Analyzing DHCP Messages
The DHCP messages exchanged in the various stages of a lease process can be seen and analyzed in Network Monitor captures. This section describes the structure of individual DHCP messages so that they can be recognized within a larger pattern of exchanges between DHCP clients and servers.

Figure 2 illustrates the general structure of a DHCP frame. As shown in the figure, the header is made up of 15 sections, including a variable-length Options section. The DHCP message type is distinguished by Option 53, which is required for use in all DHCP messages. Table 1 shows the values of each of these fields.
Table 1. DHCP Header Fields

| Field | Description |
|---|---|
| Message Type (Op) | The message type. |
| Hardware Address Type (Htype) | The hardware address type, as defined in the Address Resolution Protocol (ARP) section of Request for Comments (RFC) 1700 (for example, 0x1 means 10 MB Ethernet). |
| Hardware Address Length (Hlen) | The hardware address length, in octets (for example, 0x6 for a traditional 6-byte Ethernet address). |
| Hops (Hops) | The signal that determines whether the message has originated on a remote subnet. Incremented by DHCP relay agents and RFC 1542–compliant routers. |
| Transaction ID (Xid) | A random number used to denote a conversation between a DHCP client and a DHCP server (for example, a lease acquisition). |
| Seconds (Secs) | The number of seconds elapsed since the DHCP Client service commenced the address acquisition process. Filled in by the DHCP client. |
| Flags (Flags) | The flags set by the client. In RFC 2131, the Broadcast flag is the only flag defined. A DHCP client that can't receive unicast IP datagrams until it has been configured with an IP address sets this Broadcast flag. |
| Client IP Address (Ciaddr) | The DHCP client address. Zero, unless the client already has an IP address and can respond to ARP requests. |
| Your IP Address (Yiaddr) | The address given by the DHCP server to the DHCP client. |
| DHCP Server IP Address (Siaddr) | The IP address of the DHCP server that's offering a lease (returned by DHCP Offer). |
| Relay (Gateway) IP Address (Giaddr) | The DHCP relay agent or RFC 1542–compliant router IP address, used when booting using a DHCP relay agent or RFC 1542–compliant router. |
| Client Hardware Address (Chaddr) | The client hardware address. |
| Server Host Name (Sname) | A 64-byte field reserved for the server host name. Not used in Windows XP or Windows Server 2003. |
| Boot File Name (File) | The name of the file containing a boot image for a Boot Protocol (BOOTP) client. |
| Options (Options) | A variable-length set of fields containing DHCP options. Option 53 is required in every DHCP message and describes the message type. Other commonly used options include Lease Renewal Time and Lease Rebinding Time. |

DHCP Discover
The following listing is an excerpt from a Network Monitor capture showing the IP and DHCP portions of a DHCP Discover packet. In the IP section, you can see the destination address is 255.255.255.255 (broadcast) and the source address is 0.0.0.0. The DHCP section identifies the packet as a Discover message and identifies the client in two places by using the physical address of the network card. Note that the values in the DHCP: Client Ethernet Address (Chaddr) field and the DHCP: Client Identifier field are identical.

IP: ID = 0x0; Proto = UDP; Len: 328
IP: Version = 4 (0x4)
IP: Header Length = 20 (0x14)
IP: Service Type = 0 (0x0)
IP: Precedence = Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: Total Length = 328 (0x148)
IP: Identification = 0 (0x0)
IP: Flags Summary = 0 (0x0)
IP: .......0 = Last fragment in datagram
IP: ......0. = May fragment datagram if necessary
IP: Fragment Offset = 0 (0x0) bytes
IP: Time to Live = 128 (0x80)
IP: Protocol = UDP - User Datagram
IP: Checksum = 0x39A6
IP: Source Address = 0.0.0.0
IP: Destination Address = 255.255.255.255
IP: Data: Number of data bytes remaining = 308 (0x0134)
DHCP: Discover (xid=21274A1D)
DHCP: Op Code (op) = 1 (0x1)
DHCP: Hardware Type (htype) = 1 (0x1) 10Mb Ethernet
DHCP: Hardware Address Length (hlen) = 6 (0x6)
DHCP: Hops (hops) = 0 (0x0)
DHCP: Transaction ID (xid) = 556223005 (0x21274A1D)
DHCP: Seconds (secs) = 0 (0x0)
DHCP: Flags (flags) = 0 (0x0)
DHCP: 0............... = No Broadcast
DHCP: Client IP Address (ciaddr) = 0.0.0.0
DHCP: Your IP Address (yiaddr) = 0.0.0.0
DHCP: Server IP Address (siaddr) = 0.0.0.0
DHCP: Relay IP Address (giaddr) = 0.0.0.0
DHCP: Client Ethernet Address (chaddr) = 08002B2ED85E
DHCP: Server Host Name (sname) = <Blank>
DHCP: Boot File Name (file) = <Blank>
DHCP: Magic Cookie = [OK]
DHCP: Option Field (options)
DHCP: DHCP: DHCP Message Type = DHCP Discover
DHCP: Client-identifier = (Type: 1) 08 00 2b 2e d8 5e
DHCP: Host Name = CLIENT1
DHCP: Parameter Request List = (Length: 7) 01 0f 03 2c 2e 2f 06
DHCP: End of this option field
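
The header layout in Table 1 and the option fields in the Discover listing can be checked programmatically. The following Python parser is an added example, not part of the original text or of Network Monitor: it unpacks the fixed header, walks the Options field, reads Option 53, and compares the Client Identifier with Chaddr. The option codes (12, 55, 61), the message-type numbers and the magic cookie value are taken from RFC 2131/2132, and the sample bytes are constructed from the values shown in the listing (without the padding a real client adds).

```python
import struct

# Fixed header from Table 1: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr (16), sname (64), file (128) = 236 bytes.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # precedes the Options field
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "Ack", 6: "Nak", 7: "Release", 8: "Inform"}

def parse_dhcp(payload):
    """Parse a DHCP message (UDP payload) and return the fields used for triage."""
    if len(payload) < HEADER.size + 4:
        raise ValueError("truncated DHCP header")
    (op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
     giaddr, chaddr, sname, bootfile) = HEADER.unpack_from(payload)
    if payload[HEADER.size:HEADER.size + 4] != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    options, i = {}, HEADER.size + 4
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                         # 0 = Pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("option overruns message")
        options[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    if len(options.get(53, b"")) != 1:
        raise ValueError("Option 53 (message type) missing or malformed")
    cid = options.get(61)                           # type byte + identifier
    return {
        "type": MESSAGE_TYPES.get(options[53][0], "Unknown"),
        "xid": xid,
        "broadcast": bool(flags & 0x8000),          # top bit of Flags
        "relayed": hops > 0 or giaddr != bytes(4),  # relay agent touched it
        "chaddr": chaddr[:hlen],
        "client_id_matches_chaddr": cid is not None and cid == bytes([htype]) + chaddr[:hlen],
        "options": options,
    }

def build_sample_discover():
    """Constructed sample: a Discover carrying the values shown in the listing."""
    mac = bytes.fromhex("08002B2ED85E")
    header = HEADER.pack(1, 1, 6, 0, 0x21274A1D, 0, 0, *[bytes(4)] * 4, mac, b"", b"")
    opts = (bytes([53, 1, 1]) + bytes([61, 7, 1]) + mac         # type, client id
            + bytes([12, 7]) + b"CLIENT1"                       # host name
            + bytes([55, 7]) + bytes.fromhex("010f032c2e2f06")  # parameter request list
            + bytes([255]))
    return header + MAGIC_COOKIE + opts
```

Calling `parse_dhcp(build_sample_discover())` returns the message type, transaction ID and hardware address seen in the capture. A `client_id_matches_chaddr` value of `False` on other traffic marks a client whose identifier and hardware address disagree.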