DHCP protocol decoding

I. Introduction to DHCP protocol

DHCP, full name: Dynamic Host Configuration Protocol, Chinese name: Dynamic Host Configuration Protocol, its predecessor is BOOTP, it works at the OSI application layer, it is a proprietary protocol that helps computers obtain their configuration information from a specified DHCP server.

DHCP uses the Client/Server mode. The computer requesting configuration information is called the DHCP client, and the server providing information is called DHCP. DHCP can assign addresses to clients in three ways: manual configuration, automatic configuration, and dynamic configuration.

The most important function of DHCP is dynamic allocation. In addition to IP addresses, DHCP groups also provide other configuration information for clients, such as subnet masks. This allows the client to automatically configure the network connection without manual operation.

1. DHCP workflow

Discovery stage: the stage in which the DHCP Client searches for the DHCP server. The DHCP Client sends DHCP discover discovery information to the DHCP server in broadcast mode (because the IP address of the DHCP server is unknown to the client), that is, it sends specific broadcast information to the IP address 255.255.255.255. Each host installed with the TCP/IP protocol on the network will receive this broadcast information, but only the DHCP server will respond.

The provision phase, that is, the IP address provided by the DHCP server. The DHCP server that receives the DHCP discover discovery information in the network will respond, it selects a DHCP client from the IP address that has not been rented, send an IP address that contains the lease and other DHCP offer settings to the DHCP client.

Select phase, that is, the IP address of a DHCP server selected by the DHCP client. If Multiple DHCP servers provide information to DHCP offer, the DHCP client accepts only the information provided by the first DHCP offer, then, it answers a DHCP request information in broadcast mode, which contains the content that requests IP addresses from the selected DHCP server. The answer is broadcast to notify all DHCP servers that they will select the IP address provided by a DHCP server.

The validation phase, that is, the phase in which the DHCP server confirms the IP address provided. When the DHCP server receives the DHCP request from the DHCP client, it sends a DHCP ack confirmation message containing the IP address provided by the DHCP Client and other settings to the DHCP client, the IP address provided by the DHCP client. Then, the DHCP client binds the TCP/IP protocol to the NIC. In addition, all the DHCP servers except the selected server of the DHCP client will reclaim the IP address.

After the DHCP Client re-logs on to the network, it does not need to send the DHCP discover discovery information. Instead, it directly sends the DHCP request information containing the previous IP address. When the DHCP server receives this information, it will attempt to allow the DHCP client to continue using the original IP address and answer a DHCP ack confirmation message. If the IP address cannot be assigned to the original DHCP Client for use (this IP address has been assigned to other DHCP clients), the DHCP server returns a DHCP Nack denial message to the DHCP client. When the original DHCP client receives the DHCP Nack denied information, it must resend the DHCP discover information to request a new IP address.

Update the lease. The IP address rented by the DHCP server to the DHCP Client generally has a lease term. After the lease term expires, the DHCP server will reclaim the IP address. If the DHCP Client wants to extend its IP lease, it must update its IP lease. When a DHCP Client is started and half of the IP Lease Term expires, the DHCP Client automatically sends an update message to the DHCP server.

2. DHCP packet format

Let's introduce the DHCP packet format, 1,

OP (1)	Htype (1)	Hlen (1)	Hops (1)
Transaction ID (4)
Seconds (2)		Flags (2)
Ciaddr (4)
Yiaddr (4)
Siaddr (4)
Giaddr (4)
Chaddr (16)
Sname (64)
File (128)
Options (variable)

(Figure 1 DHCP packet format)

L op: if the client sends a packet to the server, set it to 1 and reverse to 2;

L htype: hardware type, Ethernet is 1;

L hlen: hardware length. The Ethernet value is 6;

L hops: if the data packet needs to be transmitted through the router, 1 is added for each site. If the data packet is in the same network, the value is 0;

L transaction ID: Transaction ID, which is a random number used to match requests and messages between the customer and the server;

L seconds: the time specified by the user. It refers to the time after the address is obtained and updated;

L flags: from 0 to 15 bits, when the leftmost bit is 1, the server sends packets to the client in broadcast mode, and the rest are not used yet;

L ciaddr: user IP address;

L yiaddr: the customer's IP address;

L siaddr: IP Address used in the bootstrap process;

L giaddr: IP address of the forwarding proxy (GATEWAY;

L chaddr: client hardware address;

L sname: name of an optional server, ending with 0x00;

L file: the Startup File Name;

L options:, vendor ID, optional parameter field

Ii. decoding information

Through the DHCP workflow, we know that the DHCP client has four types of packets (dhcpdiscovery, dhcpoffer, dhcprequest, dhcpack) in the four phases of obtaining configuration information from the DHCP server ). Let's take a look at the decoded content of 4 packets respectively:

1. discovery phase

Use the kicloudcli network analysis system to capture DHCP discovery packets, 2,

(Figure 2 DHCP discovery packet decoding)

Figure 2 shows the decoding information of the DHCP discovery package. Because DHCP is an extension of BOOTP, It is DHCP compatible with BOOTP. We can see the decoding of BOOTP and DHCP.

2. Provision phase

Use the Kto network analysis system to capture DHCP offer packets,

(Figure 3 DHCP offer packet decoding)

3. Select phase

Use the kicloudcli network analysis system to capture DHCP request packets, 4,

(Figure 4 DHCP Request Packet decoding)

4. validation phase

Use kolai's network analysis system to capture dhcp ack packets,

(Figure 5 dhcp ack packet decoding)

The preceding four types of data packets are used for DHCP. Each type of data packet is different.