Mastering Wireshark 2 : DHCP Analysis

Captions
Welcome to Section 8, Application Protocol Analysis 1. In this section we're going to take a look at DHCP analysis, where we're going to investigate how a computer gets an IP address as well as other fields and data; HTTP analysis, which we use every day browsing the internet and is a very common thing to have to investigate; and FTP analysis, including the different secure versions of FTP.

This is video 8.1, DHCP Analysis. In this video we're going to take a look at how DHCP works, some of the fields that are within the DHCP protocol, watch a client retrieve an IP address, and really take a look at what happens with DHCP when a client requests an address and receives responses.

So as usual, let's start a packet capture. What I'm going to do is release the address on my computer here and then renew it. With ipconfig /release on a Windows computer we can release our address, and then if we do ipconfig /renew it will get us a new address. Now if we take a look at ipconfig /all we should be able to see our address is assigned. Very good, and we'll stop our capture.

Of course, with our packet capture here we're going to want to only pick out the DHCP traffic, so you would assume you could go up to the display filter and type "dhcp" just like we've done for the other protocols, push Enter, and it works. But we see that there's a red bar up there: "dhcp" is not valid. Now why is that? Because the display filter is actually "bootp". DHCP is based off of BOOTP; BOOTP was the predecessor protocol to DHCP, so in Wireshark they use the predecessor protocol's filter. So you want to use "bootp".

With "bootp" we'll see that we have our DHCP Release and Discover. This first packet here is the Release. My system already had an IP address and it wanted to get rid of it, so it sent a packet to the DHCP server, which is 77.1 here, and it said "please get rid of my address." If we look into our DHCP details here, you see it says Bootstrap Protocol; that's where "bootp" comes from. If we scroll down to the bottom you see Options, and if you look at option 53 it says we have a Release, so that's where it's requesting to get rid of its address. The system at that point has no address, and the local client erases the IP address from its information on the network interface card.

Then after that I initiated the DHCP renew command, which told it to go get an address. Now, I did this because my system had already been up and had already retrieved a DHCP address on boot before I did my video capture. Commonly a system will retrieve IP information and other configuration options from a DHCP server on boot of the operating system, but since my system already had an address I had to get rid of it and then forcibly tell it to get a new one with that /renew command.

When a system requests an address it initiates with a Discover request, and you can see the Discover, which down here has option 53 Discover. It sent it out to a broadcast, all 255s, because the client doesn't have an IP address; you see it has 0.0.0.0 as its source. It doesn't know where it needs to go to talk to the DHCP server, so it sends it out to a broadcast address hoping that anybody will respond to its request for a DHCP server. So what the Discover packet is doing is asking for a DHCP server; it says "I'm trying to discover a server." If you have multiple servers on a subnet you may get a different server offering itself from time to time. That can cause problems sometimes, depending on your network design. If you have a simple network such as a home network and you have two DHCP servers, most likely one of those is by accident, and you can have that problem when people bring home wireless routers or something like that into a workplace and they don't turn off the DHCP server; it can cause problems like this. So looking for Offer packets sometimes is useful in packet captures, because you may not necessarily want to see them; that may be a bad thing. If you happen to see offers from a server address that doesn't make any sense according to your network design, then that's a red flag. You can of course right-click on the Offer and select that as a filter so that you can filter all of your packet captures based off of just the Offer. You see that we've only pulled out the Offers here, so if we had a whole bunch of offers from a bunch of different servers, that could be a problem.

If we go back to our standard bootp filter, you'll see after the Offer, where the server is now responding to our broadcast that says "yes, I am a DHCP server, you can use me," I then send out from my client a Request, and you can see down here in the options that I'm actually requesting a specific address. Now, this you would not normally see on a new system that just booted up, but because my system here, the client, already knew that it had a previous address, it kept that information saved even though it was not configured in the network card; it requested that specific address to renew it and put it back into its configuration. You can see that it also knows the server now, so it sends it out to the server, but it doesn't come from a layer 3 IPv4 address here because it doesn't have one yet; it's requesting it. So it still sends it out to the broadcast, but it says "hey server 77.1, please give me 77.160." The server then says "yes, I acknowledge you, and by the way, it's OK, you're allowed to use that IP address, as well as here is some additional information: you're using a 77.1 DHCP server; oh, and by the way, here's how long your lease time is, it's good for one day (that can be customized); here's your subnet mask; here's a domain name, if applicable; here's the router, which is your default gateway; and here are some DNS servers that you can use."

You may see additional options in here. These option numbers reflect a whole bunch of different things that you can configure in DHCP; it's not just for IP addresses. You'll see this commonly used with Voice over IP phones, because you can pass different options such as option 43. They actually tell it what VLAN it needs to belong to and force it to the other VLAN, and then you can also tell it where the TFTP server is to retrieve firmware information, all sorts of different things that you can send to a device to automatically configure it. That's why they call it the Dynamic Host Configuration Protocol; it's not just for IP. If you want to learn more about it, you can of course take a look at the RFC. The RFC for DHCP (remember, this is the upgraded version of BOOTP) is 2131, and you see it's quite a lengthy document; there's quite a bit in here and it goes through a lot of the functionality of DHCP. Now, it will not include every single option and every single thing you can configure, because some of them are vendor specific, and of course DHCP has been extended since 1997 with additional added-on features.

Then our next two packets we see are DHCP Inform, and these are requests from my client. Now that it has its layer 3 IPv4 address, it's requesting additional parameters from the server, and you can see them listed down here; here are the additional parameters it wants. It's looking for static routes, any NetBIOS information, any additional vendor-specific information (that option 43 I was talking about), anything like that. It's requesting from the server, and if it happens to have it, then the server would respond and say "yes, by the way, I have the following additional information for you."

So that's the basics of DHCP. It's a very simple protocol, a little bit more complex than DNS but still relatively simple, very useful. There is an IPv6 version of DHCP, as well as many other ways of addressing IPv6 hosts. Up next we're going to take a look at HTTP in HTTP Analysis 1.
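As an added example (not part of the video or the course), here is a small parser for the BOOTP header and the DHCP options the video walks through (option 53 message type, 54 server identifier, 51 lease time), plus a check that flags Offer/ACK packets whose server identifier is not on a trusted list, the rogue-server red flag described above. The packets, the 192.168.77.x addresses and the trusted-server set are constructed for the example; in practice the UDP payloads would come from a capture.

```python
import struct
from ipaddress import IPv4Address
MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
             5: "ACK", 6: "NAK", 7: "Release", 8: "Inform"}  # option 53 values

def parse_dhcp(payload):
    """Parse the BOOTP header and the DHCP option list (RFC 2131) of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = IPv4Address(payload[16:20])              # "your" address offered to the client
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:     # 255 = end option
        if payload[i] == 0:                            # 0 = pad: one byte, no length field
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr,
            "type": MSG_TYPES.get(opts.get(53, b"\x00")[0], "Unknown"),
            "server_id": IPv4Address(opts[54]) if 54 in opts else None,
            "lease": struct.unpack("!I", opts[51])[0] if 51 in opts else None, "options": opts}

def rogue_offers(payloads, trusted_servers):
    """List (server id, offered address) for every Offer/ACK not sent by a trusted server."""
    hits = []
    for m in map(parse_dhcp, payloads):
        if m["type"] in ("Offer", "ACK") and str(m["server_id"]) not in trusted_servers:
            hits.append((str(m["server_id"]), str(m["yiaddr"])))
    return hits

def build(op, msg_type, xid, yiaddr="0.0.0.0", server=None, extra=b""):
    """Constructed sample message (not from a real capture): BOOTP header + options."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)    # htype 1, hlen 6, broadcast flag
    hdr += bytes(4) + IPv4Address(yiaddr).packed + bytes(8)       # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("001122334455") + bytes(10) + bytes(192)  # chaddr(16), sname(64), file(128)
    opts = bytes([53, 1, msg_type])
    if server:
        opts += bytes([54, 4]) + IPv4Address(server).packed
    return hdr + MAGIC + opts + extra + b"\xff"

TRUSTED = {"192.168.77.1"}  # assumption: the only legitimate server on this lab subnet
SAMPLE = [                  # constructed exchange mirroring the video's capture
    build(1, 1, 0x1234),                                                     # Discover
    build(2, 2, 0x1234, "192.168.77.160", "192.168.77.1",
          bytes([51, 4]) + struct.pack("!I", 86400)),                         # Offer, 1-day lease
    build(2, 2, 0x1234, "192.168.77.77", "192.168.77.254"),                  # Offer, unexpected server
    build(2, 5, 0x1234, "192.168.77.160", "192.168.77.1"),                   # ACK
]
```

On Wireshark 3.0 and later the dissector was renamed, so the display filter is `dhcp` (with `bootp` kept as an alias), and the field names are `dhcp.*` rather than `bootp.*`.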
Info
Channel: James Aguilar
Views: 4,939
Rating: 5 out of 5
Keywords: udemy, udemy course, online tutorial, online learning, udemy review, udemy coupon, udemy voucher, udemy discount
Id: CPKIZUjyS7s
Length: 9min 41sec (581 seconds)
Published: Wed Sep 26 2018