20th November 2008
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Try the following to get more verbose output:
Code:
# tcpdump -eni bge0 -s512 -vv   

tcpdump: listening on bge0, link-type EN10MB

22:01:05.378827 00:10:18:00:9f:fd ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] xid:0x4cef1e6d vend-rfc1048 HN:"hercules" RQ:192.168.222.231 DHCP:DISCOVER PR:SM+BR+DG+DN+NS+HN [tos 0x10] (ttl 16, id 0, len 328)

22:01:05.380115 00:08:c7:05:ca:0b ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.222.248 tell 192.168.222.10

22:01:05.380561 00:08:c7:05:ca:0b 00:10:18:00:9f:fd 0800 342: 192.168.222.10.67 > 192.168.222.248.68: [udp sum ok] xid:0x4cef1e6d Y:192.168.222.248 S:192.168.222.10 vend-rfc1048 DHCP:OFFER SID:192.168.222.10 LT:43200 SM:255.255.255.0 DG:192.168.222.10 DN:"utp.net" NS:192.168.222.10 [tos 0x10] (ttl 16, id 0, len 328)

22:01:07.395831 00:10:18:00:9f:fd ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] xid:0x4cef1e6d vend-rfc1048 HN:"hercules" RQ:192.168.222.248 DHCP:REQUEST SID:192.168.222.10 PR:SM+BR+DG+DN+NS+HN [tos 0x10] (ttl 16, id 0, len 328)

22:01:07.455589 00:08:c7:05:ca:0b 00:10:18:00:9f:fd 0800 342: 192.168.222.10.67 > 192.168.222.248.68: [udp sum ok] xid:0x4cef1e6d Y:192.168.222.248 S:192.168.222.10 vend-rfc1048 DHCP:ACK SID:192.168.222.10 LT:43200 SM:255.255.255.0 DG:192.168.222.10 DN:"utp.net" NS:192.168.222.10 [tos 0x10] (ttl 16, id 0, len 328)

22:01:07.465087 00:10:18:00:9f:fd ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.248 tell 192.168.222.248

22:01:07.465237 00:08:c7:05:ca:0b 00:10:18:00:9f:fd 0800 62: 192.168.222.10 > 192.168.222.248: icmp: echo request (id:a656 seq:0) (ttl 255, id 53252, len 48)

22:01:07.465270 00:10:18:00:9f:fd ff:ff:ff:ff:ff:ff 0806 42: arp who-has 192.168.222.10 tell 192.168.222.248

22:01:07.465380 00:08:c7:05:ca:0b 00:10:18:00:9f:fd 0806 60: arp reply 192.168.222.10 is-at 00:08:c7:05:ca:0b

22:01:07.465395 00:10:18:00:9f:fd 00:08:c7:05:ca:0b 0800 62: 192.168.222.248 > 192.168.222.10: icmp: echo reply (id:a656 seq:0) (ttl 255, id 53475, len 48)

See http://en.wikipedia.org/wiki/Dynamic...ation_Protocol for more info.

Notice the ARP requests issued by the server (192.168.222.10) as well as the client (192.168.222.248), and the ICMP ping issued by the server.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
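The following Python example is added here and is not part of J65nko's post: it parses `tcpdump -e -vv` DHCP lines in the format of the capture above, groups them by xid, and reports the message order, whether the DISCOVER/OFFER/REQUEST/ACK exchange completed, and any answering server ID outside an expected set. The sample lines are constructed, the second transaction and the `expected_servers` parameter are assumptions, and the unexpected-server check goes beyond what the post itself discusses.

```python
import re
from collections import defaultdict

# Constructed sample in the capture's format (wrapped lines rejoined, trailing
# fields trimmed). The xid 0x1a2b3c4d transaction is invented for the example.
SAMPLE = """\
22:01:05.378827 00:10:18:00:9f:fd ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] xid:0x4cef1e6d vend-rfc1048 HN:"hercules" DHCP:DISCOVER
22:01:05.380115 00:08:c7:05:ca:0b ff:ff:ff:ff:ff:ff 0806 60: arp who-has 192.168.222.248 tell 192.168.222.10
22:01:05.380561 00:08:c7:05:ca:0b 00:10:18:00:9f:fd 0800 342: 192.168.222.10.67 > 192.168.222.248.68: [udp sum ok] xid:0x4cef1e6d Y:192.168.222.248 S:192.168.222.10 vend-rfc1048 DHCP:OFFER SID:192.168.222.10
22:01:07.395831 00:10:18:00:9f:fd ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] xid:0x4cef1e6d vend-rfc1048 DHCP:REQUEST SID:192.168.222.10
22:01:07.455589 00:08:c7:05:ca:0b 00:10:18:00:9f:fd 0800 342: 192.168.222.10.67 > 192.168.222.248.68: [udp sum ok] xid:0x4cef1e6d Y:192.168.222.248 S:192.168.222.10 vend-rfc1048 DHCP:ACK SID:192.168.222.10
22:02:10.000001 00:10:18:00:9f:fe ff:ff:ff:ff:ff:ff 0800 342: 0.0.0.0.68 > 255.255.255.255.67: [udp sum ok] xid:0x1a2b3c4d vend-rfc1048 DHCP:DISCOVER
22:02:10.000900 00:08:c7:05:ca:99 00:10:18:00:9f:fe 0800 342: 192.168.222.99.67 > 192.168.222.50.68: [udp sum ok] xid:0x1a2b3c4d Y:192.168.222.50 S:192.168.222.99 vend-rfc1048 DHCP:OFFER SID:192.168.222.99
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) 0800 \d+: .*?"
                  r"xid:(?P<xid>0x[0-9a-f]+).*?DHCP:(?P<type>[A-Z]+)")

def parse_dhcp(text):
    """Return one dict per DHCP line; ARP, ICMP and other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for key, tag in (("yiaddr", "Y"), ("sid", "SID")):
            f = re.search(rf"\b{tag}:(\S+)", line)
            ev[key] = f.group(1) if f else None
        events.append(ev)
    return events

def summarize(events, expected_servers):
    """Group by xid; report message order, completeness, unexpected servers."""
    by_xid = defaultdict(list)
    for ev in events:
        by_xid[ev["xid"]].append(ev)
    report = {}
    for xid, evs in by_xid.items():
        seq = [e["type"] for e in evs]
        odd = {e["sid"] or "?" for e in evs if e["type"] in ("OFFER", "ACK")
               and e["sid"] not in expected_servers}
        report[xid] = {"sequence": seq, "unexpected": sorted(odd),
                       "complete": seq == ["DISCOVER", "OFFER", "REQUEST", "ACK"]}
    return report

if __name__ == "__main__":
    for xid, r in summarize(parse_dhcp(SAMPLE), {"192.168.222.10"}).items():
        print(xid, r)
```

The parser expects each packet on one line, so wrapped output has to be rejoined before it is fed in.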