How to troubleshoot the PXE Boot Process Using Wireshark

Version 12

    Verified Product Versions

    Endpoint Manager 2016.x



    How do you use a network trace utility (such as Wireshark) to trouble shoot network PXE boot issues?




    The network trace should typically be taken from the computer acting as the PXE representative.


    Steps to capture a network trace focused only on bootp traffic:


    1. Download the latest version of Wireshark.Install Wireshark on the PXE Representative.
    2. Run Wireshark on the PXE representative.
    3. Under the "Capture" menu select "Interfaces" and ensure that only the Ethernet connection that is connected to the desired subnet is selected.
    4. Click the "Options" button and in the Capture Filter section type in "port 67 or port 68".  This will limit the capture to only traffic on ports 67 and port 68.
      Ports 67 and port 68 are used in the DHCP process.  UDP port 67 is the destination port of a server.  UDP port number 68 is used by the client.

    5. Turn on the network client and select "network boot" in the boot device options to boot to network.
    6. If booting a UEFI device, you will need to have an OS Deployment task targeted to that device in order for the device to network boot.
    7. If using a Legacy BIOS device it should pick up the network boot and present you with the following boot menu:
          Take note of the IP address of the client, the MAC Address of the client, and the Proxy IP, as it will be useful in later Wireshark troubleshooting

      What can go wrong at this point? 

      Error: "PXE-E51: No DHCP or proxyDHCP offers were received"

      Error: PXE-E52: ProxyDHCP offers were received. No DHCP offers were received
      Error: PXE-E53: No boot filename received

      Error: "PXE-E55 ProxyDHCP: No reply to request on port 4011"


    8. At this point if there is no LANDESK agent record in the devices list on the core server, the MAC address of this client will now show up in the LDMS console.  This can be used to target tasks to the client computer.

    9. A normal Network Boot process should resemble the following:

      DHCP operations fall into four phases: Server Discovery, IP Lease Offer, IP Request, and IP Lease acknowledgement.

      Line 3: (Boot request) The client does the Discovery phase by broadcasting on the network subnet using the destination address or the specific subnet broadcast address.
      Because the client is requesting an IP address through a network boot using a PXE enabled network card, the client will include DHCP Option 60 which includes the string "PXEClient:Arch:xxxxxUNDI:yyyzz"
      This message to the DHCP Server is known as a "Boot request" as it is using the BOOTP protocol.  Among the information it is requesting it is requesting the Boot File Size, and the Bootfile Name.

      Line 4: (Boot Reply)  The DHCP server receives the DHCPDISCOVER message from a client, which is an IP address lease request with an additional request for boot server details.
      The server reserves an IP address for the client and makes a lease by sending a DHCPOFFER message to the client.

      In this example the DHCP Relay Agent (on the router) responds on behalf of the DHCP server offering an IP Address for the Client, Server Address Details for the DHCP server (Next Server IP Address),
      and the address of the Relay agent (Router) address.  It also lists the Client MAC address.    (Note, if communicating directly with the DHCP server and not through a relay agent, there will be less DHCPOFFER entries)

      This message contains the clients, MAC address, the IP address the server is offering, the subnet mask, the lease duration, and the IP address of the DHCP server making the offer.

      At this point the client receives the boot information from the PXE proxy and tells the client to continue with a network boot:

      Line 5:
      The PXE Proxy intercepts the request for further boot details and sends the bootstrap information.  The bootstrap information is contained in the file \X86PC\UNDI\Bootstrap\Bstrap.0 on the PXE Representative.
      Highlighting "Boot file name: ..." in the Packet Details frame will reveal the details about the bootstrap menu.  In LANDESK Provisioning this is presented as the "F8" menu.
      After the user presses F8 the PXE boot menu is displayed:
      The boot menu is loaded from the file bootmenu.0

      After a selection is made, the client will attempt to download the proper boot file using the MTFTP protocol from the PXE representative.

      What can go wrong at this stage?  Error: "TFTP Timeout" when attempting to PXE Boot