DHCP is used to get the IP address for the client from the server. DHCP means Dynamic Host Configuration Protocol. There are some basic packets exchanges to get the IP address. We sometimes call these packets exchanges as the DORA process:
Let us understand all these frames in Wireshark. Once we open the DHCP frame exchanges in Wireshark, the“bootp” filter can be used to see all the DHCP-related frames.
1. DHCP Discover
DHCP discover is the first frame that is sent by the client as a broadcast to all available servers.
Refer to the following screenshot. See the marked area for important fields.
List of Important Fields from the DHCP Discover Frame:
- Message type: Boot Request (1)
- Transaction ID: 0x3e5e0ce3
- Client IP address: 0.0.0.0
- Your (client) IP address: 0.0.0.0
- Next server IP address: 0.0.0.0
- Relay agent IP address: 0.0.0.0
- Client MAC address: 00:08:74:4f:36:23
- Magic cookie: DHCP
- Option: (53) DHCP Message Type (Discover)
- Option: (50) Requested IP Address (192.168.1.101)
2. DHCP Offer
Refer to the following screenshot. See the marked area for important fields.
This frame is sent by the server(s) to the client with many details. Now, the client can choose the IP address if it gets multiple DHCP offer.
List of Important Fields from the DHCP Offer Frame:
- Dynamic Host Configuration Protocol (Offer)
- Transaction ID: 0x3e5e0ce3
- Bootp flags: 0x0000 (Unicast)
- Client IP address: 0.0.0.0
- Your (client) IP address: 192.168.1.101
- Next server IP address: 0.0.0.0
- Relay agent IP address: 0.0.0.0
- Client MAC address: 00:08:74:4f:36:23
- Magic cookie: DHCP
- DHCP: Offer (2)
- Option: (1) Subnet Mask (255.255.255.0)
- Subnet Mask: 255.255.255.0
- Router: 192.168.1.1
- Domain Name Server: 63.240.76.19
- Domain Name Server: 204.127.198.19
- Domain Name: ne2.client2.attbi.com
- IP Address Lease Time: (86400s) 1 day
- DHCP Server Identifier: 192.168.1.1
3. DHCP Request
Refer to the following screenshot. See the marked area for important fields.
This frame is sent by the client to the particular server confirming the IP address. It can also request for some more details from the server.
List of Important Fields from the DHCP Request Frame:
- Dynamic Host Configuration Protocol (Request)
- Transaction ID: 0x3e5e0ce3
- Seconds elapsed: 0
- Client IP address: 0.0.0.0
- Your (client) IP address: 0.0.0.0
- Next server IP address: 0.0.0.0
- Relay agent IP address: 0.0.0.0
- Client MAC address: 00:08:74:4f:36:23
- Client hardware address padding: 00000000000000000000
- Magic cookie: DHCP
- DHCP: Request (3)
- Client MAC address: 00:08:74:4f:36:23
- Requested IP Address: 192.168.1.101
- DHCP Server Identifier: 192.168.1.1
- Host Name: Noho
4. DHCP ACK
Here is the screenshot of the DCHP ack. See the marked area for important fields.
This is the last frame of the DORA process. It is sent by the server as an acknowledgement.
List of Important Fields from the DHCP Ack Frame:
- Dynamic Host Configuration Protocol (ACK)
- Transaction ID: 0x3e5e0ce3
- Your (client) IP address: 192.168.1.101
- Next server IP address: 0.0.0.0
- Relay agent IP address: 0.0.0.0
- Client MAC address: 00:08:74:4f:36:23
- Magic cookie: DHCP
- DHCP: ACK (5)
- Subnet Mask: 255.255.255.0
- Router: 192.168.1.1
- Domain Name Server: 63.240.76.19
- Domain Name Server: 204.127.198.19
- Domain Name: ne2.client2.attbi.com
- IP Address Lease Time: (86400s) 1 day
- DHCP Server Identifier: 192.168.1.1
DHCP Renewal Process
After the DHCP lease time, the client has to send the DHCP renewal frame to get the IP address. There are two frame exchanges that happens during the DHCP renewal process:
1. DHCP Request
The DHCP request frame is the same as the normal DHCP request frame but the client IP address field should have the client’s current IP. This is because the client is already having one IP address and it can renew the same IP address. This considered as a unicast frame.
2. DHCP ACK
This frame is just an ACK of the DHCP request frame. This is a broadcast frame.
The following screenshot shows these two frame exchanges:
Conclusion
We learned from this article about some basic frame exchanges about the DHCP protocol and their important fields in Wireshark. For a deeper understanding, we can go through the shared RFC link. The protocol standard for DHCP is found in https://tools.ietf.org/html/rfc2131.