Dynamic Host Configuration Protocol (DHCP)
DHCP is a network protocol used to configure IP networks. A DHCP server listens on UDP port 67 and dynamically assigns IP addresses and other network parameters to DHCP clients. These clients listen for responses on UDP port 68.
The protocol has four phases:
- Discovery:
A client sends a broadcast to the entire network, asking for an IP address.
- Offer:
A DHCP server on the network may choose to respond. It will broadcast the offer to the entire network. This is to ensure other DHCP servers know that someone else has taken the request.
- Request:
The client then sends a request to the DHCP server that responded and asks for the IP and configuration that was offered.
- Acknowledge/Reply:
The DHCP server can acknowledge this request and confirm the IP address and configuration of the client. This response will also contain the lease time of the given IP. After the lease time, the client will have to send another request.
Capturing DHCP traffic
Tools such as tcpdump can be used to capture network traffic. The following captures all traffic on network interface em3 that is addressed to UDP port 67.
[root@master ~]# tcpdump -i em3 udp port 67
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:52.571789 IP b093.mgmt.bootpc > master.mgmt.bootps: BOOTP/DHCP, Request from 7c:d3:0a:c7:22:a4 (oui Unknown), length 291
11:03:53.813066 IP b145.mgmt.bootpc > master.mgmt.bootps: BOOTP/DHCP, Request from 7c:d3:0a:c6:55:a2 (oui Unknown), length 291
11:03:53.813450 IP master.mgmt.bootps > b145.mgmt.bootpc: BOOTP/DHCP, Reply, length 300
11:03:55.166984 IP g003.mgmt.bootpc > master.mgmt.bootps: BOOTP/DHCP, Request from 84:7b:eb:f4:fc:76 (oui Unknown), length 291
11:03:55.167337 IP master.mgmt.bootps > g003.mgmt.bootpc: BOOTP/DHCP, Reply, length 300
...
Port numbers below 1024 have registered names that are defined by the IANA. You can find these named ports in the /etc/services file on Linux systems. There you will find that port 67 has the name bootps (Bootstrap Protocol Server), while port 68 has the name bootpc (Bootstrap Protocol Client). BOOTP (Bootstrap Protocol) was the predecessor of DHCP.
[root@master ~]# grep " 67/udp" /etc/services
bootps 67/udp
[root@master ~]# grep " 68/udp" /etc/services
bootpc 68/udp dhcpc
For this reason, you can use tcpdump as follows:
[root@master ~]# tcpdump -i em3 port bootps
To learn more about each packet, tcpdump can also decode some of the protocols when you add the -v or -vv flags. By adding the -n flag you will see numeric IP addresses instead of the resolved DNS names.
[root@master ~]# tcpdump -i em3 port bootps -vn
tcpdump: listening on em3, link-type EN10MB (Ethernet),
...
14:09:55.640036 IP (tos 0x0, ttl 64, id 12964, offset 0, flags [DF], proto UDP (17), length 319)
    192.168.4.109.bootpc > 192.168.0.1.bootps: BOOTP/DHCP, Request from 7c:d3:0a:c7:3a:50, length 291, xid 0xf049e165, Flags [none]
      Client-IP 192.168.4.109
      Client-Ethernet-Address 7c:d3:0a:c7:3a:50
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: Request
        Client-ID Option 61, length 7: ether 7c:d3:0a:c7:3a:50
        MSZ Option 57, length 2: 576
        Parameter-Request Option 55, length 10:
          Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
          Domain-Name, BR, NTP, Vendor-Option
          Classless-Static-Route, Classless-Static-Route-Microsoft
        Vendor-Class Option 60, length 5: "iDRAC"
        Hostname Option 12, length 13: "idrac-XZY"
14:09:55.640445 IP (tos 0x0, ttl 64, id 58751, offset 0, flags [DF], proto UDP (17), length 328)
    192.168.0.1.bootps > 192.168.4.109.bootpc: BOOTP/DHCP, Reply, length 300, xid 0xf049e165, Flags [none]
      Client-IP 192.168.4.109
      Your-IP 192.168.4.109
      Server-IP 192.168.16.1
      Client-Ethernet-Address 7c:d3:0a:c7:3a:50
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: 192.168.0.1
        Lease-Time Option 51, length 4: 1200
        Subnet-Mask Option 1, length 4: 255.255.240.0
        Default-Gateway Option 3, length 4: 192.168.0.1
        Domain-Name-Server Option 6, length 4: 192.168.0.1
        Hostname Option 12, length 4: "b109"
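The fields tcpdump decodes in the verbose capture above come from a fixed 236-byte BOOTP header, the magic cookie 0x63825363, and a list of type-length-value options. The following Python code is an added example, not part of the original page: it parses such a UDP payload and rejects a missing cookie or an option that runs past the end of the packet. The names parse_dhcp and sample_ack are chosen here, and the sample packet is constructed from the values of the ACK shown above.

```python
import struct
from socket import inet_aton, inet_ntoa

MAGIC_COOKIE = bytes.fromhex("63825363")
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}
IP_OPTS = {1: "Subnet-Mask", 3: "Default-Gateway", 6: "Domain-Name-Server", 54: "Server-ID"}

def parse_dhcp(payload: bytes) -> dict:
    """Decode the UDP payload of a BOOTP/DHCP message into named fields."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not DHCP: too short or magic cookie missing")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    msg = {"op": {1: "Request", 2: "Reply"}.get(op, op), "xid": hex(xid),
           "Client-IP": inet_ntoa(payload[12:16]), "Your-IP": inet_ntoa(payload[16:20]),
           "Server-IP": inet_ntoa(payload[20:24]),
           "Client-Ethernet-Address": payload[28:28 + min(hlen, 16)].hex(":")}
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = End option
        code = payload[i]
        if code == 0:                                # Pad: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError(f"option {code} runs past the end of the packet")
        val = payload[i + 2:i + 2 + payload[i + 1]]
        if code == 53 and len(val) == 1:
            msg["DHCP-Message"] = MSG_TYPES.get(val[0], val[0])
        elif code == 51 and len(val) == 4:
            msg["Lease-Time"] = int.from_bytes(val, "big")
        elif code == 12:
            msg["Hostname"] = val.decode("ascii", "replace")
        elif code in IP_OPTS and len(val) % 4 == 0:
            msg[IP_OPTS[code]] = [inet_ntoa(val[j:j + 4]) for j in range(0, len(val), 4)]
        else:
            msg[f"Option-{code}"] = val.hex()        # not decoded here: keep raw bytes
        i += 2 + len(val)
    return msg

def sample_ack() -> bytes:  # constructed packet with the values of the ACK in the capture
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0xF049E165, 0, 0)
    hdr += inet_aton("192.168.4.109") * 2 + inet_aton("192.168.16.1") + bytes(4)
    hdr += bytes.fromhex("7cd30ac73a50").ljust(16, b"\0") + bytes(192)  # chaddr, sname, file
    opts = b"".join(bytes([c, len(v)]) + v for c, v in [
        (53, b"\x05"), (54, inet_aton("192.168.0.1")), (51, struct.pack("!I", 1200)),
        (1, inet_aton("255.255.240.0")), (3, inet_aton("192.168.0.1")),
        (6, inet_aton("192.168.0.1")), (12, b"b109")])
    return (hdr + MAGIC_COOKIE + opts + b"\xff").ljust(300, b"\0")

if __name__ == "__main__":
    print(parse_dhcp(sample_ack()))
```

Comparing the Server-ID value returned for each Reply against the addresses of the DHCP servers you operate is a simple way to spot an unexpected server answering on the segment.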