As part of my baselining series, I am covering the various topics or protocols to look for.
In this example, I have a PC bootup trace file, which you can capture using a SPAN port or tap. Ensure that the capturing computer is capturing WITHOUT a filter; you want to be sure you have all the packets. A big mistake I see is the network analyst applying an IPv4 capture filter.
In this example, the computer has a ton of protocols and services that need to be cleaned up, but that's not the focus here. The client was having DHCP server issues, so I asked them for a bootup capture, and here it is. The first thing I did was apply a DHCP display filter to confirm that there was no DHCP present: check. Then I noted the client's MAC address and applied a display filter on it to help me zero in.
I noticed that there were ICMP error packets, which is a good lesson for the filter-happy analysts out there: always include ICMP in your filter in case such packets are present. When they are, you get a much better idea of what is going on. In this case, the ICMP Port Unreachable message tells me that the device that sent it does not support the port/protocol/service that was used to contact it.
As I mention in the video, ICMP error messages carry a copy of the offending packet's header, which you can use to figure out what happened. In this case, I used the IP Identification field to further prove which packet was the offending one.
Lastly, the client's IP helper configuration on the router interface, in combination with the computer's configuration, was causing a lot of broadcast packets to hit the DHCP server, which did not support NetBIOS, so the DHCP server had to send an ICMP error packet for every NetBIOS packet. This perfect storm loaded the DHCP server to the point where it could not send DHCP replies, or could not send them in a timely manner.
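To make the two analysis steps above concrete (matching an ICMP error back to the packet it quotes via the IP Identification field, and then tallying which ports the DHCP server is rejecting), here is an added Python example. It is not code from the original post; it builds a small constructed capture of raw IPv4 frames rather than reading a real trace, and the addresses (client 192.168.1.50, DHCP server 10.0.0.5 reached through the router's IP helper) are assumptions chosen to mirror the scenario described.

```python
import socket
import struct
from collections import Counter

# IANA protocol numbers and the ICMP type/code from RFC 792
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_DEST_UNREACH, CODE_PORT_UNREACH = 3, 3


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.
    A header that already carries a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, ip_id: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    # UDP checksum left at 0 (permitted for IPv4); the ports are what matter here
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_port_unreachable(reporter: str, offending: bytes, ip_id: int) -> bytes:
    """ICMP Destination Unreachable / Port Unreachable sent by `reporter` to the
    offending packet's source. RFC 792: quote the offending IP header plus the
    first 8 bytes of its payload (enough to carry the UDP ports)."""
    body = b"\x00\x00\x00\x00" + offending[:20 + 8]   # 4 unused bytes, then quote
    hdr = struct.pack("!BBH", ICMP_DEST_UNREACH, CODE_PORT_UNREACH, 0)
    hdr = hdr[:2] + struct.pack("!H", ip_checksum(hdr + body))
    victim = socket.inet_ntoa(offending[12:16])       # offending packet's source
    return build_ipv4(reporter, victim, PROTO_ICMP, ip_id, hdr + body)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields we need; works on a full packet or on the truncated
    copy quoted inside an ICMP error."""
    ver_ihl, _, _, ip_id, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "id": ip_id, "proto": proto, "payload": pkt[ihl:]}
    if proto == PROTO_UDP and len(info["payload"]) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", info["payload"][:4])
    return info


def parse_icmp_error(pkt: bytes):
    """Return (reporter, code, quoted packet info) for an ICMP Destination
    Unreachable, else None."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != PROTO_ICMP or outer["payload"][0] != ICMP_DEST_UNREACH:
        return None
    icmp = outer["payload"]
    return outer["src"], icmp[1], parse_ipv4(icmp[8:])


def correlate(packets):
    """For each ICMP error, find the earlier frame it quotes. The key is
    (src, dst, IP ID): the IP ID ties the quote to one specific frame even
    when many packets share the same addresses."""
    first_seen, matches = {}, []
    for idx, pkt in enumerate(packets):
        p = parse_ipv4(pkt)
        first_seen.setdefault((p["src"], p["dst"], p["id"]), idx)
        err = parse_icmp_error(pkt)
        if err is None:
            continue
        reporter, code, q = err
        matches.append({"icmp_frame": idx, "reporter": reporter, "code": code,
                        "offending_frame": first_seen.get((q["src"], q["dst"], q["id"])),
                        "dport": q.get("dport")})
    return matches


def summarize(matches) -> Counter:
    """Errors per (reporting host, rejected port): a pile of code 3 from the
    DHCP server on 137/138 is the NetBIOS storm described in the post."""
    return Counter((m["reporter"], m["dport"]) for m in matches)


def build_sample_capture():
    """Constructed frames, not from a real trace (hosts are assumptions)."""
    client, dhcp = "192.168.1.50", "10.0.0.5"
    nbns = build_ipv4(client, dhcp, PROTO_UDP, 0x1A2B, build_udp(137, 137, b"NBNS-query"))
    nbds = build_ipv4(client, dhcp, PROTO_UDP, 0x1A2C, build_udp(138, 138, b"NBDS-datagram"))
    discover = build_ipv4("0.0.0.0", "255.255.255.255", PROTO_UDP, 0x1A2D,
                          build_udp(68, 67, b"DHCPDISCOVER"))
    return [nbns, build_port_unreachable(dhcp, nbns, 0x0101),
            nbds, build_port_unreachable(dhcp, nbds, 0x0102), discover]


if __name__ == "__main__":
    cap = build_sample_capture()
    for m in correlate(cap):
        print(m)
    print(summarize(correlate(cap)))
```

The `correlate` step is the programmatic version of reading the quoted header inside the ICMP error and matching its Identification value against the client's earlier frames; `summarize` then shows at a glance that every error comes from the DHCP server and targets UDP 137/138, which is the symptom of the IP helper relaying NetBIOS broadcasts to a server that does not speak it.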