Dynamic Host Configuration Protocol (DHCP)

DHCP is a network protocol used to configure IP networks. A DHCP server listens on UDP port 67 and dynamically assigns IP addresses and other network parameters to DHCP clients. These clients listen for responses on UDP port 68.

The protocol has four phases:

Discovery:

A client sends a broadcast to the entire network, asking for an IP address.

Offer:

A DHCP server on the network may choose to respond. It will broadcast the offer to the entire network. This is to ensure other DHCP servers know that someone else has taken the request.

Request:

The client then sends a request to the DHCP server that responded and asks for the IP and configuration that was offered.

Acknowledge/Reply:

The DHCP server can acknowledge this request and confirm the IP address and configuration of the client. This response will also contain the lease time of the given IP. After the lease time, the client will have to send another request.

Capturing DHCP traffic

Tools such as tcpdump can be used to capture network traffic. The following captures all traffic on network interface em3 that is addressed to UDP port 67.

[root@master ~]# tcpdump -i em3 udp port 67
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em3, link-type EN10MB (Ethernet), capture size 262144 bytes
11:03:52.571789 IP b093.mgmt.bootpc > master.mgmt.bootps: BOOTP/DHCP, Request from 7c:d3:0a:c7:22:a4 (oui Unknown), length 291
11:03:53.813066 IP b145.mgmt.bootpc > master.mgmt.bootps: BOOTP/DHCP, Request from 7c:d3:0a:c6:55:a2 (oui Unknown), length 291
11:03:53.813450 IP master.mgmt.bootps > b145.mgmt.bootpc: BOOTP/DHCP, Reply, length 300
11:03:55.166984 IP g003.mgmt.bootpc > master.mgmt.bootps: BOOTP/DHCP, Request from 84:7b:eb:f4:fc:76 (oui Unknown), length 291
11:03:55.167337 IP master.mgmt.bootps > g003.mgmt.bootpc: BOOTP/DHCP, Reply, length 300
...

Port numbers below 1024 have registered names that are defined by the IANA. You can find these named ports in the /etc/services file on Linux systems. There you will find that port 67 has the name bootps (Bootstrap Protocol Server), while port 68 has the name bootpc (Bootstrap Protocol Client). BOOTP (Bootstrap Protocol) was the predecessor of DHCP.

[root@master ~]# grep " 67/udp" /etc/services
bootps          67/udp
[root@master ~]# grep " 68/udp" /etc/services
bootpc          68/udp          dhcpc

Because tcpdump understands these service names, you can give the port by name instead of by number:

[root@master ~]# tcpdump -i em3 port bootps

To learn more about each packet, tcpdump can also decode some of the protocols when you add the -v or -vv flag. With the -n flag you will see numeric IP addresses instead of resolved DNS names.

[root@master ~]# tcpdump -i em3 port bootps -vn
tcpdump: listening on em3, link-type EN10MB (Ethernet),
...
14:09:55.640036 IP (tos 0x0, ttl 64, id 12964, offset 0, flags [DF], proto UDP (17), length 319)
    192.168.4.109.bootpc > 192.168.0.1.bootps: BOOTP/DHCP, Request from 7c:d3:0a:c7:3a:50, length 291, xid 0xf049e165, Flags [none]
       Client-IP 192.168.4.109
       Client-Ethernet-Address 7c:d3:0a:c7:3a:50
       Vendor-rfc1048 Extensions
         Magic Cookie 0x63825363
         DHCP-Message Option 53, length 1: Request
         Client-ID Option 61, length 7: ether 7c:d3:0a:c7:3a:50
         MSZ Option 57, length 2: 576
         Parameter-Request Option 55, length 10:
           Subnet-Mask, Default-Gateway, Domain-Name-Server, Hostname
           Domain-Name, BR, NTP, Vendor-Option
           Classless-Static-Route, Classless-Static-Route-Microsoft
         Vendor-Class Option 60, length 5: "iDRAC"
         Hostname Option 12, length 13: "idrac-XZY"
14:09:55.640445 IP (tos 0x0, ttl 64, id 58751, offset 0, flags [DF], proto UDP (17), length 328)
    192.168.0.1.bootps > 192.168.4.109.bootpc: BOOTP/DHCP, Reply, length 300, xid 0xf049e165, Flags [none]
       Client-IP 192.168.4.109
       Your-IP 192.168.4.109
       Server-IP 192.168.16.1
       Client-Ethernet-Address 7c:d3:0a:c7:3a:50
       Vendor-rfc1048 Extensions
         Magic Cookie 0x63825363
         DHCP-Message Option 53, length 1: ACK
         Server-ID Option 54, length 4: 192.168.0.1
         Lease-Time Option 51, length 4: 1200
         Subnet-Mask Option 1, length 4: 255.255.240.0
         Default-Gateway Option 3, length 4: 192.168.0.1
         Domain-Name-Server Option 6, length 4: 192.168.0.1
         Hostname Option 12, length 4: "b109"
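
The fields tcpdump prints above come from a fixed 236-byte BOOTP header, the magic cookie and a list of code/length/value options. The parser below is an added example, not part of the original page; the names parse_options and parse_dhcp are assumptions, and the sample packet is constructed from the values printed for the ACK above.

```python
import socket
import struct

MAGIC_COOKIE = 0x63825363          # first four bytes of the DHCP options field
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}

def parse_options(data: bytes) -> dict:
    """Walk the code/length/value option list that follows the magic cookie."""
    options, i = {}, 0
    while i < len(data) and data[i] != 255:      # 255 = End option
        if data[i] == 0:                         # 0 = Pad, a single byte
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError(f"option {data[i]} runs past the end of the packet")
        options[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return options

def parse_dhcp(payload: bytes) -> dict:
    """Decode a BOOTP/DHCP UDP payload into the fields tcpdump -v prints."""
    if len(payload) < 240:
        raise ValueError("shorter than the 236-byte BOOTP header plus cookie")
    if int.from_bytes(payload[236:240], "big") != MAGIC_COOKIE:
        raise ValueError("magic cookie missing: plain BOOTP or not DHCP")
    opts = parse_options(payload[240:])
    if len(opts.get(53, b"")) != 1:
        raise ValueError("DHCP-Message option 53 missing or malformed")
    hlen = min(payload[2], 16)       # hardware address length, capped at chaddr size
    return {
        "op": "Request" if payload[0] == 1 else "Reply",
        "xid": hex(int.from_bytes(payload[4:8], "big")),
        "client_ip": socket.inet_ntoa(payload[12:16]),     # ciaddr
        "your_ip": socket.inet_ntoa(payload[16:20]),       # yiaddr
        "server_ip": socket.inet_ntoa(payload[20:24]),     # siaddr
        "client_mac": payload[28:28 + hlen].hex(":"),      # chaddr
        "message_type": MESSAGE_TYPES.get(opts[53][0], "unknown"),
        "lease_time": int.from_bytes(opts[51], "big") if len(opts.get(51, b"")) == 4 else None,
        "hostname": opts.get(12, b"").decode("ascii", "replace"),
    }

# Constructed sample: the ACK from the capture above, rebuilt from its printed fields.
ip = socket.inet_aton
SAMPLE_ACK = (struct.pack("!BBBBIHH", 2, 1, 6, 0, 0xF049E165, 0, 0)
    + ip("192.168.4.109") * 2 + ip("192.168.16.1") + ip("0.0.0.0")
    + bytes.fromhex("7cd30ac73a50").ljust(208, b"\0") + struct.pack("!I", MAGIC_COOKIE)
    + bytes([53, 1, 5, 54, 4]) + ip("192.168.0.1") + bytes([51, 4]) + struct.pack("!I", 1200)
    + bytes([12, 4]) + b"b109" + bytes([255])).ljust(300, b"\0")
```

Calling parse_dhcp(SAMPLE_ACK) returns the same message type, lease time and addresses that tcpdump shows; a payload cut off in the middle of an option raises ValueError.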