Thread: Finding MAC
2005-11-14
Avertive

This is the oddest thing...my log files continue to grow showing the dhcp traffic (no IP as source, 255.255.255.255 broadcast as destination; udp/67) yet my tcpdump doesn't catch it.

This is what my dump looks like:
[Expert@fw1]# tcpdump -n -e -i eth1 udp port 67

I've also tried:
[Expert@fw1]# tcpdump -n -e -i eth1 host 255.255.255.255

The servers are connected to the same switch as the firewall, but listing the arp table via 'arp -a' won't tell me which MAC is doing the dhcp broadcasts.

I've just installed an IDS on this segment so I should be able to track it down with it, although I really hoped I could with the firewall. I'm still baffled why my tcpdump doesn't see it. Any other ideas how the firewall might get this information?
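Added example, not part of the original post: when a capture taken with -e does contain the broadcasts described above (no source IP, destination 255.255.255.255, udp/67), the sender's MAC is the first address in the link-level header. This Python script tallies those source MACs and flags frames whose BOOTP client hardware address differs from the Ethernet source; the sample lines are constructed, and the line layout is assumed to follow tcpdump's usual Ethernet output.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Timestamp, then "Ethernet source > Ethernet destination," (printed because of -e).
LINK = re.compile(rf"^\S+ ({MAC}) > ({MAC}),", re.I)
# DHCP client broadcast: source 0.0.0.0 port 68, destination broadcast port 67.
CLIENT_BCAST = re.compile(r"\b0\.0\.0\.0\.68 > 255\.255\.255\.255\.67:")
# Client hardware address (chaddr) as tcpdump prints it in the BOOTP summary.
CHADDR = re.compile(rf"Request from ({MAC})", re.I)

# Constructed sample lines (assumed layout), not taken from the poster's network.
SAMPLE = """\
10:15:01.000001 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:aa:bb:01, length 300
10:15:01.200000 00:50:56:11:22:33 > 00:0c:29:aa:bb:01, ethertype IPv4 (0x0800), length 342: 192.0.2.1.67 > 192.0.2.50.68: BOOTP/DHCP, Reply, length 300
10:15:02.000000 00:0c:29:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype 802.1Q (0x8100), length 346: vlan 10, p 0, ethertype IPv4 (0x0800), 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:aa:bb:99, length 300
10:15:03.000000 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.50, length 46
10:15:05.000001 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:0c:29:aa:bb:01, length 300
"""

def dhcp_broadcasters(capture_text):
    """Map each Ethernet source MAC to its DHCP broadcast count and chaddr values."""
    seen = defaultdict(lambda: {"count": 0, "chaddr": set()})
    for line in capture_text.splitlines():
        link = LINK.match(line)
        if not link or not CLIENT_BCAST.search(line):
            continue  # not an Ethernet line, or not a DHCP client broadcast
        entry = seen[link.group(1).lower()]
        entry["count"] += 1
        chaddr = CHADDR.search(line)
        if chaddr:
            entry["chaddr"].add(chaddr.group(1).lower())
    return dict(seen)

def mismatched(seen):
    """Source MACs whose frames carried a different client hardware address."""
    return sorted(mac for mac, e in seen.items() if e["chaddr"] - {mac})

if __name__ == "__main__":
    result = dhcp_broadcasters(SAMPLE)
    for mac, entry in sorted(result.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{mac}  broadcasts={entry['count']}  chaddr={sorted(entry['chaddr'])}")
    print("chaddr differs from Ethernet source:", mismatched(result))
```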