How DHCP Works // DHCP EXPLAINED

Captions
All right, so DHCP is a very important protocol. Our devices use it in and out all day, every day, and everything is great until something goes wrong. So let's go ahead and take a look at how DHCP works and what to look for when we're troubleshooting it. Okay, so you can follow along with the pcap in the description down below: go down there, download it, and you can follow right along. So let's keep DHCP simple. It's really just four packets, and you can see them here on my screen: Discover, Offer, Request, Acknowledge. Super simple, but let's go and break them down and look at the function of each step in the DHCP process.

First, when a machine wakes up on the network, it just opens its eyes. It establishes link state, but it doesn't yet have an IP address. It also doesn't know what network it's on, it doesn't know who its gateway is, its DNS server, or any other information that it may need in order to operate, and that's the purpose behind DHCP: to give it that configuration that it needs to start working on the network. So in this first packet we can see that in play. If I take a look at packet number one, notice at layer two this is an Ethernet II encapsulation. If I just expand this out, this is going out to a broadcast, so this station, it woke up, it's sending this out everywhere. Okay, this is type IPv4. Let's go ahead and take a look at the next layer protocol and the IP information. This is being sent from 0.0.0.0: I don't yet have an IP address, I don't have a name, I don't know who I am, give me a name. Next, destination address, so this is being sent out to a true layer 3 broadcast address: hey, out there, I'm looking for a DHCP server that can help me get going and get operating on this network. Okay, next the UDP layer. So DHCP operates over UDP. The source port, the client side, is going to use port 68; the server side is port 67. Okay, and the rest is pretty standard UDP stuff: length, checksum, and so on.

All right, but now let's actually take a look at the DHCP information. So in our packet here we can see that the message type is a boot request. Really there's only two message types that you can have, either a request or reply. If I come down here, there's Ethernet, so this is telling about the hardware type that I'm using at layer two. If I come down here, it's a transaction ID. So this transaction ID is just a random number that the client selects in order to identify the DHCP process that it's using. If you take a look on the top, you can see that that same transaction ID is copied back to me by the server; it's again used in the Request and then the final Acknowledgement. So that's how I can link all of this together as being a part of the same DHCP transaction. Down here, boot flags, let's open that up and take a look. So with DHCP, originally devices were configured using the bootstrap protocol, so sometimes you'll see that kind of sticking around, BOOTP, but for now almost everything uses the actual DHCP process. We'll talk a bit more about that in just a minute. So with this flag, what we're doing is we're telling the server: hey, if you want to hit me back with that offer, you can just unicast it back to me, I'll accept that. Alternatively, I could say go ahead and broadcast it back, and in that case the response, the Offer and the ACK, would both be broadcasted and I would be able to pick those up and use them.

Okay, so let's go up and click Discover. Okay, so now let's go and take a look at some of these other options. So client IP address: hey, it's all zeros, I don't know. Next, server IP address: how am I supposed to know about a server on this network if I haven't been here yet? And relay agent, look, that's again not my job here, I'm just a client trying to get an address with DHCP. Keep in mind this Discover is broadcasted, so it may be that my routers or network infrastructure has to take this broadcast and send it off to a true DHCP server that it knows about. In that case that router would be known as a relay agent, so by the time this Discover actually makes it to the server, that router would insert its IP address here in this field so that the server knows that this was sent by a relay. But in that initial Discover, especially when we're capturing client side, a lot of times you're gonna see zero here. Now, client MAC address: this is basically all the client knows about itself, is its own MAC. It's like it woke up and it looks at its arm and it sees a tattoo of its MAC address. Okay, so it's able to offer that to the server so that it can be uniquely identified when an address is assigned to it. Okay, continuing down, magic cookie. It's just a number you're going to see in every single packet that's DHCP. What this does is it basically differentiates between BOOTP and DHCP, because up until this point they're very similar, but here we're saying no, magic cookie, this is DHCP; now the rest of the DHCP options are going to follow.

All right, so let's take a look at some of the options that the client is requesting here. So the option, the type of DHCP message, is that type one, so this is a Discover; that's why we see Discover up here with Wireshark. Next we can see the option requested address. So historically, or before in the recent past, this client was using an address on this network, so what it does is it says: hey server, if you still have this one available, this is an address that I would like to request from you. Next we're sharing what our host name is, and here, kali linux 2021-3. And then last, this is what you really want to look at when you're checking out a DHCP Discover: this is a list of all the stuff that the client would like to have back from DHCP. So some of it's very important for me: I want to see a subnet mask, I want to see a router, I need DNS. Without those basic ones I'm not going to be able to go very far, but you also see some other interesting ones: time offset, a host name, interface MTU, classless static route, network time protocol servers. So there's other configurations that I could request from DHCP, and it's possible that we could configure these things with our endpoints using DHCP; that's how we can get those extra parameters out to those endpoints.

All right, so that was our Discover. That gets broadcasted out, and if a relay is involved it'll be relayed to the true DHCP server. But now let's go ahead and take a look at the Offer that comes back. So let's look at that second packet. So we can see here, let's go ahead and start at the top: so this is unicasted, and the server is basically saying, hey, you told me to unicast it back to you on dot four, so here you go, here's, I'm using this address. And we can see the UDP ports, port 67 to 68; basically those flipped. Okay, now to the fun stuff in DHCP. I'm going to go ahead and minimize my hexadecimal view down here. So boot reply, this is that two, right? So in the first packet it was one, so now it's a two. And if I come down here I can see client IP address. So your client IP address is the address that I'm gonna use for you, Mr. Client; this is 55.4. The server IP address that it's coming from, 55.1, and then that client MAC address identifier. So the server basically said: hey, here's an offer for you, and here's the address, here's identifying myself, 55.1, here's the lease time, this is how long you can use this address for, here's your subnet mask, here's your router IP, here's your DNS and domain name, local domain, here's a host name that you told me about, and then we're going to end our options. Now notice that the server didn't give us everything that we asked for, NTP or that interface MTU, but it did give us some basic parameters that we need to get up and get rolling.

Now with DHCP you can get more than one offer. If I send out a Discover, I'm discovering the DHCP servers; it could be that I could get three different offers at this point. Now I'm going to formally request the one that I choose, and I'm going to identify the server that it came from. All right, so let's see how that happens in the next packet. All right, so DHCP Request. This is broadcasted at layer 2 and layer 3. So if I had several offers come in, basically I'm implying: hey, I'm not picking all you other guys, I'm picking, if I come down to the DHCP, come down into my options down here, server identifier, this is what I'm saying: I'm officially requesting this address from this server. This is the address, here's my name, and by the way, I'm going to repeat my option request down here in those parameters, just in case there's some extra parameters that that server might give me once I actually formally do that request to that server. Okay, so let's see what happens in our fourth packet. Finally, that ACK's coming back, unicasted, and formally the server says okay, acknowledge: I'm the server that it came from, here's my IP address, here's how long your lease time is, again here's your subnet mask, your router, your DNS, and some other basic stuff. So DHCP really is that simple: it's four packets, Discover, Offer, Request, and Acknowledge.

Now here's a few things that you might want to watch for as far as troubleshooting DHCP. Watch for several offers coming back. It could be in your environment you're using a known DHCP server, and what if you see after your Discovers that you're getting several offers from other servers that you don't know about, that you didn't authorize? It could be that an attacker is trying to trick you into using their DHCP service and of course taking you off in a whole different direction. Also, I want to watch for one station sending out a lot of different Discovers. If it's saying discover, discover, discover, discover, it could be that it's trying to exhaust my DHCP pool, because a DHCP server is only going to have a limited number of IP addresses that it's going to offer per subnet, so a bad guy could ask for all of those addresses and exhaust my DHCP pool. But for the general function of DHCP, hopefully that made sense: Discover, Offer, Request, Acknowledge. This is how DHCP works and how we can look at it in Wireshark. Thanks for watching, I'll see you again.
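The fields walked through in the captions (op code, transaction ID, broadcast flag, ciaddr/yiaddr/siaddr/giaddr, client MAC, magic cookie, then the options including message type, server identifier and the parameter request list) and the two troubleshooting signs at the end (offers from several servers, one station flooding Discovers) can be put into working code. The following is an added example, not Chris Greer's code and not taken from his pcap: it builds a constructed DORA exchange in memory, parses each message the same way Wireshark's dissector would, and runs two defender-side checks over the result. Addresses, MACs and the threshold of five Discovers are assumptions chosen for the sample.

```python
"""Added example: decode DHCP messages and flag two warning signs from the video
(multiple OFFERs for one transaction, a DISCOVER flood from one MAC)."""
import struct
from collections import Counter, defaultdict
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"       # says "the options that follow are DHCP, not plain BOOTP"
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header: op,htype,hlen,hops,xid,secs,flags,
                                         # ciaddr,yiaddr,siaddr,giaddr,chaddr,sname,file (236 bytes)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
FLAG_BROADCAST = 0x8000                  # boot flag: "broadcast the reply back to me"


def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP header and the DHCP option TLVs of one UDP payload."""
    op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr, _, _ = \
        struct.unpack(HEADER, payload[:236])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie: plain BOOTP or not DHCP at all")
    msg = {"op": "REQUEST" if op == 1 else "REPLY", "xid": xid,
           "broadcast": bool(flags & FLAG_BROADCAST),
           "ciaddr": str(IPv4Address(ciaddr)), "yiaddr": str(IPv4Address(yiaddr)),
           "siaddr": str(IPv4Address(siaddr)), "giaddr": str(IPv4Address(giaddr)),
           "chaddr": chaddr[:hlen].hex(":"), "options": {}}
    i = 240
    while i < len(payload):                 # options are code, length, value; 0 = pad, 255 = end
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    opts = msg["options"]
    msg["type"] = MSG_TYPES.get(opts.get(53, b"\0")[0], "UNKNOWN")   # option 53: DHCP message type
    if 54 in opts:                                                   # option 54: server identifier
        msg["server_id"] = str(IPv4Address(opts[54]))
    if 55 in opts:                                                   # option 55: parameter request list
        msg["param_request_list"] = list(opts[55])
    return msg


def build_dhcp(msg_type, xid, chaddr, *, yiaddr="0.0.0.0", siaddr="0.0.0.0",
               broadcast=False, options=()):
    """Construct a minimal DHCP message; used here only to make sample traffic."""
    op = 1 if msg_type in (1, 3) else 2     # client messages are BOOTREQUEST, server ones BOOTREPLY
    header = struct.pack(HEADER, op, 1, 6, 0, xid, 0, FLAG_BROADCAST if broadcast else 0,
                         b"\0" * 4, IPv4Address(yiaddr).packed, IPv4Address(siaddr).packed,
                         b"\0" * 4, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([53, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


def unanswered_params(discover: dict, offer: dict) -> list:
    """Option codes the client asked for in option 55 that the OFFER did not carry."""
    return [c for c in discover.get("param_request_list", []) if c not in offer["options"]]


def audit(messages, discover_threshold=5) -> list:
    """Flag OFFERs from more than one server identifier within one xid, and any
    single MAC that sends at least discover_threshold DISCOVERs (pool exhaustion sign)."""
    offers, discovers, findings = defaultdict(set), Counter(), []
    for m in messages:
        if m["type"] == "OFFER" and "server_id" in m:
            offers[m["xid"]].add(m["server_id"])
        elif m["type"] == "DISCOVER":
            discovers[m["chaddr"]] += 1
    for xid, servers in offers.items():
        if len(servers) > 1:
            findings.append(f"xid {xid:#x}: offers from {len(servers)} servers {sorted(servers)}")
    for mac, n in discovers.items():
        if n >= discover_threshold:
            findings.append(f"{mac}: {n} DISCOVERs, possible pool exhaustion")
    return findings


# Constructed capture (assumed addresses): one normal DORA on 192.168.55.0/24, a second
# OFFER for the same xid from an unknown server, then six DISCOVERs from one other MAC.
CLIENT, SERVER, ROGUE = bytes.fromhex("001122334455"), "192.168.55.1", "192.168.55.250"
ip = lambda a: IPv4Address(a).packed
SAMPLE = [
    build_dhcp(1, 0x1234, CLIENT, options=[(50, ip("192.168.55.4")), (12, b"kali"),
                                           (55, bytes([1, 3, 6, 42, 26]))]),
    build_dhcp(2, 0x1234, CLIENT, yiaddr="192.168.55.4", siaddr=SERVER,
               options=[(54, ip(SERVER)), (51, (86400).to_bytes(4, "big")),
                        (1, ip("255.255.255.0")), (3, ip(SERVER)), (6, ip(SERVER))]),
    build_dhcp(2, 0x1234, CLIENT, yiaddr="192.168.55.200", siaddr=ROGUE, options=[(54, ip(ROGUE))]),
    build_dhcp(3, 0x1234, CLIENT, options=[(54, ip(SERVER)), (50, ip("192.168.55.4"))]),
    build_dhcp(5, 0x1234, CLIENT, yiaddr="192.168.55.4", siaddr=SERVER, options=[(54, ip(SERVER))]),
] + [build_dhcp(1, 0x5000 + i, bytes.fromhex("deadbeef0001"), broadcast=True) for i in range(6)]

PARSED = [parse_dhcp(p) for p in SAMPLE]
FINDINGS = audit(PARSED)

if __name__ == "__main__":
    for m in PARSED[:5]:
        print(f"{m['type']:<8} xid={m['xid']:#x} yiaddr={m['yiaddr']} server={m.get('server_id', '-')}")
    print("requested but not offered:", unanswered_params(PARSED[0], PARSED[1]))
    for f in FINDINGS:
        print("WARN", f)
```

Running it prints the four DORA messages plus the extra offer, reports that options 42 (NTP) and 26 (interface MTU) were requested but not returned, just as the video observes, and raises two warnings: one transaction received offers from two server identifiers, and one MAC sent six Discovers. Fed with payloads sliced out of a real capture (UDP ports 67/68), the same two functions apply unchanged; the per-MAC threshold is the knob to tune for your environment.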
Info
Channel: Chris Greer
Views: 15,767
Keywords: intro to wireshark, wireshark, chris greer, free wireshark training, wireshark for beginners, wireshark tutorial, packet analysis, ccna, protocol analysis, wireshark training, packet capture, wireshark training 2022, dhcp, dynamic host configuration protocol, dhcp explained, dhcp configuration, dhcp relay, dhcp problems, multiple dhcp offers, dhcp discover, dhcp offer, dhcp request, dhcp ack, how dhcp works, what is dhcp
Id: Cy0M54GSpBg
Length: 9min 56sec (596 seconds)
Published: Thu Apr 07 2022