Software Developers
Showing results for 
Search instead for 
Do you mean 

Sniffing System Startup

mrohad on ‎05-08-2013 08:10 AM

We are used to having all computers, cell phones, and other devices connected to the network.  How does that connection happen? It is interesting to monitor a system from the moment it boots up until it is fully connected to the outside world, and see which protocols are involved in the process.

My laptop setup uses CentOS-5.6 starting inside VirtualBox ( To capture the packets, I use Wireshark (

The VM network adapter  is configured in Bridged mode (see the following image). This way, all the traffic goes through a physical device on the host machine - my laptop in this case.  



Note the MAC address given to the VM: 08:00:27:F2:41:7B.

Having everything set, I start recording the traffic in Wireshark, and launch CentOS.

Wireshark captures all the traffic that goes through the physical device. So I filter the traffic using the previously noted MAC address: eth.addr==08:00:27:F2:41:7B. The resulting capture file (a copy of which is attached) looks like this:



The first packet is a DHCP (Dynamic Host Configuration Protocol) request. This is how the CentOS machine asks for a new IP address. The request is sent, of course, as a broadcast (Ethernet address FF:FF:FF:FF:FF:FF; IP address, since it does not know whom to ask. The DHCP request is sent by UDP packet and uses standard port numbers: 67 for destination, and 68 for source.

Among other items, the DHCP request contains a list of parameters that the host is hoping to get in response:


In the second packet (as you can see in the image above) the request is repeated; UDP is not a reliable protocol, and the original request might be lost. You should appreciate the patience shown by CentOS; it waited 5.7 seconds for an answer - much longer than the response time most of us expect from any web site!

And finally an HDCP response (an offer) is received:


Note that it contains the IP address to be used by the host (, lease time, renewal policy, and also the IP addresses of two DNS servers: The host happily accepts such a generous offer.

But one piece of information is still missing: the Host Name. This was neither returned by DHCP nor configured on CentOS itself. So, in packet 14 it tries its luck with a reverse DNS query. (Fortunately, we already have the DNS server’s IP address.)


Note that a special format of a host name is being used: This is  created from the IP address of the host, but with the order of the octets reversed, and a standard suffix. Unfortunately,  , meaning the machine has no option but to use “localhost” as the Host Name.

Also note that the request was sent to the DNS server. But how could the host know what MAC address it should put in the Ethernet frame? Packet 8 is an ARP (Address Resolution Protocol) request, asking for the MAC address of CentOS knows that the DNS server is located in a different network subnet (based on the subnet mask), so it uses the MAC address of the router (also known from the DHCP response) to send packets to the outside world.

This overview gives you an idea how a newly booted computer finds itself in the network world. You might find it worthwhile  to look at the next packets in the capture file and figure out such queries as:

  • Why does CentOS send an IGMP request to
  • What is the IP address?
  • Why does it believe MDNS will achieve better results?
  • How (later in the process, while being logged in) does it look for updates on CentOS mirror sites?

A short time using Google should provide all the answers!


This article has been written by Michael Gopshtein


0 Kudos
About the Author


Nov 29 - Dec 1
Discover 2016 London
Learn how to thrive in a world of digital transformation at our biggest event of the year, Discover 2016 London, November 29 - December 1.
Read more
Each Month in 2016
Software Expert Days - 2016
Join us online to talk directly with our Software experts during online Expert Days. Find information here about past, current, and upcoming Expert Da...
Read more
View all