Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
rbernal
Staff
Staff

Created on ‎09-16-2024 09:34 PM Edited on ‎08-25-2025 06:44 AM By Community Manager

Article Id 341806

Troubleshooting Tip: Check DHCP Messages with VLAN Tag using Wireshark Packet Capture

Description This article describes how to check a VLAN tag on DHCP Messages of devices that request a DHCP IP from FortiGate configured as a DHCP Server.
Scope FortiGate.
Solution

There are cases that which the FortiGate is set up as a DHCP server for a certain VLAN ID and devices are unable to get the IP address for that VLAN. One of the troubleshooting steps is to check if the DHCP Messages is received by the FortiGate and if it is correctly tagged by a VLAN ID.

Here is another helpful article to explain the DHCP Process: Technical-Tip-Understanding-DHCP-Process

 

The example below will provide steps to capture DHCP Messages and check the VLAN tag if correct.

 

Diagram:
FortiGate is configured as DHCP Server Physical Interface 'port2' and VLAN interface 'IntVLAN-20' with VLAN ID of 20.

 

 
 
 
Diagram101.PNG

 

FortiGate's Interfaces:

 

FortiGate Interface.PNG

  1. Setup Putty to capture all logs, then SSH or console to FortiGate. Follow this link: Technical Tip: How to create a log file of a session using PuTTY
  2. Initiate the packet capture command on CLI:

 

diagnose sniff packet port2 " " 6 0 l   <----- This command will capture all traffic on port2.

      ctrl+c            <----- To stop the sniffer.

 

  1. While packet capture on step 2 is running, connect the PC on e0/2 of the switch that is tagged with VLAN ID 20. FortiGate will capture all the traffic on port2 that includes DHCP Messages.
  2. When the PC gets an IP, stop the packet capture on step 2 by pressing 'CTRL+C' and convert the capture file into Wireshark pcap file by following this link: Technical Tip: How to import 'diagnose sniffer packet' data to WireShark

 

Attached an example file of Packet capture that have a VLAN 20 tag for reference:

  • Raw file saved by Putty using sniffer command: VLAN20-PCAP-RAW.zip
  • Converted file to Wireshark PCAP: VLAN20-PCAP.zip

 

  1. Open the pcap file VLAN20-PCAP.pcap and set the filter as the Physical address of the PC. Example filter: eth.addr == 50:00:00:09:00:00

 It shows on the image the DHCP Messages. More importantly, the DHCP Discovery sent by the PC with transaction ID 0x79543bd

Another filter related to transaction ID can also be added: bootp.id == 0x79543bd

 

VLAN20-PCAP_image.PNG

 

The image above shows the VLAN tag ID 20 on the DHCP Messages. This tag should be visible on the DHCP Messages so that the FortiGate could provide an IP address that is configured on the DHCP Server for VLAN 20.

 

Below is another example if the DHCP Messages being untagged. FortiGate will provide an IP address within the range of the DHCP Server in the Physical Interface instead.

 

The image below is not related to the network setup for the DHCP Messages that have a VLAN tagging:

 

No802dot1qtag_modified.png

 

Related articles:

Technical Tip: Diagnosing DHCP on a FortiGate

Troubleshooting Tip: Client receives the wrong DHCP scope

Troubleshooting Tip: Using the FortiGate sniffer on VLAN interfaces
VLAN20-PCAP.zip
VLAN20-PCAP-RAW.zip
1574
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.