THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question

Revision history  [back]

Revision 1
Spooky's avatar
191
Spooky
answered 2019-08-02 02:51:20 +0000

Hi Garry,

I'll make this the answer to this post based on your last comments so it can help others as well.

First x.x.4.251 was probably not expecting DHCP traffic from your clients. It's likely the configuration of the server, including pools of addresses, was not adequate to answer DHCP Request. It is then expected for that server to send NAK to clients who request addresses that the server cannot handle. So the DHCPNAK are not unexpected but the x.x.4.251 server could be defined as a rogue DHCP server.

Nonetheless you can filter DHCP messages with a filter.

It's a good idea to check RFC 2132 for details on the message types.

9.6. DHCP Message Type

   This option is used to convey the type of the DHCP message.  The code
   for this option is 53, and its length is 1.  Legal values for this
   option are:

           Value   Message Type
           -----   ------------
             1     DHCPDISCOVER
             2     DHCPOFFER
             3     DHCPREQUEST
             4     DHCPDECLINE
             5     DHCPACK
             6     DHCPNAK
             7     DHCPRELEASE
             8     DHCPINFORM

Use bootp.option.dhcp == 6 to display DHCPNAK.

You can also start using dhcp.option.dhcp == 6 in the latest versions (3.x) of Wireshark.

Hope this helps.

Cheers,

JFD