DHCP process discrapiencies

wavebenderwavebender Posts: 6Member ■□□□□□□□□□

I'm working towards my CCENT which I'm planning to pass in two weeks. While studying I like to proof test theories described in books I'm reading. There is actually only one book which I use and it's from Wendell Odom. I also support my studies with INE.

I don't really have any problems with grasping the concept of the DHCP servers deployed locally or centralized DHCP servers that communicate over DHCP relay. My issue is when it comes to testing the theory. Wendell's book and what I found on Cisco website describe process of assigning IP addresses as follows:

1. DHCP client sends DHCP Discover broadcast to with source of and Client ID which is based on the MAC address.
2. DHCP server sends an DHCP Offer in form of broadcast to This message contains Client ID and IP address settings which are offered by the DHCP server (gw, subnet, dns, domain, tftp... etc.)
3. DHCP client sends a DHCP Request broadcast message to asking DHCP server to lease offered IP settings.
4. DHCP server sends a DHCP Ack broadcast to telling DHCP client that it can keep the IP settings provided via DHCP Offer message.

In short process goes as Discover -> Offer -> Request -> Ack.

This is where my issues with understanding the subject started.

I have 1921 with 2 x giga ports. I setup DHCP server, assigned some settings to the pool and assigned IP address to int g0/1 which is directly connected to my laptop running Wireshark. Laptop is running Win 10. When laptop's NIC get's UP it doesn't send DHCP Discover messages it just gets DHCP Offer and then receives DHCP Ack from the server. Both are from which happens to be int g0/1's IP address.

Question 1. Why I can't see DHCP Discover or DHCP Request messages? Is it possible that I setup my Wireshark incorrectly?

Opposite happens with another laptop (Win 10 - same ver) connected directly to my home non-Cisco router which came from local ISP I run another Wireshark test. Now I can see DHCP Discover and DHCP Request messages both send to from and Client ID but I can't see DHCP Offer or DHCP Ack which should be send from DHCP server.

Question 2. Why I can't see DHCP Offer and/or DHCP Ack when connected to non-Cisco router? Is it possible that I setup my Wireshark incorrectly?

Lastly I run [FONT=&quot]debug ip dhcp event[/FONT] and [FONT=&quot]debug ip dhcp[/FONT] [FONT=&quot]packet [/FONT]on my 1921 and I can see that everything that is described in my book actually does happen. I can see:

*Dec 28 10:36:39.299: DHCPD: DHCPDISCOVER received from client 0100.e100.0043.f7 on interface GigabitEthernet0/1.
*Dec 28 10:36:39.299: DHCPD: Seeing if there is an internally specified pool class:
*Dec 28 10:36:39.299: DHCPD: htype 1 chaddr 00e1.0000.43f7
*Dec 28 10:36:39.299: DHCPD: remote id 020a0000c0a8020101000000
*Dec 28 10:36:39.299: DHCPD: circuit id 00000000
*Dec 28 10:36:39.299: DHCPD: Sending DHCPOFFER to client 0100.e100.0043.f7 (
*Dec 28 10:36:39.299: DHCPD: no option 125
*Dec 28 10:36:39.299: DHCPD: creating ARP entry (, 00e1.0000.43f7, vrf default).
*Dec 28 10:36:39.299: DHCPD: unicasting BOOTREPLY to client 00e1.0000.43f7 (
*Dec 28 10:36:39.303: DHCPD: client's VPN is .
*Dec 28 10:36:39.303: DHCPD: No option 125
*Dec 28 10:36:39.303: DHCPD: DHCPREQUEST received from client 0100.e100.0043.f7.
*Dec 28 10:36:39.303: DHCPD: Sending notification of ASSIGNMENT:
*Dec 28 10:36:39.303: DHCPD: address mask
*Dec 28 10:36:39.303: DHCPD: htype 1 chaddr 00e1.0000.43f7
*Dec 28 10:36:39.303: DHCPD: lease time remaining (secs) = 3600
*Dec 28 10:36:39.303: DHCPD: Appending default domain from pool
*Dec 28 10:36:39.303: DHCPD: Using hostname 'DESKTOP-K394SA8.wavelabs.' for dynamic update (from FQDN option)
*Dec 28 10:36:39.303: DHCPD: Sending DHCPACK to client 0100.e100.0043.f7 (

Could you please let me know why I can't see that on Wireshark?

Thanks in advance,



  • Params7Params7 Posts: 254Member
    Seems to be a known issue with Wireshark on laptops if you search google. I'm guessing if you span the port going to your laptop out to a switchport and connect wireshark to it you will see all DORA packets (in case you don't know setting up span sessions: Catalyst 2940 Switch Software Configuration Guide, 12.1(19)EA1 - Configuring SPAN [Cisco Catalyst 2940 Series Switches] - Cisco )
  • wavebenderwavebender Posts: 6Member ■□□□□□□□□□
    I'm not sure I need to use SPAN. I run Wireshark on device that is initializing DHCP handshake hence I should be able to see DHCP messages that are directed to my MAC. There is direct link between laptop and int g0/1 on my router. Correct me if I'm wrong but DHCP Offer and DHCP Ack should have source IP address set to the IP address of the DHCP server, and directed to but because they use Client ID only host that sent DHCP Discovery message should be able to "see" this packet as it contains its Client ID that is based on host's MAC address.

    I Googled the issue, and if I understand it correctly issue could happen if I would try to listen to DHCP handshake between other devices, and DHCP server in a subnet, and then I would need SPAN to do so.

    I have a feeling that you might be right, so I'm going to test your theory about possible issues with my NICs. I just deployed couple Cisco CSR1000v on my server alongside Ubuntu with Wireshark. Maybe I will be able to see full DHCP handshake in VM environment.

    Will report back soon.
  • wavebenderwavebender Posts: 6Member ■□□□□□□□□□
    Ubuntu deployed on same XenServer machine as my routers is able to "sniff" all packets that I was looking for. I still don't understand why my laptops are unable to do so. However, my main concern was inability to test DHCP handshake. That has been resolved.

    Thanks for help.
Sign In or Register to comment.