Friday, December 19, 2025

Stop Packet Hoarding: Why Enabling DHCP Logs Will Save Your Sanity

If you’ve ever fired up a packet capture to troubleshoot a DHCP issue, you know the feeling. Suddenly you’re drowning in thousands of packets, most of which have absolutely nothing to do with your problem. Sure, packet captures are powerful, but using them for basic DHCP troubleshooting is like bringing a chainsaw to cut a slice of pizza. Enabling DHCP logging gives you the highlights instead of the entire director’s cut, and your brain will thank you for it.

DHCP logs tell a clean, simple story: who asked for an address, when they asked, what they got, and why they maybe didn’t get one. You can immediately see failed requests, exhausted scopes, duplicate MAC addresses, or clients that just won’t stop asking nicely. Instead of squinting at hex values and scrolling past ARP chatter, you get human-readable entries that point straight to the problem. It’s the difference between reading a police report and watching every security camera in the city at once.

Another big win is time and storage. Packet captures grow fast and get unwieldy even faster. You capture too little and miss the issue, or capture too much and now you’re archiving a multi-gigabyte file named “dhcp_final_FINAL_v3.pcapng.” DHCP logs, on the other hand, are lightweight and continuous. You can leave them on without worrying about disk space or explaining to management why the firewall suddenly needs more storage than the file server.

That’s not to say packet captures are useless—sometimes you really do need the chainsaw. But for day-to-day DHCP troubleshooting, logs are faster, clearer, and far less likely to make you question your career choices at 2 a.m. Enable DHCP logging first, solve the problem in minutes, and save packet captures for when things get truly weird. Your future self, staring at fewer packets and drinking better coffee, will appreciate it.

Here is an example of enabling DHCP logging on a Ubiquiti EdgeRouter that is acting as a DHCP server:

configure

set service dhcp-server global-parameters 'log-facility local2;'

set system syslog file dhcpd facility local2 level debug

set system syslog file dhcpd archive files 5

set system syslog file dhcpd archive size 5000

commit; save

exit


After applying the changes, you can view the DHCP log with:

 show log file dhcpd

 

Here is some sample output. Before you freak out, do your DHCP homework.


@Georgetown:~$ show log file dhcpd

Dec 11 09:57:58 Georgetown dhcpd3: uid lease 10.44.10.173 for client e8:ca:c8:57:fb:4c is duplicate on 10.44.10.0

Dec 11 09:57:58 Georgetown dhcpd3: DHCPDISCOVER from e8:ca:c8:57:fb:4c via eth2

Dec 11 09:57:58 Georgetown dhcpd3: DHCPOFFER on 10.44.10.37 to e8:ca:c8:57:fb:4c via eth2

Dec 11 09:58:12 Georgetown dhcpd3: uid lease 10.44.10.173 for client 24:3f:75:dd:af:38 is duplicate on 10.44.10.0

Dec 11 09:58:12 Georgetown dhcpd3: DHCPDISCOVER from 24:3f:75:dd:af:38 via eth2

Dec 11 09:58:12 Georgetown dhcpd3: DHCPOFFER on 10.44.10.36 to 24:3f:75:dd:af:38 via eth2

Dec 11 09:58:42 Georgetown dhcpd3: DHCPDISCOVER from 3c:7a:aa:9a:c3:8f via eth2

Dec 11 09:58:43 Georgetown dhcpd3: DHCPOFFER on 10.44.10.173 to 3c:7a:aa:9a:c3:8f via eth2

Dec 11 09:58:45 Georgetown dhcpd3: DHCPDISCOVER from 84:c8:a0:d3:b8:2e via eth2

Dec 11 09:58:45 Georgetown dhcpd3: DHCPOFFER on 10.44.10.173 to 84:c8:a0:d3:b8:2e via eth2

Dec 11 10:02:59 Georgetown dhcpd3: uid lease 10.44.10.173 for client e8:ca:c8:57:fb:4c is duplicate on 10.44.10.0

Dec 11 10:02:59 Georgetown dhcpd3: DHCPDISCOVER from e8:ca:c8:57:fb:4c via eth2

Dec 11 10:02:59 Georgetown dhcpd3: DHCPOFFER on 10.44.10.37 to e8:ca:c8:57:fb:4c via eth2

Dec 11 10:03:13 Georgetown dhcpd3: uid lease 10.44.10.173 for client 24:3f:75:dd:af:38 is duplicate on 10.44.10.0

Dec 11 10:03:13 Georgetown dhcpd3: DHCPDISCOVER from 24:3f:75:dd:af:38 via eth2

Dec 11 10:03:13 Georgetown dhcpd3: DHCPOFFER on 10.44.10.36 to 24:3f:75:dd:af:38 via eth2

Dec 11 10:03:43 Georgetown dhcpd3: DHCPDISCOVER from 3c:7a:aa:9a:c3:8f via eth2

Dec 11 10:03:44 Georgetown dhcpd3: DHCPOFFER on 10.44.10.173 to 3c:7a:aa:9a:c3:8f via eth2

Dec 11 10:03:45 Georgetown dhcpd3: DHCPDISCOVER from 84:c8:a0:d3:b8:2e via eth2

Dec 11 10:03:45 Georgetown dhcpd3: DHCPOFFER on 10.44.10.173 to 84:c8:a0:d3:b8:2e via eth2

Dec 11 10:08:00 Georgetown dhcpd3: uid lease 10.44.10.173 for client e8:ca:c8:57:fb:4c is duplicate on 10.44.10.0








