Systems and Network Management

DHCP and tcpdump

Nick Urbanik ver. 1.0

1 Background

The format of DHCP packets was established with RFC 951 for the bootstrap protocol, or BOOTP. DHCP was made backward compatible with the BOOTP protocol so that the infrastructure of BOOTP relay agents on routers would not need to be replaced. The DHCP extensions to BOOTP are BOOTP options. Table 1 shows the names of the fields in the fixed-format part of a DHCP message.

| Field | Description |
|---|---|
| op | Message operation code: 1 in message from client, 2 in message from server |
| htype | Link-layer address type from RFC 1700. For Ethernet, htype is 1. |
| hlen | Link-layer address length, in bytes (number of bytes in chaddr field) |
| hops | Number of relay agents that have forwarded this message. |
| xid | Transaction identifier; used by clients to match responses from servers with previously transmitted requests. |
| secs | Number of seconds since client began DHCP transaction |
| flags | Least significant bit is set to 1 to indicate messages to client must be broadcast |
| ciaddr | Client's IP address, set by client after it reaches BOUND state (i.e., address is valid) |
| yiaddr | Client's IP address, set by server to inform client of its address ("your" IP address) |
| siaddr | IP address of the next server for the client to use (i.e., for the client to download an operating system kernel using tftp) |
| giaddr | Relay agent (or "gateway") IP address: relay agent fills this in with the address of the interface through which it received the DHCP message |
| chaddr | Client's link-layer address (i.e., on our LAN, the Ethernet address) |
| sname | Name of the next server for client to use in the configuration process |
| file | Filename the client should request from the next server (i.e., an operating system kernel, or kickstart file) |

Table 1: DHCP message fields

[Figure 1: state diagram, not reproduced here. States shown: INIT, INIT-REBOOT, SELECTING, BOUND, RENEWING, REBINDING. Timer labels: "At T1, renew using unicasts"; "At T2, begin broadcasting requests to all DHCP servers".]

Figure 1: A state diagram showing states of a DHCP client. Note that $T$ is the lease time, $T_1 = T/2$, $T_2 = 7T/8$. See also Table 3 from the DHCP RFC 2131 (available in full at /home/nfs/ietf/rcf/rfc2131.txt), which summarises DHCP messages.

2 tcpdump and DHCP

The manual page for the current version of tcpdump (version 3.7.1; an RPM is available from our server) unfortunately does not explain the detail of all the fields in the DHCP protocol. To understand them all, it is necessary to look at the source. Here is my summary after reading ~/RPM/BUILD/tcpdump-3.7.1/tcpdump-3.7.1/print-bootp.c.

| Field | printf() format in tcpdump | Short description |
|---|---|---|
| htype | " htype-#%d" | length of link-layer address |
| hops | " hops:%d" | number of relay agents |
| xid | " xid:0x%x" | transaction id |
| secs | " secs:%d" | seconds since session started |
| flags | " flags:0x%x" | lsb is broadcast flag |
| ciaddr | " C:%s" | Client's IP address |
| yiaddr | " Y:%s" | 'your' IP address (BOOTP client) |
| siaddr | " S:%s" | Server's IP address |
| giaddr | " G:%s" | Gateway's IP address |
| chaddr | " ether %s" | Ethernet address |
| sname | sname "servername" | name of next server |
| file | file "filename" | file name to download |
| | SM | Subnet mask |
| | DG | Default gateway |
| | TS | Time server |
| | NS | Name servers |
| | HN | Host name |
| | DN | Domain name |

Table 2: How tcpdump represents various DHCP fields.

| Message | Use |
|---|---|
| DHCPDISCOVER | Client broadcast to locate available servers. |
| DHCPOFFER | Server to client in response to DHCPDISCOVER with offer of configuration parameters. |
| DHCPREQUEST | Client message to servers either (a) requesting offered parameters from one server and implicitly declining offers from all others, (b) confirming correctness of previously allocated address after, e.g., system reboot, or (c) extending the lease on a particular network address. |
| DHCPACK | Server to client with configuration parameters, including committed network address. |
| DHCPNAK | Server to client indicating client's notion of network address is incorrect (e.g., client has moved to new subnet) or client's lease has expired. |
| DHCPDECLINE | Client to server indicating network address is already in use. |
| DHCPRELEASE | Client to server relinquishing network address and cancelling remaining lease. |
| DHCPINFORM | Client to server, asking only for local configuration parameters; client already has externally configured network address. |

Table 3: DHCP messages: this is "table 2" from RFC 2131; the RFC is available in full from ictlab at /home/nfs/ietf/rcf/rfc2131.txt.
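
To tie Table 1 to Table 2, here is an added example (not code from tcpdump or from this handout) that decodes the fixed-format part of a message and renders it with the Table 2 format strings. The function names, the sample packet and the rule for leaving out zero or empty fields are assumptions of this example.

```python
import socket
import struct

# Fixed-format part of a BOOTP/DHCP message (Table 1), network byte order:
# op htype hlen hops | xid | secs flags | ciaddr yiaddr siaddr giaddr |
# chaddr[16] sname[64] file[128]  -> 236 bytes; options follow and are ignored.
BOOTP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
NAMES = ("op htype hlen hops xid secs flags "
         "ciaddr yiaddr siaddr giaddr chaddr sname file").split()

def parse_bootp(payload: bytes) -> dict:
    """Decode the fixed header from a UDP payload (hypothetical helper)."""
    if len(payload) < BOOTP_FIXED.size:
        raise ValueError("truncated: %d < %d bytes"
                         % (len(payload), BOOTP_FIXED.size))
    f = dict(zip(NAMES, BOOTP_FIXED.unpack_from(payload)))
    for k in ("ciaddr", "yiaddr", "siaddr", "giaddr"):
        f[k] = socket.inet_ntoa(f[k])
    # hlen comes off the wire: never let it reach past the 16-byte chaddr.
    hlen = min(f["hlen"], 16)
    f["chaddr"] = ":".join("%02x" % b for b in f["chaddr"][:hlen])
    for k in ("sname", "file"):
        f[k] = f[k].split(b"\0", 1)[0].decode("ascii", "replace")
    return f

# (field, Table 2 printf format, value treated as "nothing to print").
# Assumption of this example: zero/empty fields are left out, and htype
# is shown only when it is not 1 (Ethernet).
TABLE2 = [
    ("htype", " htype-#%d", 1), ("hops", " hops:%d", 0),
    ("xid", " xid:0x%x", 0), ("secs", " secs:%d", 0),
    ("flags", " flags:0x%x", 0), ("ciaddr", " C:%s", "0.0.0.0"),
    ("yiaddr", " Y:%s", "0.0.0.0"), ("siaddr", " S:%s", "0.0.0.0"),
    ("giaddr", " G:%s", "0.0.0.0"), ("chaddr", " ether %s", ""),
    ("sname", ' sname "%s"', ""), ("file", ' file "%s"', ""),
]

def summarize(f: dict) -> str:
    """Render decoded fields in the style of Table 2."""
    return "".join(fmt % f[key] for key, fmt, skip in TABLE2 if f[key] != skip)

# Constructed sample: a relayed server reply offering 192.0.2.50.
SAMPLE = BOOTP_FIXED.pack(
    2, 1, 6, 1, 0x3903F326, 4, 0,
    socket.inet_aton("0.0.0.0"), socket.inet_aton("192.0.2.50"),
    socket.inet_aton("192.0.2.1"), socket.inet_aton("192.0.2.254"),
    bytes.fromhex("001122334455"), b"", b"pxelinux.0")

if __name__ == "__main__":
    print(summarize(parse_bootp(SAMPLE)))
```

The clamp on hlen matters when reading captures from an untrusted network: the length field is sender-controlled, while chaddr is always 16 bytes.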