DHCP數(shù)據(jù)抓包分析–wireshark

DHCP-(Dynamic Host Configuration Procotol，動態(tài)主機(jī)配置協(xié)議)，是一個局域網(wǎng)的網(wǎng)絡(luò)協(xié)議，主要用于給內(nèi)部網(wǎng)絡(luò)或網(wǎng)絡(luò)服務(wù)供應(yīng)商自動分匹配IP地址。屬于TCP/IP協(xié)議，使用UDP進(jìn)行工作。

DHCP有三個端口，其中UDP67和UDP68為正常的DHCP服務(wù)端口，分別為DHCP Server和DHCP Client的服務(wù)窗口，546號端口用于DHCPv6 Client，而不是DHCPv4，是因?yàn)镈HCP failover服務(wù)。該服務(wù)是需要特別開啟的服務(wù)，用于做雙擊熱備份。

作用

• 保證任何統(tǒng)一時刻，同一局域網(wǎng)內(nèi)只能由一臺DHCP客戶機(jī)所使用

• DHCP可以給用戶分配永久固定的IP地址

• DHCP允許用其他方法獲得IP地址的主機(jī)共存，如手動配置IP地址

• DHCP服務(wù)器向所有的BOOTP客戶端提供服務(wù)

DHCP的三種地址分配方式

自動分配：DHCP服務(wù)器給客戶端分配永久性的IP地址

動態(tài)分配：DHCP給客戶端分配的IP地址過一段時間之后會過期，或者客戶端可以主動釋放該地址

手動配置：由用戶手動為客戶端指定IP地址

DHCP工作流程

發(fā)現(xiàn)階段，即DHCP客戶端尋找DHCP服務(wù)器的階段。DHCP客戶端以廣播的方式發(fā)送DHCP Discover包，來尋找DHCP服務(wù)器，即向地址255.255.255.255發(fā)送廣播信息，網(wǎng)絡(luò)上所有裝有TCP/IP協(xié)議的主機(jī)都會接收到該廣播信息，但是只有DHCP服務(wù)器才會做出響應(yīng)。

提供階段：DHCP服務(wù)器提供地址的階段，所有接收到請求的服務(wù)器都會從地址池中選一個IP地址給客戶端。

選擇階段：即DHCP從接收到的所有DHCP提供的IP地址中選擇一個IP地址的過程，廣播方式傳輸，這樣所有DHCP服務(wù)器就直到了他選擇了哪個DHCP服務(wù)器提供的地址。

確認(rèn)階段：即DHCP服務(wù)器確認(rèn)所提供的IP地址階段。當(dāng)DHCP服務(wù)器收到客戶端發(fā)送的DHCP Request請求信息之后，便向DHCP客戶端發(fā)送一個包含所提供的IP地址和其他設(shè)置的DHCP Ack

在Linux上抓DHCP報(bào)文

開啟wireshark開始抓包，然后在命令行上使用以下命令重新獲取IP地址

# 釋放對應(yīng)網(wǎng)卡上的IP地址 $ sudo dhclient -r wlp4s0 # 指定網(wǎng)卡使用`DHCP`獲取IP地址 $ sudo dhclient wlp4s0

或者在簡單點(diǎn),但是這樣做需要足夠快，因?yàn)榫W(wǎng)卡禁用之后就無法使用wireshark進(jìn)行抓包了，所以需要拉網(wǎng)同的同時趕快開始抓包，能不能抓到就看手速了 😹

# 下網(wǎng)卡 ifconfig wlp4s0 down # 上網(wǎng)卡 ifconfig wlp4s0 up

DHCP報(bào)文格式

0 1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| op (1) | htype (1) | hlen (1) | hops (1) |+---------------+---------------+---------------+---------------+| xid (4) |+-------------------------------+-------------------------------+| secs (2) | flags (2) |+-------------------------------+-------------------------------+| ciaddr (4) |+---------------------------------------------------------------+| yiaddr (4) |+---------------------------------------------------------------+| siaddr (4) |+---------------------------------------------------------------+| giaddr (4) |+---------------------------------------------------------------+| || chaddr (16) || || |+---------------------------------------------------------------+| || sname (64) |+---------------------------------------------------------------+| || file (128) |+---------------------------------------------------------------+| || options (variable) |+---------------------------------------------------------------+

• op： 報(bào)文的操作類型，分為請求報(bào)文和響應(yīng)報(bào)文，1請求報(bào)文，2為響應(yīng)報(bào)文，具體的報(bào)文類型在options字段中標(biāo)識
• htype: DHCP客戶端的硬件地址類型1表示是ethernet地址
• hlen: DHCP客戶端的硬件地址長度
• hops: DHCP報(bào)文經(jīng)過的DHCP中繼的數(shù)目。初始為0，報(bào)文每經(jīng)過一個DHCP中繼，該字段就會增加1
• xid: 客戶端發(fā)起一次請求時選擇的隨機(jī)數(shù)，用來標(biāo)識一次地址請求過程
• secs: DHCP客戶端開始DHCP請求后所經(jīng)過的時間，目前未使用，固定為0
• flags: DHCP服務(wù)器相應(yīng)報(bào)文是采用單播還是廣播方式發(fā)送，只使用第0位比特位，0表示采用單播方式，1表示采用廣播方式，其余比特位保留不用
• ciaddr：DHCP客戶端的IP地址
• yiaddr： DHCP服務(wù)器分配給客戶端的IP地址
• siaddr：DHCP客戶端獲取IP地址等信息的服務(wù)器IP地址
• giaddr：DHCP客戶端發(fā)送請求報(bào)文后經(jīng)過的第一個DHCP中繼的IP地址
• chaddr： DHCP客戶端的硬件地址
• sname：DHCP客戶端獲取IP地址等信息的服務(wù)器名稱
• file： DHCP服務(wù)器為DHCP客戶端指定的啟動配置文件名稱及路徑信息。
• options：可選變長字段選項(xiàng)字段，包含報(bào)文的類型、有效租期、DNS服務(wù)器的IP地址和WINS服務(wù)器的IP地址等配置信息。

DHCP報(bào)文類型

? – 來自wireshark數(shù)據(jù)包分析

DHCP報(bào)文類型描述

DHCP Discover	DHCP Discover DHCP客戶端請求地址時，并不知道DHCP服務(wù)器的位置，因此DHCP客戶端會在本地網(wǎng)絡(luò)內(nèi)以廣播方式發(fā)送請求報(bào)文，這個報(bào)文成為Discover報(bào)文，目的是發(fā)現(xiàn)網(wǎng)絡(luò)中的DHCP服務(wù)器，所有收到Discover報(bào)文的DHCP服務(wù)器都會發(fā)送回應(yīng)報(bào)文，DHCP客戶端據(jù)此就可以知道網(wǎng)絡(luò)中存在的DHCP服務(wù)器的位置。
DHCP Offer	DHCP Offer DHCP服務(wù)器收到Discover報(bào)文后，就會在所配置的地址池中查找一個合適的ip地址，加上相應(yīng)的租約期限和其他配置信息（網(wǎng)關(guān)，DNS服務(wù)器等），構(gòu)造一個Offer報(bào)文，發(fā)送給客戶，告知用戶本服務(wù)器可以為其提供IP地址。（只是告訴client可以提供，是預(yù)分配，還需要client通過ARP檢測該IP是否重復(fù)）
DHCP Request	DHCP Request DHCP客戶端會收到很多Offer，所以必須在這些回應(yīng)中選擇一個。Client通常選擇第一個回應(yīng)Offer報(bào)文的服務(wù)器作為自己的目標(biāo)服務(wù)器，并回應(yīng)一個廣播Request報(bào)文，通告選擇的服務(wù)器。DHCP客戶端成功獲取IP地址后，在地址使用租期過去1/2時，會向DHCP服務(wù)器發(fā)送單播Request報(bào)文續(xù)延租期，如果沒有收到DHCP ACK報(bào)文，在租期過去3/4時，發(fā)送廣播Request報(bào)文續(xù)延租期。
DHCP ACK	DHCP ACK DHCP服務(wù)器收到Request報(bào)文后，根據(jù)Request報(bào)文中攜帶的用戶MAC來查找有沒有相應(yīng)的續(xù)約記錄，如果有則發(fā)送ACK報(bào)文作為回應(yīng)，通知用戶可以使用分配的ip地址
DHCP NAK	DHCP NAK 如果DHCP服務(wù)器收到Request報(bào)文后，沒有發(fā)現(xiàn)相應(yīng)的租約記錄或者由于某些原因無法正常分配ip地址，則發(fā)送ACK報(bào)文作為回應(yīng)，通知用戶無法分配合適的ip地址。
DHCP Release	DHCP Release 當(dāng)用戶不在需要使用分配ip地址時，就會向DHCP服務(wù)器發(fā)送Release報(bào)文，告知服務(wù)器用戶不再需要分配ip地址，DHCP服務(wù)器會釋放被綁定的租約。
DHCP Decline	DHCP Decline DHCP客戶端收到DHCP服務(wù)器回應(yīng)的ACK報(bào)文后，通過地址沖突檢測發(fā)現(xiàn)服務(wù)器分配的地址沖突或者由于其他原因?qū)е虏荒苁褂?#xff0c;則發(fā)送Decline報(bào)文，通知服務(wù)器所分配的ip地址不可用。
DHCP Inform	DHCP Inform DHCP客戶端如果需要從DHCP服務(wù)器端獲取更為詳細(xì)的配置信息，則發(fā)送Inform報(bào)文向服務(wù)器進(jìn)行請求，服務(wù)器收到該報(bào)文后，將根據(jù)租約進(jìn)行查找，找到相應(yīng)的配置信息后，發(fā)送ACK報(bào)文回應(yīng)DHCP客戶端（極少用到）。

以下是整個DHCP正常交互的過程

# 1. 首先發(fā)送 發(fā)現(xiàn)包 Frame 68: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface wlp4s0, id 0 # ff:ff:ff:ff:ff:ff MAC地址采用廣播的形式 Ethernet II, Src: Chongqin_e1:18:a9 (40:23:43:e1:18:a9), Dst: Broadcast (ff:ff:ff:ff:ff:ff) # 255.255.255.255 IP地址采用廣播的形式 Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255 User Datagram Protocol, Src Port: 68, Dst Port: 67 Dynamic Host Configuration Protocol (Discover)Message type: Boot Request (1)Hardware type: Ethernet (0x01)Hardware address length: 6Hops: 0Transaction ID: 0x2e2bec50Seconds elapsed: 0Bootp flags: 0x0000 (Unicast)0... .... .... .... = Broadcast flag: Unicast.000 0000 0000 0000 = Reserved flags: 0x0000Client IP address: 0.0.0.0Your (client) IP address: 0.0.0.0Next server IP address: 0.0.0.0Relay agent IP address: 0.0.0.0Client MAC address: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)Client hardware address padding: 00000000000000000000Server host name not givenBoot file name not givenMagic cookie: DHCPOption: (53) DHCP Message Type (Discover)Length: 1DHCP: Discover (1)Option: (12) Host NameLength: 14Host Name: andrew-G3-3590Option: (55) Parameter Request ListLength: 13Parameter Request List Item: (1) Subnet MaskParameter Request List Item: (28) Broadcast AddressParameter Request List Item: (2) Time OffsetParameter Request List Item: (3) RouterParameter Request List Item: (15) Domain NameParameter Request List Item: (6) Domain Name ServerParameter Request List Item: (119) Domain SearchParameter Request List Item: (12) Host NameParameter Request List Item: (44) NetBIOS over TCP/IP Name ServerParameter Request List Item: (47) NetBIOS over TCP/IP ScopeParameter Request List Item: (26) Interface MTUParameter Request List Item: (121) Classless Static RouteParameter Request List Item: (42) Network Time Protocol ServersOption: (255) EndOption End: 255Padding: 000000000000000000000000000000000000000000000000…No. Time Source Destination Protocol Length Info69 0.003566600 192.168.199.1 192.168.199.235 DHCP 342 DHCP Offer - Transaction ID 0x2e2bec50 # 2. 服務(wù)器發(fā)送 offer包 Frame 69: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface wlp4s0, id 0 # MAC地址 指定 Chongqin_e1:18:a9 Ethernet II, Src: HIWIFI_65:b0:40 (d4:ee:07:65:b0:40), Dst: Chongqin_e1:18:a9 (40:23:43:e1:18:a9) # 正常的IP地址會指向 255.255.255.255 但是由于我這里抓包的時候，不是釋放之后抓奧，而是使用程序重新獲取的IP地址，所以服務(wù)器直接將offer包發(fā)廢了設(shè)備的老的IP地址 Internet Protocol Version 4, Src: 192.168.199.1, Dst: 192.168.199.235 User Datagram Protocol, Src Port: 67, Dst Port: 68 Dynamic Host Configuration Protocol (Offer)Message type: Boot Reply (2)Hardware type: Ethernet (0x01)Hardware address length: 6Hops: 0Transaction ID: 0x2e2bec50Seconds elapsed: 0Bootp flags: 0x0000 (Unicast)0... .... .... .... = Broadcast flag: Unicast.000 0000 0000 0000 = Reserved flags: 0x0000Client IP address: 0.0.0.0Your (client) IP address: 192.168.199.235Next server IP address: 192.168.199.1Relay agent IP address: 0.0.0.0Client MAC address: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)Client hardware address padding: 00000000000000000000Server host name not givenBoot file name not givenMagic cookie: DHCPOption: (53) DHCP Message Type (Offer)Length: 1DHCP: Offer (2)Option: (54) DHCP Server Identifier (192.168.199.1)Length: 4DHCP Server Identifier: 192.168.199.1Option: (51) IP Address Lease TimeLength: 4IP Address Lease Time: (43200s) 12 hoursOption: (58) Renewal Time ValueLength: 4Renewal Time Value: (21600s) 6 hoursOption: (59) Rebinding Time ValueLength: 4Rebinding Time Value: (37800s) 10 hours, 30 minutesOption: (1) Subnet Mask (255.255.255.0)Length: 4Subnet Mask: 255.255.255.0Option: (28) Broadcast Address (192.168.199.255)Length: 4Broadcast Address: 192.168.199.255Option: (3) RouterLength: 4Router: 192.168.199.1Option: (6) Domain Name ServerLength: 4Domain Name Server: 192.168.199.1Option: (15) Domain NameLength: 3Domain Name: lanOption: (255) EndOption End: 255Padding: 000000No. Time Source Destination Protocol Length Info70 0.000447243 0.0.0.0 255.255.255.255 DHCP 342 DHCP Request - Transaction ID 0x2e2bec50 # 客戶端接受一個IP地址之后 胡以廣播的方式 告知接受服務(wù)器提供的IP地址信息 Frame 70: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface wlp4s0, id 0 Ethernet II, Src: Chongqin_e1:18:a9 (40:23:43:e1:18:a9), Dst: Broadcast (ff:ff:ff:ff:ff:ff) Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255 User Datagram Protocol, Src Port: 68, Dst Port: 67 Dynamic Host Configuration Protocol (Request)Message type: Boot Request (1)Hardware type: Ethernet (0x01)Hardware address length: 6Hops: 0Transaction ID: 0x2e2bec50Seconds elapsed: 0Bootp flags: 0x0000 (Unicast)0... .... .... .... = Broadcast flag: Unicast.000 0000 0000 0000 = Reserved flags: 0x0000Client IP address: 0.0.0.0Your (client) IP address: 0.0.0.0Next server IP address: 0.0.0.0Relay agent IP address: 0.0.0.0Client MAC address: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)Client hardware address padding: 00000000000000000000Server host name not givenBoot file name not givenMagic cookie: DHCPOption: (53) DHCP Message Type (Request)Length: 1DHCP: Request (3)Option: (54) DHCP Server Identifier (192.168.199.1)Length: 4DHCP Server Identifier: 192.168.199.1Option: (50) Requested IP Address (192.168.199.235)Length: 4Requested IP Address: 192.168.199.235Option: (12) Host NameLength: 14Host Name: andrew-G3-3590Option: (55) Parameter Request ListLength: 13Parameter Request List Item: (1) Subnet MaskParameter Request List Item: (28) Broadcast AddressParameter Request List Item: (2) Time OffsetParameter Request List Item: (3) RouterParameter Request List Item: (15) Domain NameParameter Request List Item: (6) Domain Name ServerParameter Request List Item: (119) Domain SearchParameter Request List Item: (12) Host NameParameter Request List Item: (44) NetBIOS over TCP/IP Name ServerParameter Request List Item: (47) NetBIOS over TCP/IP ScopeParameter Request List Item: (26) Interface MTUParameter Request List Item: (121) Classless Static RouteParameter Request List Item: (42) Network Time Protocol ServersOption: (255) EndOption End: 255Padding: 00000000000000000000000000No. Time Source Destination Protocol Length Info71 0.005910802 192.168.199.1 192.168.199.235 DHCP 355 DHCP ACK - Transaction ID 0x2e2bec50 # 服務(wù)器確認(rèn)接受的是自己提供的IP地址之后 會向客戶端回復(fù)ACK Frame 71: 355 bytes on wire (2840 bits), 355 bytes captured (2840 bits) on interface wlp4s0, id 0 Ethernet II, Src: HIWIFI_65:b0:40 (d4:ee:07:65:b0:40), Dst: Chongqin_e1:18:a9 (40:23:43:e1:18:a9) Internet Protocol Version 4, Src: 192.168.199.1, Dst: 192.168.199.235 User Datagram Protocol, Src Port: 67, Dst Port: 68 Dynamic Host Configuration Protocol (ACK)Message type: Boot Reply (2)Hardware type: Ethernet (0x01)Hardware address length: 6Hops: 0Transaction ID: 0x2e2bec50Seconds elapsed: 0Bootp flags: 0x0000 (Unicast)0... .... .... .... = Broadcast flag: Unicast.000 0000 0000 0000 = Reserved flags: 0x0000Client IP address: 0.0.0.0Your (client) IP address: 192.168.199.235Next server IP address: 192.168.199.1Relay agent IP address: 0.0.0.0Client MAC address: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)Client hardware address padding: 00000000000000000000Server host name not givenBoot file name not givenMagic cookie: DHCPOption: (53) DHCP Message Type (ACK)Length: 1DHCP: ACK (5)Option: (54) DHCP Server Identifier (192.168.199.1)Length: 4DHCP Server Identifier: 192.168.199.1Option: (51) IP Address Lease TimeLength: 4IP Address Lease Time: (43200s) 12 hoursOption: (58) Renewal Time ValueLength: 4Renewal Time Value: (21600s) 6 hoursOption: (59) Rebinding Time ValueLength: 4Rebinding Time Value: (37800s) 10 hours, 30 minutesOption: (1) Subnet Mask (255.255.255.0)Length: 4Subnet Mask: 255.255.255.0Option: (28) Broadcast Address (192.168.199.255)Length: 4Broadcast Address: 192.168.199.255Option: (3) RouterLength: 4Router: 192.168.199.1Option: (6) Domain Name ServerLength: 4Domain Name Server: 192.168.199.1Option: (15) Domain NameLength: 3Domain Name: lanOption: (12) Host NameLength: 14Host Name: andrew-G3-3590Option: (255) EndOption End: 255

總結(jié)

以上是生活随笔為你收集整理的DHCP数据抓包分析--wireshark的全部內(nèi)容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網(wǎng)站內(nèi)容還不錯，歡迎將生活随笔推薦給好友。