Earlier, while troubleshooting a possible issue with VMware Player on Ubuntu Linux, I needed to sniff broadcast traffic. The goal was to see whether multiple MAC addresses were sending out broadcast traffic after VMware Player was installed on Ubuntu, even without a VM actually running. Below is a quick example of how to sniff Ethernet broadcast and multicast traffic using tcpdump.
The example below is actually from a server running pfSense; however, it works exactly the same on Linux.
Use tcpdump To Display Broadcast Packets:
[2.0-RC1][root@pfsense-firewall]/root(10): tcpdump -i em1 ether broadcast and ether multicast
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
00:45:01.065625 ARP, Request who-has pfsense-firewall (00:c0:b7:77:d4:0e (oui Unknown)) tell 192.168.1.12, length 46
00:46:33.198633 ARP, Request who-has pfsense-firewall (00:c0:b7:a3:14:aa (oui Unknown)) tell 192.168.1.11, length 46
00:47:59.797136 ARP, Request who-has pfsense-firewall (00:c0:b7:32:4d:11 (oui Unknown)) tell 192.168.1.13, length 46
00:49:19.232436 ARP, Request who-has 192.168.1.210 tell 192.168.1.106, length 46
00:49:20.449250 ARP, Request who-has pfsense-firewall tell 192.168.1.210, length 46
00:49:20.462993 88:53:95:86:06:b4 (oui Unknown) > Broadcast Null Unnumbered, xid, Flags [Response], length 46: 01 00
00:49:29.050518 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 88:53:95:86:06:b4 (oui Unknown), length 300
00:49:31.070005 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 88:53:95:86:06:b4 (oui Unknown), length 300
00:49:31.083996 ARP, Request who-has 192.168.1.130 tell 0.0.0.0, length 46
00:49:31.091867 ARP, Request who-has pfsense-firewall (00:c0:b7:77:d4:0e (oui Unknown)) tell 192.168.1.12, length 46
00:49:31.429427 ARP, Request who-has 192.168.1.130 tell 0.0.0.0, length 46
00:49:31.750620 ARP, Request who-has 192.168.1.130 tell 0.0.0.0, length 46
00:49:32.073439 ARP, Request who-has 192.168.1.130 tell 192.168.1.130, length 46
00:49:32.396258 ARP, Request who-has 192.168.1.130 tell 192.168.1.130, length 46
00:49:32.720947 ARP, Request who-has 192.168.1.130 tell 192.168.1.130, length 46
00:49:32.726194 ARP, Request who-has pfsense-firewall tell 192.168.1.130, length 46
00:49:32.727943 ARP, Request who-has 169.254.255.255 tell 192.168.1.130, length 46
00:49:32.966933 ARP, Request who-has pfsense-firewall tell 192.168.1.130, length 46
00:49:33.109353 ARP, Request who-has 169.254.255.255 tell 192.168.1.130, length 46
00:49:33.438294 ARP, Request who-has 169.254.255.255 tell 192.168.1.130, length 46
00:49:33.721507 ARP, Request who-has 169.254.255.255 tell 192.168.1.130, length 46
00:49:34.017841 ARP, Request who-has 169.254.255.255 tell 192.168.1.130, length 46
^C
22 packets captured
133692 packets received by filter
0 packets dropped by kernel
[2.0-RC1][root@pfsense-firewall]/root(11):
The “ether broadcast” capture can help when troubleshooting DHCP and/or BOOTP issues, since DHCP discovery and ARP both rely on broadcast frames. Depending on how much traffic there is on the network, you may want to add more filter primitives such as host, ip, port, etc. One caveat about the filter above: “ether multicast” matches any frame whose destination MAC has the group bit set (the low bit of the first octet, ether[0] & 1), and the broadcast address ff:ff:ff:ff:ff:ff has that bit set too, so “ether broadcast and ether multicast” matches only broadcast frames, consistent with the capture above where every frame is a broadcast. To see multicast traffic as well, use “ether broadcast or ether multicast”, or simply “ether multicast”, which already includes broadcast.
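To take this one step further toward the original goal of the post, finding out how many distinct MAC addresses are generating broadcast or multicast frames, the following script tallies the source MACs in tcpdump output produced with -e (link-level headers). It is an added example and not code from the original post. The sample capture inside it is constructed by hand in the format tcpdump prints with -e -nn, and its MAC and IP addresses are made up (the 00:0c:29 and 00:50:56 prefixes are VMware OUIs, chosen to fit the scenario).

```shell
#!/bin/sh
# Tally which source MACs are sending broadcast/multicast frames, from tcpdump -e output.
# Added example, not code from the original post. SAMPLE_CAPTURE is constructed by hand
# in the format `tcpdump -e -nn -l` prints; its MAC and IP addresses are made up.
#
# Live use (as root, interface from the post):
#   tcpdump -i em1 -e -nn -l 'ether broadcast or ether multicast' | tally_group_senders
# Note: 'ether multicast' (group bit set) already includes ff:ff:ff:ff:ff:ff, so
# 'ether broadcast and ether multicast' would capture broadcast frames only.

SAMPLE_CAPTURE='00:45:01.065625 00:c0:b7:77:d4:0e > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.12, length 46
00:49:20.449250 00:0c:29:3a:9f:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.210, length 46
00:49:29.050518 00:0c:29:3a:9f:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:3a:9f:01, length 300
00:49:31.083996 00:50:56:c0:00:08 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 87: 192.168.1.1.5353 > 224.0.0.251.5353: 0 PTR (QM)? _services._dns-sd._udp.local. (45)
00:49:32.073439 00:0c:29:3a:9f:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.130 tell 192.168.1.130, length 46
00:49:33.109353 00:c0:b7:77:d4:0e > 00:c0:b7:a3:14:aa, ethertype IPv4 (0x0800), length 98: 192.168.1.12 > 192.168.1.11: ICMP echo request, id 1, seq 1, length 64'

# tally_group_senders: read tcpdump -e -nn output on stdin and print one
# "<frames> <source MAC>" line per sender of group-addressed frames, busiest first.
# With -e -nn the fields are: $1 timestamp, $2 source MAC, $3 ">", $4 destination MAC
# followed by a comma. A destination is a group (multicast or broadcast) address when
# bit 0 of its first octet is set, i.e. its second hex digit is odd, so unicast frames
# such as the last sample line are skipped even when the capture was not filtered.
tally_group_senders() {
    awk '$3 == ">" && length($2) == 17 && substr($4, 2, 1) ~ /[13579bdf]/ { seen[$2]++ }
         END { for (mac in seen) print seen[mac], mac }' |
        sort -k1,1nr -k2,2
}

# distinct_group_senders: number of distinct MACs found by tally_group_senders.
distinct_group_senders() {
    tally_group_senders | wc -l | tr -d ' '
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_CAPTURE" | tally_group_senders
printf 'distinct senders: %s\n' "$(printf '%s\n' "$SAMPLE_CAPTURE" | distinct_group_senders)"
```

The -nn flag matters here: without it tcpdump prints “Broadcast” in place of ff:ff:ff:ff:ff:ff and appends “(oui …)” annotations, which shifts the awk field positions. On the sample above the script reports three distinct senders, with 00:0c:29:3a:9f:01 (three frames) on top, and the ICMP unicast frame is not counted against 00:c0:b7:77:d4:0e.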
While this isn’t all that important, I just wish to point out that your tcpdump filter could be shortened to ‘broadcast and multicast’, as they both get compiled to the same BPF.
e.g.
# tcpdump -dd broadcast and multicast > short.txt
# tcpdump -dd ether broadcast and ether multicast > long.txt
# diff short.txt long.txt
Useful post though, Thanks.
Hello Jon,
Good deal. I wasn’t aware you could shorten them in that manner. Thanks for taking the time to post info and for teaching me something. :)
Thanks.
alex