Systems and Network Management

DHCP and tcpdump

Nick Urbanik ver. 1.3

1 Background

The format of DHCP packets was established with RFC 951 for the bootstrap protocol, or BOOTP. DHCP was made to be backward compatible with the BOOTP protocol so that the infrastructure of BOOTP relay agents on routers would not need to be replaced. The DHCP extensions to BOOTP are BOOTP options. Figure 1 shows the arrangement of the fields in the DHCP message, while table 1 gives a description of each one.

See The DHCP Handbook (Second Edition), Ralph Droms and Ted Lemon, Sams, October 2002. A copy is available in the library Reserved Collection for a one day loan period, call number TK 5105.585 .D766 2003. There is also a second copy on the shelves. RFC 2131 and RFC 2132 are also quite well written and quite easy to read.

[Figure 1 (diagram not reproduced): the message drawn in 32-bit rows, bits numbered 0 to 31. Fields labelled: op, htype, hlen, hops; xid; secs, flags; ciaddr; siaddr; giaddr; chaddr (16 bytes); sname (64 bytes); file (128 bytes); options (variable size).]

Figure 1: The fields in the fixed-format section of a DHCP message.

2 tcpdump and DHCP

The manual page for the current version of tcpdump (version 3.7.1; an RPM is available from our server) unfortunately does not explain the detail of all the fields in the DHCP protocol. To understand them all, it is necessary to look at the source. Here is my summary after reading ~/RPM/BUILD/tcpdump-3.7.1/tcpdump-3.7.1/print-bootp.c. I have put a copy of this source file on the subject site.

Table 2 shows how tcpdump displays the DHCP fields listed in table 1. Table 3 shows how tcpdump displays the DHCP options. Note that many of these options are essential for DHCP; the DHCP message type, for example, is optional only for the old BOOTP protocol.

Some other information will be provided by tcpdump that is not directly concerned with DHCP: for example, a packet with the IP don't fragment flag is marked with a trailing (DF).

| Field | Description |
|---|---|
| op | Message operation code: 1 in message from client, 2 in message from server |
| htype | Link-layer address type from RFC 1700. For Ethernet, htype is 1. |
| hlen | Link-layer address length, in bytes (number of bytes in chaddr field) |
| hops | Number of relay agents that have forwarded this message |
| xid | Transaction identifier; used by clients to match responses from servers with previously transmitted requests |
| secs | Number of seconds since client began DHCP transaction |
| flags | Least significant bit is set to 1 to indicate messages to client must be broadcast |
| ciaddr | Client's IP address, set by the client after it reaches the BOUND state (i.e., address is valid) |
| yiaddr | Client's IP address, set by server to inform client of its address ("your" IP address) |
| siaddr | IP address of the next server for the client to use (i.e., for the client to download an operating system kernel using TFTP) |
| giaddr | Relay agent (or "gateway") IP address: relay agent fills this in with the address of the interface through which it received the DHCP message |
| chaddr | Client's link-layer address (i.e., on our LAN, the Ethernet address) |
| sname | Name of the next server for client to use in the configuration process |
| file | Filename the client should request from the next server (i.e., an operating system kernel, or kickstart file) |

Table 1: DHCP message fields; see figure 1 for the arrangement of these fields in a DHCP message.
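The fixed-format layout of figure 1 and table 1, decoded with bounds checks on the values that arrive from the wire. This is an added example, not part of the original handout or of tcpdump; the function names and the sample message (addresses, xid, server name, file name) are constructed for illustration.

```python
import socket
import struct

# Fixed-format section (figure 1 / table 1): op htype hlen hops, xid, secs flags,
# ciaddr yiaddr siaddr giaddr, chaddr[16], sname[64], file[128] = 236 bytes.
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")


def _text(raw: bytes) -> str:
    """NUL-terminated field -> printable string (the bytes are sender-controlled)."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_fixed(msg: bytes) -> dict:
    """Decode the fixed-format fields; reject lengths the fields cannot hold."""
    if len(msg) < FIXED.size:
        raise ValueError(f"truncated: {len(msg)} bytes, need {FIXED.size}")
    (op, htype, hlen, hops, xid, secs, flags,
     ci, yi, si, gi, chaddr, sname, bootfile) = FIXED.unpack_from(msg)
    if op not in (1, 2):            # 1 = from client, 2 = from server
        raise ValueError(f"unknown op {op}")
    if hlen > len(chaddr):          # hlen comes from the wire: bound it
        raise ValueError(f"hlen {hlen} larger than chaddr field")
    return {
        "op": op, "htype": htype, "hlen": hlen, "hops": hops,
        "xid": f"0x{xid:x}", "secs": secs, "flags": f"0x{flags:x}",
        "ciaddr": socket.inet_ntoa(ci), "yiaddr": socket.inet_ntoa(yi),
        "siaddr": socket.inet_ntoa(si), "giaddr": socket.inet_ntoa(gi),
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": _text(sname), "file": _text(bootfile),
        "options": msg[FIXED.size:],    # variable-size remainder, not decoded here
    }


# Constructed sample: a server reply (op 2) offering 192.0.2.50 to one client.
SAMPLE = FIXED.pack(
    2, 1, 6, 0, 0x3903F326, 0, 0,
    socket.inet_aton("0.0.0.0"), socket.inet_aton("192.0.2.50"),
    socket.inet_aton("192.0.2.1"), socket.inet_aton("0.0.0.0"),
    bytes.fromhex("000802404ec5"), b"bootsrv", b"pxelinux.0",
)

if __name__ == "__main__":
    for name, value in parse_fixed(SAMPLE).items():
        print(f"{name:8} {value}")
```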
| Field | Format in tcpdump | Short Description |
|---|---|---|
| htype | htype-#<length> | length of link-layer address, bytes |
| hops | hops:<hops> | number of relay agents |
| xid | xid:0x<32-bit hex ID> | transaction id |
| secs | secs:<seconds> | seconds since session started |
| flags | flags:0x<hex digits> | lsb is broadcast flag |
| ciaddr | C:<IP address> | Client's IP address |
| yiaddr | Y:<IP address> | 'your' IP address (BOOTP client) |
| siaddr | S:<IP address> | Server's IP address |
| giaddr | G:<IP address> | Gateway's IP address |
| chaddr | ether <MAC address> | Ethernet address |
| sname | sname "<servername>" | name of next server |
| file | file "<filename>" | file name to download |

Table 2: How tcpdump represents some of the fixed DHCP fields. See table 1 for more details of each field.

| Format in tcpdump | Short Description |
|---|---|
| SM:<dotted quad IP> | Subnet mask (as an IP address) |
| CID:<client ID> | Client id; may be an Ethernet address, or an identifier string provided by client. Examples: CID:"cisco-0008.e3aa.3ac0-VL1"[len 25] and one with an Ethernet client id: CID:[ether]00:08:02:40:4e:c5 |
| SID:<name or IP> | Server id |
| DG:<name or IP> | Default gateway, IP address |
| NTP:<name or IP> | Network Time Protocol server, IP address |
| NS:<server>,... | Name servers, IP addresses |
| HN:"<host name>" | Host name |
| DN:"<domain name>" | Domain name |
| VC:"<class>" | Vendor Class (variable length ASCII string). Some examples: VC:"Linux 2.4.18-3 i686", VC:"Linux 2.4.18-6mdk i686", VC:"MSFT 98", VC:"MSFT 5.0", VC:"Hewlett-Packard JetDirect" |
| PR:<option>+<option>... | Parameter Request, for the parameters that are listed in the request |
| WNS:<name or IP>,... | WINS (NetBIOS) name server, IP address |
| WNT | NetBIOS node |
| WSC | NetBIOS scope, ASCII string |
| RD | Perform Router Discovery, binary value |
| SR | Static Route, a list of IP address pairs: address of destination, address of router. But useless in CIDR |
| VO | Vendor Options: period-separated decimal bytes (variable length) |
| MSZ:<integer> | Maximum Message size (16 bit short integer) |
| FQDN | Fully-qualified domain name; a request from client to server to use a particular FQDN. Server only responds to this, and does not send unless requested by client. Format is: first byte is flags, used to indicate state of negotiation. Actual name begins at the fourth byte. |
| LT:<seconds> | Lease time |
| RN:<seconds> | Renewal time (T1) |
| RB:<seconds> | Rebinding time (T2) |

Table 3: How tcpdump represents various DHCP options.

[Figure 2 (diagram not reproduced). States shown: INIT-REBOOT (boot before lease expires), INIT (boot after lease expires), SELECTING (has been offered an address), BOUND (has IP address), RENEWING (at T1, renew using unicasts), REBINDING (at T2, begin broadcasting requests to all DHCP servers). Transitions are labelled with the client request and server response (DHCPDISCOVER/DHCPOFFER, DHCPREQUEST/DHCPACK, DHCPREQUEST/DHCPNAK), whether each is broadcast or unicast, and "No response from server, lease expired".]

Figure 2: A state diagram showing states of a DHCP client. Note that T is the lease time, T1 = T/2, T2 = 7T/8.

See also table 4 from the DHCP RFC 2131 (available in full at /home/nfs/ietf/rcf/rfc2131.txt), which summarises DHCP messages.

| Message | Use | tcpdump |
|---|---|---|
| DHCPDISCOVER | Client broadcast to locate available servers. | DHCP:DISCOVER |
| DHCPOFFER | Server to client in response to DHCPDISCOVER with offer of configuration parameters. | DHCP:OFFER |
| DHCPREQUEST | Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address. | DHCP:REQUEST |
| DHCPACK | Server to client with configuration parameters, including committed network address. | DHCP:ACK |
| DHCPNAK | Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired. | DHCP:NACK |
| DHCPDECLINE | Client to server indicating network address is already in use. | DHCP:DECLINE |
| DHCPRELEASE | Client to server relinquishing network address and cancelling remaining lease. | DHCP:RELEASE |
| DHCPINFORM | Client to server, asking only for local configuration parameters; client already has externally configured network address. | DHCP:INFORM |

Table 4: DHCP Messages: this is "table 2" from RFC 2131; the RFC is available in full from ictlab at /home/nfs/ietf/rcf/rfc2131.txt.
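How the options field yields the message type of table 4 and the timers of figure 2, as an added example that is not from the handout or from tcpdump's source. The summary line borrows the SID/LT/RN/RB and DHCP: labels of tables 3 and 4 but is this example's own format; the function names and sample bytes are constructed, and the option codes (51, 53, 54, 58, 59) are those of RFC 2132.

```python
import socket
import struct

MAGIC = bytes([99, 130, 83, 99])   # cookie that opens the options field (RFC 2131)
MSG_TYPE = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
            5: "ACK", 6: "NACK", 7: "RELEASE", 8: "INFORM"}   # option 53 values

def parse_options(field: bytes) -> dict:
    """Walk the code/length/value options and return {code: value bytes}."""
    if field[:4] != MAGIC:
        raise ValueError("no magic cookie: plain BOOTP or not DHCP")
    opts, i = {}, 4
    while i < len(field):
        code = field[i]
        if code == 0:                      # pad: single byte, no length
            i += 1
            continue
        if code == 255:                    # end of options
            break
        if i + 1 >= len(field) or i + 2 + field[i + 1] > len(field):
            raise ValueError(f"option {code} runs past the end of the message")
        length = field[i + 1]
        opts[code] = field[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def _u32(opts: dict, code: int, default=None):
    """32-bit unsigned option value, or default when absent or mis-sized."""
    raw = opts.get(code, b"")
    return struct.unpack("!I", raw)[0] if len(raw) == 4 else default

def summarise(field: bytes) -> str:
    """Message type, server id and lease timers, using the table 3/4 labels."""
    opts = parse_options(field)
    if len(opts.get(53, b"")) != 1:
        raise ValueError("DHCP message type (option 53) missing")
    kind = opts[53][0]
    out = ["DHCP:" + MSG_TYPE.get(kind, f"type-{kind}")]  # type-N: example's fallback
    if len(opts.get(54, b"")) == 4:
        out.append("SID:" + socket.inet_ntoa(opts[54]))
    lease = _u32(opts, 51)
    if lease is not None:
        # Figure 2 defaults T1 = T/2, T2 = 7T/8 unless options 58/59 override them.
        out += [f"LT:{lease}", f"RN:{_u32(opts, 58, lease // 2)}",
                f"RB:{_u32(opts, 59, lease * 7 // 8)}"]
    return " ".join(out)

# Constructed sample: options of a DHCPACK from server 192.0.2.1, one-day lease.
SAMPLE_ACK = (MAGIC + bytes([53, 1, 5]) + bytes([54, 4]) + socket.inet_aton("192.0.2.1")
              + bytes([51, 4]) + struct.pack("!I", 86400) + bytes([255]))
```

`summarise(SAMPLE_ACK)` returns `DHCP:ACK SID:192.0.2.1 LT:86400 RN:43200 RB:75600`.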