3

I am getting DHCP Offer as the first packet on a DHCP traffic capture.

Why does this happen? Can it be a normal behavior?

2
  • DHCP Offer is the response to a DHCP Discover. Could you please explain better the problem? To me, it seems you are seeing traffic in only one direction, from server to client.
    – motobói
    Commented Aug 29, 2015 at 14:59
  • I capture this all the time with tcpdump and I can see the full DORA process. Make sure you're capturing EVERYTHING and then filtering down to just DHCP traffic.
    – madacoda
    Commented May 11, 2020 at 8:28

1 Answer

3

I am getting first DHCP packet as DHCP Offer

You are looking at inbound DHCP traffic to the client.

You will only get DHCP Offer in response to an outbound DHCP Discover from the client.


How Dynamic Host Configuration Protocol (DHCP) Works

DHCP works by leasing IP Addresses and IP information to network clients for a period of time.

For the lease to happen, the following negotiation process occurs:


  1. During the boot process, a client computer that is configured as a DHCP client sends out a broadcast packet called "DHCP Discovery". This Discover packet contains the client's computer name and Media Access Control (MAC) address so the DHCP servers can respond to it. Basically, the Discover packet says, "I'm looking for a DHCP server who can lease an IP Address".
  2. DHCP servers on the network respond to the broadcast with a "DHCP Offer". In essence, the "DHCP Offer" says, "I am a DHCP server and I have a lease for you". If several DHCP servers respond to the request, the client accepts the first offer that it receives.
  3. The client responds via a broadcast message called a "DHCP Request". This message basically says, "I accept your lease offer and would like an IP Address". If other DHCP servers made offers, they also see their lease offers were not accepted by the broadcast message, so they rescind their offers.
  4. The DHCP server whose offer was accepted responds with a "DHCP Acknowledgment" message, which acknowledges the lease acceptance and contains the client's IP Address lease as well as other IP Addressing information that you configure the server to provide. The client is now a TCP/IP client and can participate on the network.

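The check implied by the answer and comments above, as an added example (not code from the original post): it parses raw DHCP payloads, groups them by transaction ID (the `xid` field of RFC 2131), and reports transactions whose first captured message is a server reply, meaning the client's Discover is missing from the capture. The function names, the MAC address and the sample packets are constructed for illustration.

```python
import struct

MAGIC = bytes([99, 130, 83, 99])  # DHCP magic cookie (RFC 2131)
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_REPLIES = {"OFFER", "ACK", "NAK"}

def parse_dhcp(payload):
    """Return (xid, client_mac, type_name) for a DHCP UDP payload, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = payload[28:28 + min(payload[2], 16)].hex(":")
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = End option
        if payload[i] == 0:                          # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                    # truncated option
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if payload[i] == 53 and len(value) == 1:     # option 53 = message type
            return xid, mac, TYPES.get(value[0], "OTHER")
        i += 2 + length
    return None

def orphan_replies(payloads):
    """Map xid -> (mac, type) where the first captured message is a server reply."""
    first = {}
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed:
            first.setdefault(parsed[0], parsed[1:])
    return {x: v for x, v in first.items() if v[1] in SERVER_REPLIES}

def build(op, xid, mac, mtype):
    """Constructed sample packet: BOOTP header + cookie + option 53 + End."""
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + bytes(16)
    return head + mac + bytes(10 + 192) + MAGIC + bytes([53, 1, mtype, 255])

MAC = bytes.fromhex("020000000001")                  # constructed client MAC
FULL = [build(1, 0x1111, MAC, 1), build(2, 0x1111, MAC, 2),
        build(1, 0x1111, MAC, 3), build(2, 0x1111, MAC, 5)]   # D, O, R, A

if __name__ == "__main__":
    print(orphan_replies(FULL))       # complete DORA exchange
    print(orphan_replies(FULL[1:]))   # capture that missed the Discover
```

An Offer reported here points to a capture that started late or saw only server-to-client traffic; an Offer from an unexpected server address is a separate question this check does not answer.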