HakTip 128 – Wireshark 101: The Dynamic Host Configuration Protocol

Today on HakTip, Shannon explains DHCP and how it relates to Wireshark.


DHCP stands for Dynamic Host Configuration Protocol, and it’s a common upper-layer protocol. DHCP makes it super easy for devices to get an IP address automatically. DHCP’s goal is to assign addresses to clients during this thing called a ‘renewal process’.

In Wireshark, the DHCP fields you’ll see, in order, are:

- OpCode – shows you whether it’s a request or a reply.
- Hardware type (like whether it’s Ethernet).
- Hardware address length – the length of the hardware address.
- Hops – used by relay agents to assist in finding a DHCP server.
- Transaction ID – pairs requests with their responses.
- Seconds Elapsed – how long it’s been since the client first requested the address from a DHCP server.
- Flags – what kind of traffic this DHCP client can accept.
- Client IP address (you!).
- Your IP address – the address being handed to the client.
- Server IP address.
- Gateway IP address.
- Client hardware address (MAC).
- Server Host Name.
- Boot File.
- Options.

The Renewal Process, mentioned earlier, has four parts, called DORA for short, which include: Discover, Offer, Request, and Acknowledgement.

The Discover part of this packet list is called that because you as the client are trying to ‘discover’ a DHCP server by broadcasting to your entire network. You’ll also notice at this stage that you don’t have an IP address – it’ll just be 0.0.0.0. Your discover packet will say Boot Request (1) in the Message type area, the address fields will say 0.0.0.0, and there’s a bunch of info in the Options area.

It says it’s a DHCP Discover packet, then you have a client identifier, the requested IP address, and a Parameter Request List, which lists the other items the client wants to know from the DHCP server, like the IP addresses of other stuff on the network.

The next packet, the Offer, is from the DHCP server to the client. It’s as if the server is ‘offering to communicate and give the client an IP address’. But how does it find the client? With its hardware MAC address! Yay ARP! This time the packet is a reply. Under Options, you’ll see it’s listed as a DHCP Offer, with a subnet mask, a renewal time, a rebinding time, an IP address lease time, and an identifier for the server.

From here you will send out a request packet. This packet tells the server that the client approves the info offered up. This one still has 0.0.0.0 as the client IP address because you haven’t completed the acceptance yet, and the Options will say DHCP Request.

Finally, you’ll see an acknowledgement packet, which is sent from the server with the new IP address for the client, and then that new IP address is finally recorded in its database.

Back when we mentioned that lease time thing, that has to do with a packet called an “In-Lease Renewal”. When the client has used an IP address for the allotted amount of time, it must tell the server it wants an in-lease renewal. This starts a truncated version of the DORA exchange.

Lastly, a note on the DHCP options. You can find a listing of these at the IANA.org website along with the Bootstrap protocol parameters (Bootstrap was used back in the day to assign IPs to devices before DHCP was created). If you scroll down to Options, there are mainly 8 of them that you might see in Wireshark. These are pretty self-explanatory so I won’t go into details.
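To tie the field list, the DORA walkthrough and the options note together, here is an added example (not from the episode, and not Wireshark code) that decodes the same fixed BOOTP header fields Wireshark shows and then walks the options list, naming the ones the episode mentions (message type, requested address, parameter request list, subnet mask, lease, renewal and rebinding times, server identifier). The two sample packets, a Discover and the matching Offer, are constructed inline for the example; the MAC, transaction ID and addresses in them are made up. The `build_message` helper exists only to assemble that sample input.

```python
import struct
import ipaddress

# Option codes as listed in the IANA "BOOTP and DHCP Parameters" registry.
DHCP_OPTION_NAMES = {
    1: "Subnet Mask", 50: "Requested IP Address", 51: "IP Address Lease Time",
    53: "DHCP Message Type", 54: "Server Identifier", 55: "Parameter Request List",
    58: "Renewal Time Value", 59: "Rebinding Time Value", 61: "Client Identifier",
}
# Option 53 values: the four DORA stages plus the other registered message types.
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options area


def _decode_option(code, data):
    """Turn raw option bytes into the value Wireshark would display."""
    if code == 53:
        return MESSAGE_TYPES.get(data[0], data[0])
    if code in (1, 50, 54):
        return str(ipaddress.IPv4Address(data))
    if code in (51, 58, 59):
        return struct.unpack("!I", data)[0]   # seconds
    if code == 55:
        return list(data)                      # option codes the client asks for
    return data.hex()


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed header and the options of one DHCP message (UDP payload)."""
    if len(payload) < 240:
        raise ValueError("too short for a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in (12, 16, 20, 24)]
    chaddr = payload[28:28 + hlen]
    sname = payload[44:108].split(b"\x00", 1)[0].decode(errors="replace")
    bootfile = payload[108:236].split(b"\x00", 1)[0].decode(errors="replace")
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    msg = {
        "op": "Boot Reply" if op == 2 else "Boot Request",
        "hardware_type": "Ethernet" if htype == 1 else htype,
        "hardware_address_length": hlen,
        "hops": hops,
        "transaction_id": f"0x{xid:08x}",
        "seconds_elapsed": secs,
        "broadcast_flag": bool(flags & 0x8000),
        "client_ip": addrs[0], "your_ip": addrs[1],
        "server_ip": addrs[2], "gateway_ip": addrs[3],
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "server_host_name": sname, "boot_file": bootfile,
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:          # pad option, no length byte
            i += 1
            continue
        if code == 255:        # end option
            break
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        msg["options"][DHCP_OPTION_NAMES.get(code, f"Option {code}")] = _decode_option(code, data)
        i += 2 + length
    return msg


def build_message(op, xid, mac, options, yiaddr="0.0.0.0", siaddr="0.0.0.0", flags=0):
    """Assemble a minimal DHCP message; used here only to construct sample input."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, flags)
    header += b"".join(ipaddress.IPv4Address(a).packed
                       for a in ("0.0.0.0", yiaddr, siaddr, "0.0.0.0"))
    header += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")   # chaddr
    header += b"\x00" * 64 + b"\x00" * 128 + MAGIC_COOKIE              # sname, file
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return header + body + b"\xff"


# Constructed samples: a client's Discover (broadcast flag set) and the server's Offer.
SAMPLE_DISCOVER = build_message(1, 0x3903F326, "00:0b:82:01:fc:42", [
    (53, b"\x01"),
    (61, b"\x01" + bytes.fromhex("000b8201fc42")),
    (50, ipaddress.IPv4Address("192.168.0.10").packed),
    (55, bytes([1, 3, 6, 15])),
], flags=0x8000)
SAMPLE_OFFER = build_message(2, 0x3903F326, "00:0b:82:01:fc:42", [
    (53, b"\x02"),
    (1, ipaddress.IPv4Address("255.255.255.0").packed),
    (58, struct.pack("!I", 1800)),
    (59, struct.pack("!I", 3150)),
    (51, struct.pack("!I", 3600)),
    (54, ipaddress.IPv4Address("192.168.0.1").packed),
], yiaddr="192.168.0.10", siaddr="192.168.0.1")

if __name__ == "__main__":
    for pkt in (SAMPLE_DISCOVER, SAMPLE_OFFER):
        parsed = parse_dhcp(pkt)
        print(parsed["op"], parsed["options"]["DHCP Message Type"], parsed)
```

Feeding each packet to `parse_dhcp` gives back the same things the episode points at in Wireshark: the Discover is a Boot Request with 0.0.0.0 in every address field and its Message Type option reads Discover; the Offer is a Boot Reply whose Your IP address field carries the address being handed out, with the lease, renewal and rebinding times and the server identifier in the options. The shared transaction ID is what lets you pair the two in a capture (in Wireshark the display filter `dhcp`, or `bootp` in older releases, shows just this traffic).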

Let me know what you think. Send me a comment below or email us at [email protected]. And be sure to check out our sister show, Hak5 for more great stuff just like this. I’ll be there, reminding you to trust your technolust.
