKPPRPB&H¢Ê{≠E«·≤Öú ®)˙&ø)ÃaY˘Ç®ÌÔ+ñ˚2√c¿**H¢Ê{≠E‘ƒ7’‘ƒ7’¿®¿®û√c¡<<‘ƒ7’H¢Ê{≠EH¢Ê{≠E¿®û‘ƒ7’¿®√c[SjjH¢Ê{≠E‘ƒ7’E\ É@Ô£¸«>Tó¿®ûªŒt˛ÖË}œBP˙p+CBKPPRPB&H¢Ê{≠E5¬∆oÿ;“è.l√∑p]wjWV^‹Ëó≥IÓv éÅb√c:W66H¢Ê{≠E‘ƒ7’E( Ñ@Ô§/«>Tó¿®ûªŒt˛Ü}œBP˙q÷√cXW<<‘ƒ7’H¢Ê{≠EE(U@Ä_¿®û«>TóŒª}œBt˛ÜPÓfŸ√cRX<<‘ƒ7’H¢Ê{≠EE(V@Ä^¿®û«>TóŒª}œCt˛ÜPÓfÿ√cŒÁ66H¢Ê{≠E‘ƒ7’E( Ö@Ô§.«>Tó¿®ûªŒt˛Ü}œCP˙q’∆cc±>>‘ƒ7’H¢Ê{≠EE0W@ÄT¿®û«>TòÓ∞ª˛~ÆFpÓ‘∆∆cÕE::H¢Ê{≠E‘ƒ7’E,d@Ô©J«>Tò¿®ûªÓ∞Çò‹2˛~ÆG` ù˚¥∆cÊF<<‘ƒ7’H¢Ê{≠EE(X@Ä[¿®û«>TòÓ∞ª˛~ÆGÇò‹3PÓœ ∆c`N™™‘ƒ7’H¢Ê{≠EEúY@ÄˇÂ¿®û«>TòÓ∞ª˛~ÆGÇò‹3PÓãCBKPPRPPfˆûH¢Ê{≠Eı
yç˚U
Hw˝ù⁄7 ,ênZ´êN€ºò‘“R“¸ZA¸Ïìk˛zî∏˝?Ú©¢}º/⁄ïa≥(”™¥

 

[ColinTaylor]

The file is in the standard pcap format. Use tcpdump or Wireshark to read it.

 

[ds5686920]

Using Wireshark. Cool app. Thx!