Protocol Analysis-DHCP protocol decoding

Source: Internet
Author: User
[DHCP protocol Introduction]

DHCP (Dynamic Host Configuration Protocol) is the successor to BOOTP. It works at the OSI application layer and is a bootstrap protocol that helps computers obtain their configuration information from a specified DHCP server. DHCP uses the client/server model: the computer requesting configuration information is called the DHCP client, and the server providing it is called the DHCP server. DHCP can assign addresses to clients in three ways: manual configuration, automatic configuration, and dynamic configuration. The most important function of DHCP is dynamic allocation. In addition to IP addresses, DHCP packets also carry other configuration information for clients, such as subnet masks. This allows the client to configure its network connection automatically, without manual operation.

[DHCP workflow]

Discovery phase: the DHCP client searches for a DHCP server. Because the client does not know the IP address of the DHCP server, it sends a DHCP discover message in broadcast mode, that is, to the IP address 255.255.255.255. Every host on the network with the TCP/IP protocol installed receives this broadcast, but only DHCP servers respond.

Provision phase: the DHCP server offers an IP address. Each DHCP server on the network that receives the DHCP discover message responds: it selects an IP address that has not yet been leased and sends the DHCP client a DHCP offer message containing that IP address, the lease, and other settings.

Select phase: the DHCP client selects the IP address offered by one DHCP server. If multiple DHCP servers send DHCP offer messages, the DHCP client accepts only the first DHCP offer it receives. It then answers with a DHCP request message in broadcast mode, which contains the request for the IP address from the selected DHCP server. The answer is broadcast in order to notify all DHCP servers which server's IP address the client has selected.

Validation phase: the DHCP server confirms the IP address provided. When the DHCP server receives the DHCP request from the DHCP client, it sends the client a DHCP ack confirmation message containing the IP address it provided and other settings. The DHCP client then binds the TCP/IP protocol to the NIC. In addition, all DHCP servers other than the one selected by the DHCP client reclaim the IP addresses they offered.

Logging on again: after the DHCP client logs on to the network again, it does not need to send a DHCP discover message. Instead, it directly sends a DHCP request message containing its previous IP address. When the DHCP server receives this message, it tries to let the DHCP client continue using the original IP address and answers with a DHCP ack confirmation message. If the IP address can no longer be assigned to the original DHCP client (because it has been assigned to another DHCP client), the DHCP server returns a DHCP Nack denial message to the DHCP client. When the original DHCP client receives the DHCP Nack message, it must send a DHCP discover message again to request a new IP address.

Updating the lease: the IP address leased by the DHCP server to the DHCP client generally has a lease term. After the lease term expires, the DHCP server reclaims the IP address. If the DHCP client wants to extend its IP lease, it must update the lease. When a DHCP client is started, and when half of the IP lease term has expired, the DHCP client automatically sends an update message to the DHCP server.

[DHCP packet format]

The DHCP packet format is shown in Figure 1. The number in parentheses after each field is its length in bytes.

OP (1) Htype (1) Hlen (1) Hops (1)
Transaction ID (4)
Seconds (2) Flags (2)
Ciaddr (4)
Yiaddr (4)
Siaddr (4)
Giaddr (4)
Chaddr (16)
Sname (64)
File (128)
Options (variable)

(Figure 1 DHCP packet format)

OP: set to 1 when the client sends a packet to the server, and to 2 in the reverse direction.
htype: hardware type; 1 for Ethernet.
hlen: hardware address length; 6 for Ethernet.
hops: incremented by 1 at each router the packet passes through; 0 if the packet stays within the same network.
transaction ID: a random number used to match requests and the corresponding responses between the client and the server.
seconds: a time specified by the client, that is, the time elapsed since address acquisition or renewal started.
flags: bits 0 to 15; when the leftmost bit is 1, the server sends packets to the client in broadcast mode; the remaining bits are not used yet.
ciaddr: client IP address.
yiaddr: IP address assigned to the client by the server.
siaddr: IP address used in the bootstrap process (server IP address).
giaddr: IP address of the forwarding proxy (gateway).
chaddr: client hardware address.
sname: optional server name, ending with 0x00.
file: boot file name.
options: vendor ID and optional parameter field.

[packet capture Analysis]

The software used this time is Wireshark (in the dormitory).

1. Discovery phase:
2. Provision phase:
3. Select phase:
4. Validation phase:

[summary]

Environment analysis: according to the above content, the IP address obtained by my PC was obtained through a proxy, and it only goes through one router proxy, that is, the gateway.

Tutorial description: this experiment only analyzes the packets travelling between the PC and the gateway within the broadcast domain. No analysis is performed between the gateway and the DHCP server. This experiment gives a better understanding of the DHCP acquisition process and familiarity with the use of packet capture software.
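
An added example, not part of the original article: a Python parser for the fixed header in Figure 1 that also walks the options field and rejects truncated or overlong options. The magic cookie and the option 53 message-type codes are taken from RFC 2131/2132 rather than from this page, and the sample packet (transaction ID, MAC address) is constructed.

```python
import struct, ipaddress
# Fixed header from Figure 1: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"   # assumption from RFC 2131: cookie preceding options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}  # option 53, RFC 2132
ip = lambda b: str(ipaddress.IPv4Address(b))

def parse_options(buf):
    """Walk code/length/value options; reject lengths that overrun the buffer."""
    opts, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == 255:               # End option
            break
        if code == 0:                 # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"option {code} overruns packet")
        opts[code] = buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]
    return opts

def parse_dhcp(pkt):
    if len(pkt) < HDR.size + 4:
        raise ValueError("shorter than fixed header plus magic cookie")
    (op, htype, hlen, hops, xid, secs, flags,
     ci, yi, si, gi, chaddr, sname, file) = HDR.unpack_from(pkt)
    if hlen > 16:                     # hlen must fit inside the 16-byte chaddr field
        raise ValueError("hlen exceeds chaddr field")
    if pkt[HDR.size:HDR.size + 4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts = parse_options(pkt[HDR.size + 4:])
    mtype = opts.get(53, b"")
    return {
        "op": op, "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),   # leftmost bit of the flags field
        "ciaddr": ip(ci), "yiaddr": ip(yi),
        "siaddr": ip(si), "giaddr": ip(gi),
        "chaddr": chaddr[:hlen].hex(":"),
        "type": MSG_TYPES.get(mtype[0]) if len(mtype) == 1 else None,
        "options": opts,
    }
# Constructed sample: a broadcast DHCP discover from a made-up client MAC
SAMPLE = HDR.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000, *[bytes(4)] * 4,
                  bytes.fromhex("020000aabbcc"), b"", b"") + MAGIC + \
         bytes([53, 1, 1, 55, 2, 1, 3, 255])
```

Feed `parse_dhcp` the UDP payload of a captured packet (ports 67/68) to compare its output with what Wireshark shows for each phase.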
