Chapter 7: Debugging & logging
Two Main Sources of Truth
When debugging dhcpd, always check both:
- Logs (journald/syslog): Show when leases are offered, acknowledged, or refused.
- Packet captures (tcpdump/Wireshark): Show the actual handshake:
  - DISCOVER → OFFER → REQUEST → ACK
  - Wireshark can also decode DHCP options and highlight missing/misconfigured values.
Common Issues to Check
If clients are not receiving offers:
- Firewall: Are UDP ports 67 (server) and 68 (client) open?
- Interface binding: Is dhcpd listening on the correct NIC?
- Relay behavior: Does the relay correctly set the giaddr field?
  - Missing/incorrect giaddr → server may allocate from the wrong subnet or ignore requests.
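The log half of the DISCOVER → OFFER → REQUEST → ACK check can be scripted. The following is an added example, not part of the original chapter: it reads dhcpd syslog lines and reports every client whose last logged message is not a DHCPACK, together with the interface or relay address after "via". The sample log lines, addresses and the stalled_clients helper are constructed for illustration, and the pattern assumes the usual ISC dhcpd message wording.

```python
import re

# Constructed sample lines in the message wording ISC dhcpd writes to syslog.
SAMPLE_LOG = """\
Jan 10 09:00:01 gw dhcpd[812]: DHCPDISCOVER from 52:54:00:aa:00:01 via eth1
Jan 10 09:00:02 gw dhcpd[812]: DHCPOFFER on 192.0.2.50 to 52:54:00:aa:00:01 (laptop1) via eth1
Jan 10 09:00:02 gw dhcpd[812]: DHCPREQUEST for 192.0.2.50 (192.0.2.1) from 52:54:00:aa:00:01 (laptop1) via eth1
Jan 10 09:00:02 gw dhcpd[812]: DHCPACK on 192.0.2.50 to 52:54:00:aa:00:01 (laptop1) via eth1
Jan 10 09:01:10 gw dhcpd[812]: DHCPDISCOVER from 52:54:00:aa:00:02 via 198.51.100.1: network 198.51.100.0/24: no free leases
Jan 10 09:02:00 gw dhcpd[812]: DHCPDISCOVER from 52:54:00:aa:00:03 via eth1
Jan 10 09:02:01 gw dhcpd[812]: DHCPOFFER on 192.0.2.51 to 52:54:00:aa:00:03 via eth1
"""

# Message type, client MAC, "via" (NIC name, or the relay's giaddr), optional reason.
LINE = re.compile(
    r"dhcpd(?:\[\d+\])?: (DHCP[A-Z]+) (?:.*? )?(?:from|to) "
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \([^)]*\))? via ([^:\s]+)(?:: (.*))?$",
    re.I,
)

# Fallback hints (assumptions), taken from the checks listed in this chapter.
HINTS = {
    "DHCPDISCOVER": "no OFFER logged: check that giaddr maps to a configured subnet",
    "DHCPOFFER": "OFFER sent, no REQUEST: check return path (firewall UDP 67/68, relay)",
    "DHCPREQUEST": "REQUEST seen, no ACK: check the server log for errors",
    "DHCPNAK": "server refused the requested address",
}

def stalled_clients(log_text):
    """Return {mac: (last_message, via, reason)} for clients without a final ACK."""
    last = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            msg, mac, via, detail = m.groups()
            last[mac.lower()] = (msg.upper(), via, detail)  # keep only the latest
    return {
        mac: (msg, via, detail or HINTS.get(msg, "unexpected final message"))
        for mac, (msg, via, detail) in last.items()
        if msg != "DHCPACK"
    }

if __name__ == "__main__":
    for mac, (msg, via, reason) in stalled_clients(SAMPLE_LOG).items():
        print(f"{mac} stopped at {msg} via {via}: {reason}")
```

A reason that dhcpd itself logged after the "via" field (such as "no free leases") takes precedence over the fallback hint.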
Testing Configurations
Always validate before restarting dhcpd:
dhcpd -d -cf /etc/dhcp/dhcpd.conf # Run in foreground, debug mode
dhcpd -t -cf /etc/dhcp/dhcpd.conf # Test config syntax only
tcpdump -ni any -vv port 67 or port 68 # Capture DHCP traffic
Logging and Syslog Integration
Increase Verbosity
Run in the foreground with -d during debugging.
Syslog Routing
Set a dedicated facility in dhcpd.conf:
log-facility local7;
Then configure rsyslog:
# /etc/rsyslog.d/30-dhcpd.conf
if ($programname == 'dhcpd') then /var/log/dhcpd.log
& stop
Log Rotation
Prevent disk fill-ups by configuring /etc/logrotate.d/dhcpd.
Best Practices for DHCP Logging
- Separate logs: Keep noisy DHCP lease logs separate from general system logs.
- Centralize: Forward logs to a remote collector for auditing and troubleshooting.
- Retention: Rotate and store logs according to compliance needs (some orgs must keep them for years).
- Privacy: DHCP logs tie MAC → IP → hostname. Follow GDPR/local privacy laws.
- Secure transport: Encrypt logs when sending them off-host.
- Tag & filter: Use facilities/severities to make parsing easier.
- Scale up: Large environments benefit from Logstash, Fluentd, or SIEM platforms for ingestion and search.
Final Note
With proper logging and packet analysis, DHCP is no longer a black box. Instead, it becomes a transparent, auditable service that integrates smoothly into your monitoring and security infrastructure.
DHCP Troubleshooting Flowchart
Client cannot get IP
|
v
Check Client Side
- Is NIC up? (ip addr / ifconfig)
- Is client sending DHCPDISCOVER? (tcpdump/Wireshark)
|
v
Check Network Path
- Firewalls open? (UDP 67/68)
- Switch/Router blocking broadcasts?
|
v
Check DHCP Server
- Is dhcpd running? (systemctl status isc-dhcp-server)
- Is it bound to correct interface? (/etc/default/isc-dhcp-server or dhcpd flags)
- Test config syntax (dhcpd -t -cf /etc/dhcp/dhcpd.conf)
|
v
Relay Agent Present?
- Is giaddr correctly set?
- Wrong/missing giaddr → server ignores request
|
v
Check Logs
- journald / syslog for OFFER/ACK/refused
- Dedicated DHCP logs (e.g., /var/log/dhcpd.log)
|
v
Packet Capture
- DISCOVER → OFFER → REQUEST → ACK sequence present?
- Are DHCP options (routers, DNS, etc.) included?
|
v
Advanced Checks
- Lease file (/var/lib/dhcp/dhcpd.leases) shows conflicts?
- Abandoned leases? (ARP conflict detected)
- SELinux/AppArmor blocking raw sockets?
|
v
If All Fails
- Increase verbosity (dhcpd -d)
- Route logs to central collector
- Use SIEM/Fluentd/Logstash for high-volume log analysis