decodedhcp
Decodes DHCP messages from Ethernet frames, extracting the transaction ID, IP addresses, client MAC address, DHCP options, and other data.
Command properties
| Item | Description |
|---|---|
| Command type | Processing query |
| Required permission | None |
| License usage | N/A |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Input fields
| Field | Type | Required | Description |
|---|---|---|---|
| payload | binary | Required | Ethernet frame data. If the field is not binary type, the input record is passed through as-is. |
Output fields
| Field | Type | Description |
|---|---|---|
| tx_id | integer | DHCP transaction ID |
| client_ip | ipaddr | Client IP address |
| your_ip | ipaddr | IP address assigned to the client by the server |
| next_server_ip | ipaddr | Next bootstrap server IP address |
| gateway_ip | ipaddr | Relay agent IP address |
| client_mac | string | Client MAC address |
| fingerprint | string | Fingerprint string based on DHCP Option 55 (Parameter Request List). Returns null if Option 55 is absent. |
| options | array | List of DHCP options. Each item is a map containing type (integer), name (string), and value (binary) fields. |
Error codes
Parse errors
N/A
Runtime errors
N/A
Description
The decodedhcp command reads an Ethernet frame from the payload field of each input record and decodes the DHCP protocol message. If the payload field is not binary type, the input record is passed through to the next command unchanged.
From the decoded DHCP message, the command extracts the transaction ID, client IP, server-assigned IP, next server IP, gateway IP, and client MAC address. If DHCP Option 55 (Parameter Request List) is present, a fingerprint string for device fingerprinting is generated.
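The decoding described above, at the byte level, as an added Python example (not Logpresso's code). The names `decode_dhcp` and `sample_frame` are hypothetical, the fingerprint format (Option 55 codes joined by commas) is an assumption because this page does not specify it, and only untagged IPv4 frames are handled; the per-option name lookup is left out.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options area


def decode_dhcp(frame):
    """Decode one Ethernet frame; return None if it is not a well-formed DHCP message."""
    if not isinstance(frame, (bytes, bytearray)) or len(frame) < 34:
        return None
    if frame[12:14] != b"\x08\x00":
        return None  # only untagged IPv4 frames are handled in this example
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 17:  # IPv4 protocol 17 = UDP
        return None
    b = 14 + ihl + 8  # start of the BOOTP header, after the UDP header
    if len(frame) < b + 240 or frame[b + 236:b + 240] != MAGIC_COOKIE:
        return None
    if set(struct.unpack_from("!HH", frame, b - 8)) - {67, 68}:
        return None  # not the DHCP server/client port pair
    ip = lambda o: str(ipaddress.IPv4Address(bytes(frame[b + o:b + o + 4])))
    options, i = [], b + 240
    while i < len(frame) and frame[i] != 255:  # 255 = End
        if frame[i] == 0:  # 0 = Pad, has no length byte
            i += 1
            continue
        if i + 2 > len(frame) or i + 2 + frame[i + 1] > len(frame):
            break  # truncated option: keep what parsed cleanly
        options.append({"type": frame[i], "value": bytes(frame[i + 2:i + 2 + frame[i + 1]])})
        i += 2 + frame[i + 1]
    prl = next((o["value"] for o in options if o["type"] == 55), None)
    return {
        "tx_id": struct.unpack_from("!I", frame, b + 4)[0],
        "client_ip": ip(12), "your_ip": ip(16),
        "next_server_ip": ip(20), "gateway_ip": ip(24),
        "client_mac": bytes(frame[b + 28:b + 28 + min(frame[b + 2], 16)]).hex(":"),
        # Assumed fingerprint format: Option 55 codes in request order, comma-separated
        "fingerprint": ",".join(map(str, prl)) if prl is not None else None,
        "options": options,
    }


def sample_frame(opts=b"\x35\x01\x01\x37\x04\x01\x03\x06\x0f\xff"):
    """Constructed DHCPDISCOVER frame (not captured traffic); checksums left at zero."""
    mac = bytes.fromhex("020000aabbcc")
    bootp = (struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0x8000) + bytes(16)
             + mac + bytes(10 + 64 + 128) + MAGIC_COOKIE + opts)
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      bytes(4), b"\xff" * 4)
    return b"\xff" * 6 + mac + b"\x08\x00" + ip4 + udp
```

Because the fingerprint is derived from a field the client controls, it is useful for inventory and anomaly triage but not as proof of device identity.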
Examples
- Decoding DHCP messages from a PCAP file

  ```
  pcapfile /opt/logpresso/dhcp-capture.pcap | decodedhcp
  ```

  Decodes DHCP messages from Ethernet frames read from a PCAP file.
- Extracting fingerprints after decoding

  ```
  pcapfile /opt/logpresso/dhcp-capture.pcap | decodedhcp | search isnotnull(fingerprint) | fields client_mac, fingerprint
  ```

  Extracts only records that have a fingerprint from DHCP messages and retrieves the client MAC address and fingerprint.