Wireshark 101: The Dynamic Host Configuration Protocol, HakTip 128

  • Published on 22 Jan 2015
  • Hak5 -- Cyber Security Education, Inspiration, News & Community since 2005:
    ____________________________________________
    Today on HakTip, Shannon explains DHCP and how it relates to Wireshark.
    DHCP stands for Dynamic Host Configuration Protocol, and it's a common upper-layer protocol (it rides on UDP, with clients on port 68 and servers on port 67). DHCP makes it super easy for devices to get an IP address automatically. DHCP's goal is to hand addresses out to clients as time-limited leases, through a short exchange of packets; the same exchange, shortened, is what runs again later in the 'renewal process'.
    In Wireshark, first we have OpCode, which shows you whether it's a request (1) or a reply (2). Then Hardware type (1 for Ethernet), the Hardware address length (6 for a MAC), Hops (0 when the client sends it; each DHCP relay agent the packet passes through adds one, which is how relays help a client reach a DHCP server on another subnet), a Transaction ID (a random number the client picks to pair requests with responses; it is meant to stay the same through the whole exchange, though some clients pick a fresh one for the Request), Seconds Elapsed (how long the client has been trying to get or renew an address), then Flags (really just one bit, the broadcast flag, which tells the server whether this client needs its replies broadcast because it can't yet receive unicast IP traffic), Client IP address (ciaddr: the address the client already has, 0.0.0.0 unless it is renewing), Your IP address (yiaddr: 'your' from the server's point of view, this is the address the server is offering or assigning to the client), the Server IP address (siaddr: the next server to use in the boot process, often 0.0.0.0 or the DHCP server itself; the Server Identifier option is the reliable way to tell which server answered), Gateway IP address (giaddr: the relay agent's address, not your default gateway, which arrives as the Router option), Client hardware address (your MAC), the Server Host Name, Boot File, and Options.
    That exchange has four parts, called DORA for short: Discover, Offer, Request, and Acknowledgement. It's what you'll capture when a client first joins a network (or has let its lease expire).
    The Discover packet is called that because you, as the client, are trying to 'discover' a DHCP server: you broadcast it to 255.255.255.255 (it's a broadcast, not a ping; Wireshark shows it as UDP from 0.0.0.0 port 68 to 255.255.255.255 port 67) so every DHCP server on the segment hears it. You'll also notice at this stage that you don't have an IP address; the address fields just say 0.0.0.0. Your Discover packet will say Boot Request (1) in the Message type area, and there's a bunch of info in the Options area.
    It says it's a DHCP Discover (option 53), then you have a client identifier (option 61, usually your MAC), often a requested IP address (option 50, the last address this client had), and a Parameter Request List (option 55) naming the other things the client wants the server to tell it, like the subnet mask, the router, and the DNS servers.
    The next packet, the Offer, is from the DHCP server to the client. It's as if the server is 'offering to communicate and give the client an IP address'; the offered address sits in the Your IP address field. But how does it reach a client that has no IP address? With the client's MAC address, but not with ARP: the server takes the MAC straight from the Client hardware address field of the Discover and sends the frame to it (or broadcasts it if the client set the broadcast flag, which is why some captures show the Offer and ACK unicast and others broadcast). This time the packet is a reply. Under Options, you'll see it's listed as a DHCP Offer, with a subnet mask, a renewal time (T1), a rebinding time (T2), an IP address lease time, and a server identifier (option 54), the server's IP, which is how the client tells offers from different servers apart.
    From here you will send out a Request packet. This packet tells the server that the client accepts the info offered up. It's broadcast again, so every server that made an offer hears which one was picked: the requested IP address (option 50) and server identifier (option 54) name the chosen offer, and the other servers take theirs back. This one still has 0.0.0.0 as the Client IP address because you haven't completed the acceptance yet, and the Options will say DHCP Request.
    Finally, you'll see an Acknowledgement packet, sent from the server with the new IP address for the client in Your IP address (along with the same subnet mask, router, DNS and lease time options as the Offer), and then that lease is finally recorded in the server's database. The client is supposed to ARP-probe the address before using it; if someone already answers, it sends a DHCP Decline and starts over.
    Back when we mentioned that lease time thing, that has to do with a shorter exchange called an "In-Lease Renewal". When the client has used an address for an allotted amount of time (the renewal time, T1, by default half the lease), it must ask the server to extend the lease. This'll start a truncated version of the DORA packets: just a Request, sent unicast straight to the server that handed out the lease with the Client IP address field filled in, and an ACK back. If that server doesn't answer by the rebinding time (T2), the client broadcasts the Request so any server can extend the lease, and if the lease runs out with no answer the client drops its address and starts DORA from scratch.
    Lastly, a note on the DHCP options. You can find a listing of these at the IANA.org website, filed together with the Bootstrap Protocol (BOOTP) parameters: BOOTP was used back in the day to assign IPs to devices before DHCP was created, and DHCP is built on top of it and reuses its packet format, which is why the fixed fields above carry BOOTP names (and why older Wireshark versions filter DHCP traffic with bootp where current ones use dhcp; udp.port == 67 works in either). Of all the options in that list, only a handful turn up in an everyday capture: message type, subnet mask, router, DNS server, lease time, renewal and rebinding time, server identifier, requested IP address, parameter request list, and client identifier. These are pretty self-explanatory, so I won't go into details.
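
The exchange described above, worked through in code. This is an added example and not part of the video or of any Hak5 tool: a small Python script (standard library only) that builds and parses DHCP messages with the same field layout Wireshark shows, runs the four DORA packets and the two-packet in-lease renewal, and prints the fields and options each one carries. The MAC, server and offered addresses, lease timers and transaction IDs are constructed sample values, not taken from a real capture; the addressing strings describe RFC 2131 behaviour with the broadcast flag clear.

```python
import struct
import ipaddress

# Fixed BOOTP header that DHCP inherited (236 bytes): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"
MAGIC = b"\x63\x82\x53\x63"    # magic cookie that separates the header from the options
BROADCAST = 0x8000              # the only defined bit in the flags field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build(op, xid, chaddr, ciaddr="0.0.0.0", yiaddr="0.0.0.0", siaddr="0.0.0.0",
          giaddr="0.0.0.0", flags=0, secs=0, options=()):
    """Serialise one DHCP message: header, cookie, (code, value) options, END marker."""
    header = struct.pack(HEADER, op, 1, 6, 0, xid, secs, flags,   # htype 1 = Ethernet, hlen 6
                         ip4(ciaddr), ip4(yiaddr), ip4(siaddr), ip4(giaddr),
                         mac_bytes(chaddr).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC + body + b"\xff"


def parse(raw):
    """Decode the fields Wireshark lists under 'Dynamic Host Configuration Protocol'."""
    f = struct.unpack(HEADER, raw[:236])
    if raw[236:240] != MAGIC:
        raise ValueError("no DHCP magic cookie: plain BOOTP or a truncated packet")
    msg = {"op": "Boot Request (1)" if f[0] == 1 else "Boot Reply (2)",
           "xid": f[4], "secs": f[5], "broadcast": bool(f[6] & BROADCAST),
           "ciaddr": str(ipaddress.IPv4Address(f[7])), "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "siaddr": str(ipaddress.IPv4Address(f[9])), "giaddr": str(ipaddress.IPv4Address(f[10])),
           "chaddr": f[11][:f[2]].hex(":"), "options": {}}
    i = 240
    while i < len(raw) and raw[i] != 255:       # 255 = END
        if raw[i] == 0:                          # 0 = PAD, carries no length byte
            i += 1
            continue
        code, length = raw[i], raw[i + 1]
        msg["options"][code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    msg["type"] = MSG_TYPES.get(msg["options"].get(53, b"\0")[0], "?")
    return msg


def dora(client_mac, server_ip, offered_ip, mask="255.255.255.0", xid=0x3903F326):
    """Initial lease: the four packets a client with no address exchanges with a server.
    Returns (name, addressing, raw packet) per step. Addressing is RFC 2131 behaviour with
    the broadcast flag clear: the server unicasts straight to the client's MAC, no ARP."""
    cid = b"\x01" + mac_bytes(client_mac)            # option 61: hardware type + MAC
    config = [(1, ip4(mask)), (3, ip4(server_ip)), (6, ip4(server_ip)), (54, ip4(server_ip)),
              (51, struct.pack("!I", 86400)),        # lease time, 24 h
              (58, struct.pack("!I", 43200)),        # T1 renewal time, 50 % of the lease
              (59, struct.pack("!I", 75600))]        # T2 rebinding time, 87.5 % of the lease
    return [
        ("DISCOVER", "client MAC -> ff:ff:ff:ff:ff:ff, 0.0.0.0:68 -> 255.255.255.255:67",
         build(1, xid, client_mac, options=[(53, b"\x01"), (61, cid), (55, bytes([1, 3, 6, 15]))])),
        ("OFFER", f"server MAC -> client MAC, {server_ip}:67 -> {offered_ip}:68",
         build(2, xid, client_mac, yiaddr=offered_ip, siaddr=server_ip, options=[(53, b"\x02")] + config)),
        # REQUEST is broadcast again so every server that offered learns which one was chosen.
        ("REQUEST", "client MAC -> ff:ff:ff:ff:ff:ff, 0.0.0.0:68 -> 255.255.255.255:67",
         build(1, xid, client_mac, options=[(53, b"\x03"), (50, ip4(offered_ip)), (54, ip4(server_ip)), (61, cid)])),
        ("ACK", f"server MAC -> client MAC, {server_ip}:67 -> {offered_ip}:68",
         build(2, xid, client_mac, yiaddr=offered_ip, siaddr=server_ip, options=[(53, b"\x05")] + config)),
    ]


def renew(client_mac, client_ip, server_ip, xid=0x3903F327):
    """In-lease renewal at T1: a unicast REQUEST with ciaddr filled in, answered by an ACK.
    No DISCOVER/OFFER, and per RFC 2131 no option 50/54 in a renewing REQUEST."""
    cid = b"\x01" + mac_bytes(client_mac)
    return [
        ("REQUEST", f"client MAC -> server MAC, {client_ip}:68 -> {server_ip}:67",
         build(1, xid, client_mac, ciaddr=client_ip, options=[(53, b"\x03"), (61, cid)])),
        ("ACK", f"server MAC -> client MAC, {server_ip}:67 -> {client_ip}:68",
         build(2, xid, client_mac, ciaddr=client_ip, yiaddr=client_ip,
               options=[(53, b"\x05"), (54, ip4(server_ip)), (51, struct.pack("!I", 86400))])),
    ]


if __name__ == "__main__":
    # Constructed sample values, not from a real capture.
    steps = dora("00:0c:29:3e:2f:a1", "192.168.1.1", "192.168.1.50")
    steps += renew("00:0c:29:3e:2f:a1", "192.168.1.50", "192.168.1.1")
    for name, path, raw in steps:
        m = parse(raw)
        print(f"{name:8} {m['op']:16} xid=0x{m['xid']:08x} ciaddr={m['ciaddr']:13} "
              f"yiaddr={m['yiaddr']:13} opts={sorted(m['options'])}  [{path}]")
```

Run it and compare the printed ciaddr/yiaddr/opts columns with a real capture filtered on dhcp (bootp in older Wireshark): the Discover and Request should show ciaddr 0.0.0.0, the Offer and ACK should carry the address in yiaddr, and the renewal Request is the only client packet with ciaddr filled in and no option 50 or 54.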
    Let me know what you think. Send me a comment below or email us at tips@hak5.org. And be sure to check out our sister show, Hak5 for more great stuff just like this. I'll be there, reminding you to trust your technolust.
    Founded in 2005, Hak5's mission is to advance the InfoSec industry. We do this through our award winning educational podcasts, leading pentest gear, and inclusive community - where all hackers belong.
  • Science & Technology

Comments • 13

  • @GrantJohnsonUK 9 years ago +1

    This is a great overview of DHCP, going to use it with my students! Particularly like the use of Wireshark to break apart the packet and detail the conversation between client and server. Thanks!

  • @mohammadtaslimmajid8490 7 years ago +1

    Please explain, for DHCP Discover, Offer, Request and ACK: what should the source and destination MACs be in each case?

  • @darrincalcutt8332 4 years ago +1

    So, you're not telling how your connection to the Ethernet was made to collect all the DHCP packets. I'm assuming you need to be connected to the router directly? 'Cause I'm not getting everything.

  • @ruchit8762 8 years ago +2

    Isn't the transaction ID changing for Request and ACK, contrary to what's been said, that the transaction ID doesn't change?

  • @dhhsncnd6107 8 years ago

    Why is the broadcast address not used in the Discover, Offer and ACK messages in this case? Is there any new change to DHCP?

  • @66metal666head66 4 years ago

    Thanks... this helped me with my homework.

  • @thetechfirm 9 years ago

    Another helpful post, well done.
    FYI... if you want to create a DHCP filter, type bootp in the display filter dialogue box.

  • @ramiroalmanza3618 9 years ago

    Wow, Shannon really knows her stuff, lol. Great job.

  • @tcao1k 6 years ago

    Hi Hak5, could you please include a topology of where you capture the packets? At the host interface, or at the router connected to the DHCP server? Since the DHCP Discover header field data are different between the client vs. the router and DHCP server. In your case, it looks like you captured on the client side. Please include a topology when you capture packets, since it is important! Thanks.