Wireshark is a free and open source packet analyzer used for network troubleshooting and analysis. These activities will show you how to use Wireshark to capture and analyze Dynamic Host Configuration Protocol (DHCP) traffic.

Readings edit

Preparation edit

To prepare for this activity:

  1. Start Windows.
  2. Log in if necessary.
  3. Install Wireshark.

Activity 1 - Capture DHCP Traffic edit

To capture DHCP traffic:

  1. Start a Wireshark capture.
  2. Open a command prompt.
  3. Type ipconfig /renew and press Enter.
  4. Type ipconfig /release and press Enter.
  5. Type ipconfig /renew and press Enter.
  6. Close the command prompt.
  7. Stop the Wireshark capture.

Activity 2 - Analyze DHCP Request Traffic edit

To analyze DHCP Request (lease renewal) traffic:

  1. Observe the traffic captured in the top Wireshark packet list pane. To view only DHCP traffic, type udp.port == 68 (lower case) in the Filter box and press Enter.
  2. In the top Wireshark packet list pane, select the first DHCP packet, labeled DHCP Request.
  3. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  4. Expand Ethernet II to view Ethernet details.
  5. Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  6. Expand Internet Protocol Version 4 to view IP details.
  7. Observe the Source address. Notice that the source address is your IP address.
  8. Observe the Destination address. Notice that the destination address is the IP address of the DHCP server.
  9. Expand User Datagram Protocol to view UDP details.
  10. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
  11. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
  12. Expand Bootstrap Protocol to view BOOTP details.
  13. Observe the DHCP Message Type. Notice that it is a Request (3).
  14. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.

Activity 3 - Analyze DHCP ACK Traffic edit

To analyze DHCP ACK (server acknowledgement) traffic:

  1. In the top Wireshark packet list pane, select the second DHCP packet, labeled DHCP ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the DHCP server IP address.
  7. Observe the Destination address. Notice that the destination address is your IP address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
  10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is an ACK (5).
  13. Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the DHCP server.
  14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.

Activity 4 - Analyze DHCP Release Traffic edit

To analyze DHCP Release traffic:

  1. In the top Wireshark packet list pane, select the third DHCP packet, labeled DHCP Release.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your DHCP server's MAC address and the source should be your MAC address. You can use ipconfig /all and arp -a to confirm.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is your IP address.
  7. Observe the Destination address. Notice that the destination address is the IP address of the DHCP server.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
  10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is a Release (7).
  13. Observe the Client IP address and Client MAC address fields. This is the address that will be released on the DHCP server.

Activity 5 - Analyze DHCP Discover Traffic edit

To analyze DHCP Discover (lease request) traffic:

  1. In the top Wireshark packet list pane, select the fourth DHCP packet, labeled DHCP Discover.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be the broadcast address ff:ff:ff:ff:ff:ff and the source should be your MAC address. When the client doesn't have an IP address or server information, it has to broadcast to discover a DHCP server.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP address.
  7. Observe the Destination address. Notice that the destination address 255.255.255.255, the broadcast IP address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
  10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is a Discover (1).
  13. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.

Activity 6 - Analyze DHCP Offer Traffic edit

To analyze DHCP Offer (server offer) traffic:

  1. In the top Wireshark packet list pane, select the fifth DHCP packet, labeled DHCP Offer.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the DHCP server's IP address.
  7. Observe the Destination address. Notice that the destination address is 255.255.255.255 (broadcast) address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
  10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is an Offer (2).
  13. Observe the Client IP address and Client MAC address fields. This is the offer from the DHCP server.
  14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.

Activity 7 - Analyze DHCP Request Traffic edit

To analyze DHCP Request (lease request) traffic:

  1. In the top Wireshark packet list pane, select the sixth DHCP packet, labeled DHCP Request.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be the broadcast address ff:ff:ff:ff:ff:ff and the source should be your MAC address. When the client doesn't have an IP address or server information, it has to broadcast to request an address lease.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is 0.0.0.0, indicating no current IP address.
  7. Observe the Destination address. Notice that the destination address 255.255.255.255, the broadcast IP address.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootpc (68), the BOOTP client port.
  10. Observe the Destination port. Notice that it is bootps (67), the BOOTP server port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is a Request (3).
  13. Observe the Client IP address, Client MAC address, and DHCP option fields. This is the request to the DHCP server.

Activity 8 - Analyze DHCP ACK Traffic edit

To analyze DHCP ACK (server acknowledgement) traffic:

  1. In the top Wireshark packet list pane, select the seventh DHCP packet, labeled DHCP ACK.
  2. Observe the packet details in the middle Wireshark packet details pane. Notice that it is an Ethernet II / Internet Protocol Version 4 / User Datagram Protocol / Bootstrap Protocol frame.
  3. Expand Ethernet II to view Ethernet details.
  4. Observe the Destination and Source fields. The destination should be your MAC address and the source should be your DHCP server's MAC address.
  5. Expand Internet Protocol Version 4 to view IP details.
  6. Observe the Source address. Notice that the source address is the DHCP server IP address.
  7. Observe the Destination address. Notice that the destination address is the broadcast address 255.255.255.255.
  8. Expand User Datagram Protocol to view UDP details.
  9. Observe the Source port. Notice that it is bootps (67), the BOOTP server port.
  10. Observe the Destination port. Notice that it is bootpc (68), the BOOTP client port.
  11. Expand Bootstrap Protocol to view BOOTP details.
  12. Observe the DHCP Message Type. Notice that it is an ACK (5).
  13. Observe the Client IP address and Client MAC address fields. This is the acknowledgement from the DHCP server.
  14. Observe the DHCP options and expand to view the details for IP Address Lease Time, Subnet Mask, Router (Default Gateway), Domain Name Server, and Domain Name, as well as any other options if included.
  15. Close Wireshark to complete this activity. Quit without Saving to discard the captured traffic.

References edit