1. Introduction to DHCP Protocol
DHCP, short for Dynamic Host Configuration Protocol, is the successor to BOOTP and functions at the application layer of the OSI model. As a bootstrap protocol, it helps computers, referred to as DHCP clients, acquire configuration information from a designated DHCP server.
DHCP uses a client/server model, where the computer requesting configuration information is called a DHCP client, and the provider of the information is the DHCP server. DHCP has three methods to assign addresses to clients: manual configuration, automatic configuration, and dynamic configuration.
The most significant function of DHCP is dynamic allocation. In addition to IP addresses, DHCP packets also provide clients with other configuration information like the subnet mask. This enables clients to automatically configure their network connection without user intervention.
1. DHCP Working Process
Discovery Phase: This is the phase where a DHCP client searches for a DHCP server. Because the IP address of the DHCP server is unknown to the client, the client broadcasts a DHCP discover message to the address 255.255.255.255 to locate a DHCP server. Every host on the network with the TCP/IP protocol installed will receive this broadcast, but only DHCP servers will respond.
Offer Phase: This is the phase where the DHCP server offers an IP address. Each DHCP server that receives the DHCP discover message responds by selecting an unused IP address to allocate to the DHCP client and sends a DHCP offer message containing the leased IP address and other settings.
Selection Phase: This is the phase where the DHCP client selects an IP address offered by a DHCP server. If multiple DHCP servers send DHCP offer messages, the DHCP client only accepts the first DHCP offer received. It then responds with a DHCP request message by broadcast, requesting the IP address from the DHCP server it selected. Broadcasting this response serves to inform all DHCP servers of the selected IP address.
Acknowledgment Phase: This is the phase where the DHCP server confirms the provided IP address. Once the DHCP server receives the DHCP request message from the client, it sends a DHCP ACK message, containing the provided IP address and other settings, informing the client that it can use the provided IP address. The DHCP client then binds the IP address with its network card. Additionally, other DHCP servers will retract their offered IP addresses.
Re-login: When a DHCP client re-logs into the network, it sends a DHCP request message containing the previously assigned IP address, rather than broadcasting a DHCP discover message. Upon receiving this message, the DHCP server attempts to allow the client to continue using the old IP address and sends a DHCP ACK message. If the IP address is no longer available (e.g., it has been allocated to another DHCP client), the server responds with a DHCP NACK message. The client must then send a new DHCP discover message to request a new IP address.
Lease Renewal: The IP address leased to the DHCP client by the server typically has a lease period after which the server reclaims the IP address. To extend the IP lease, the client must renew it. At startup and halfway through the lease, the client automatically sends a lease renewal message to the DHCP server.
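The exchange described above can be replayed over decoded messages to see how far each transaction got and which servers answered. This is an added example, not part of the original article: the state names follow the client states in RFC 2131, the `server` field (the server a message came from or names) is an assumed record layout, and the sample records are constructed.

```python
# Client-side states borrowed from RFC 2131; the article names only the phases.
NEXT = {
    "INIT":       {"DISCOVER": "SELECTING", "REQUEST": "REQUESTING"},  # REQUEST first = re-login
    "SELECTING":  {"OFFER": "SELECTING", "REQUEST": "REQUESTING"},
    "REQUESTING": {"ACK": "BOUND", "NAK": "INIT"},
    "BOUND":      {"REQUEST": "REQUESTING"},                           # lease renewal
}


def trace_exchanges(messages):
    """Replay decoded DHCP messages and rebuild each transaction's progress."""
    sessions = {}
    for m in messages:
        s = sessions.setdefault(m["xid"], {
            "state": "INIT", "offers": [], "selected": None,
            "bound": None, "anomalies": []})
        nxt = NEXT[s["state"]].get(m["type"])
        if nxt is None:
            # A message the described exchange does not allow at this point.
            s["anomalies"].append(f'{m["type"]} in state {s["state"]}')
            continue
        if m["type"] == "OFFER":
            s["offers"].append((m["server"], m["yiaddr"]))
        elif m["type"] == "REQUEST":
            s["selected"] = m.get("server") or s["selected"]
        elif m["type"] == "ACK":
            if s["selected"] and m["server"] != s["selected"]:
                s["anomalies"].append(f'ACK from unselected server {m["server"]}')
            s["bound"] = m["yiaddr"]
        elif m["type"] == "NAK":
            s["bound"] = None
        s["state"] = nxt
    return sessions


# Constructed sample records (documentation addresses, made-up xids).
SAMPLE = [
    {"xid": 1, "type": "DISCOVER"},
    {"xid": 1, "type": "OFFER", "server": "192.0.2.1", "yiaddr": "192.0.2.50"},
    {"xid": 1, "type": "OFFER", "server": "192.0.2.2", "yiaddr": "192.0.2.80"},
    {"xid": 1, "type": "REQUEST", "server": "192.0.2.1"},
    {"xid": 1, "type": "ACK", "server": "192.0.2.1", "yiaddr": "192.0.2.50"},
    {"xid": 2, "type": "REQUEST"},                       # re-login with old address
    {"xid": 2, "type": "NAK", "server": "192.0.2.1"},    # address no longer available
    {"xid": 3, "type": "ACK", "server": "192.0.2.9", "yiaddr": "192.0.2.99"},  # no REQUEST seen
]
```

An ACK that arrives without a preceding request, or from a server the client did not select, shows up in the `anomalies` list of that transaction.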
2. DHCP Message Format
Let's introduce the DHCP message format, as shown in Figure 1.
- OP: Set to 1 if the packet is sent from the client to the server, and to 2 for the reverse direction;
- Htype: Hardware type, Ethernet is 1;
- Hlen: Hardware length, Ethernet is 6;
- Hops: If the packet needs to be forwarded by a router, increment by 1; within the same subnet, it's 0;
- Transaction ID: A random number used to match requests and responses between client and server;
- Seconds: The time, specified by the user, that has elapsed since address acquisition or update started;
- Flags: Bits 0-15; the most significant bit set to 1 indicates the server will broadcast the packet back to the client, while the other bits are unused;
- Ciaddr: Client IP address;
- Yiaddr: Client IP assigned by the server;
- Siaddr: IP address for bootstrap processes;
- Giaddr: Relay agent (gateway) IP address;
- Chaddr: Client's hardware address;
- Sname: Optional server's name, ending with 0x00;
- File: Boot filename;
- Options: Vendor-specific, optional parameter fields.
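A parser for the field layout listed above, followed by a walk over the options area. This is an added example, not code from the original article: the magic cookie and the option 53 message-type codes come from RFC 2131/2132 rather than from this page, and the sample packet (MAC address, transaction ID) is constructed.

```python
import socket
import struct

# Fixed header in the field order listed above (236 bytes in total).
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # assumption from RFC 2131: marks start of options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}  # option 53


def parse_dhcp(payload: bytes) -> dict:
    """Decode the UDP payload of one DHCP message into named fields."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, bootfile) = HEADER.unpack_from(payload)
    if hlen > len(chaddr):
        raise ValueError("hlen larger than the chaddr field")
    ip = socket.inet_ntoa
    cstr = lambda b: b.split(b"\0", 1)[0].decode("ascii", "replace")
    msg = {"op": op, "htype": htype, "hlen": hlen, "hops": hops, "xid": xid,
           "secs": secs, "broadcast": bool(flags & 0x8000),  # top flag bit
           "ciaddr": ip(ciaddr), "yiaddr": ip(yiaddr), "siaddr": ip(siaddr),
           "giaddr": ip(giaddr), "chaddr": chaddr[:hlen].hex(":"),
           "sname": cstr(sname), "file": cstr(bootfile),
           "options": {}, "type": None}
    opts = payload[HEADER.size:]
    if opts[:4] != MAGIC_COOKIE:
        return msg  # plain BOOTP: no DHCP options follow
    i = 4
    while i < len(opts) and opts[i] != 255:  # 255 = end option
        if opts[i] == 0:  # pad option, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("option overruns the packet")
        msg["options"][opts[i]] = opts[i + 2:i + 2 + opts[i + 1]]
        i += 2 + opts[i + 1]
    kind = msg["options"].get(53, b"")
    msg["type"] = MSG_TYPES.get(kind[0]) if len(kind) == 1 else None
    return msg


def build_sample_discover() -> bytes:
    """Constructed sample: DISCOVER from a made-up, locally administered MAC."""
    header = HEADER.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000, bytes(4), bytes(4),
                         bytes(4), bytes(4), bytes.fromhex("020000aabbcc"), b"", b"")
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + b"\x37\x02\x01\x03" + b"\xff"
```

The length checks matter when the input is untrusted capture data: a truncated header or an option whose length byte points past the end of the packet raises `ValueError` instead of being decoded silently.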
2. Decoding Information
In the DHCP working process, there are four types of messages (DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK) exchanged to obtain configuration information. Let's explore the decoded contents of these four messages:
1. Discovery Phase
Capture the DHCP DISCOVER packet using the Colasoft Network Analyzer, as shown in Figure 2.
(Figure 2 DHCP DISCOVER packet decoding)
From Figure 2, we can see the decoding information of a DHCP DISCOVER packet. DHCP is an extension of BOOTP and is compatible with it, so we can see the decoding of both BOOTP and DHCP.
2. Offer Phase
Capture the DHCP OFFER packet using the Colasoft Network Analyzer, as shown in Figure 3.
(Figure 3 DHCP OFFER packet decoding)
3. Selection Phase
Capture the DHCP REQUEST packet using the Colasoft Network Analyzer, as shown in Figure 4.
(Figure 4 DHCP REQUEST packet decoding)
4. Acknowledgment Phase
Capture the DHCP ACK packet using the Colasoft Network Analyzer, as shown in Figure 5.
(Figure 5 DHCP ACK packet decoding)
The above are the four types of DHCP packets, each with its own distinguishing features.