DHCP Packet Capture Analysis with Wireshark

Tech, 2022-08-11


DHCP (Dynamic Host Configuration Protocol) is a local-area network protocol whose main job is to assign IP addresses automatically on an internal network or at a network service provider. It is part of the TCP/IP suite and runs over UDP.

DHCP uses three ports. UDP 67 and UDP 68 are the normal DHCP service ports, used by the DHCP server and the DHCP client respectively. Port 546 is used by the DHCPv6 client rather than DHCPv4; this is because of the DHCP failover service, which has to be enabled explicitly and is used for dual-server hot standby.

Functions

- Ensures that at any given moment an IP address is used by only one DHCP client within the same LAN
- DHCP can assign a user a permanent, fixed IP address
- DHCP allows hosts that obtain their IP address by other means, such as manual configuration, to coexist with it
- The DHCP server provides service to all BOOTP clients

The three DHCP address allocation methods

- Automatic allocation: the DHCP server assigns the client a permanent IP address
- Dynamic allocation: the IP address the DHCP server assigns to the client expires after a period of time, or the client may release it proactively
- Manual configuration: the user specifies the client's IP address by hand

DHCP workflow

Discovery phase: the DHCP client looks for a DHCP server. The client sends a DHCP Discover packet by broadcast, i.e. to the address 255.255.255.255, to find a DHCP server. Every host on the network with TCP/IP installed receives this broadcast, but only DHCP servers respond to it.

Offer phase: the DHCP server offers an address. Every server that received the request selects an IP address from its address pool and offers it to the client.

Selection phase: the DHCP client chooses one IP address from all the offers it received. The choice is sent by broadcast, so every DHCP server learns which server's offered address the client selected.

Acknowledgement phase: the DHCP server confirms the IP address it offered. When the DHCP server receives the client's DHCP Request, it sends the client a DHCP Ack containing the offered IP address and the other settings.

Capturing DHCP packets on Linux

Start a capture in Wireshark, then re-acquire the IP address from the command line with the following commands:

    # release the IP address on the given interface
    $ sudo dhclient -r wlp4s0
    # have the interface obtain an IP address via DHCP
    $ sudo dhclient wlp4s0

Or, even more simply, as below. But you have to be quick: once the interface is disabled Wireshark can no longer capture on it, so you need to start the capture the moment you bring the interface back up, and whether you catch the packets depends on how fast your hands are 😹

    # bring the interface down
    ifconfig wlp4s0 down
    # bring the interface up
    ifconfig wlp4s0 up

DHCP message format

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |     op (1)    |   htype (1)   |   hlen (1)    |   hops (1)    |
    +---------------+---------------+---------------+---------------+
    |                            xid (4)                            |
    +-------------------------------+-------------------------------+
    |           secs (2)            |           flags (2)           |
    +-------------------------------+-------------------------------+
    |                          ciaddr  (4)                          |
    +---------------------------------------------------------------+
    |                          yiaddr  (4)                          |
    +---------------------------------------------------------------+
    |                          siaddr  (4)                          |
    +---------------------------------------------------------------+
    |                          giaddr  (4)                          |
    +---------------------------------------------------------------+
    |                                                               |
    |                          chaddr  (16)                         |
    |                                                               |
    |                                                               |
    +---------------------------------------------------------------+
    |                                                               |
    |                          sname   (64)                         |
    +---------------------------------------------------------------+
    |                                                               |
    |                          file    (128)                        |
    +---------------------------------------------------------------+
    |                                                               |
    |                          options (variable)                   |
    +---------------------------------------------------------------+

- op: operation type of the message, request or reply; 1 is a request, 2 is a reply. The specific message type is identified in the options field.
- htype: hardware address type of the DHCP client; 1 means an Ethernet address.
- hlen: hardware address length of the DHCP client.
- hops: number of DHCP relays the message has passed through. It starts at 0 and is incremented by 1 each time the message passes through a DHCP relay.
- xid: random number chosen by the client when it starts a request, used to identify one address-request transaction.
- secs: time elapsed since the DHCP client started the DHCP request; currently unused and fixed at 0.
- flags: whether the DHCP server sends its reply by unicast or broadcast. Only bit 0 is used: 0 means unicast, 1 means broadcast; the remaining bits are reserved.
- ciaddr: the DHCP client's IP address.
- yiaddr: the IP address the DHCP server assigns to the client.
- siaddr: IP address of the server from which the DHCP client obtains its IP address and other information.
- giaddr: IP address of the first DHCP relay that the client's request passed through.
- chaddr: the DHCP client's hardware address.
- sname: name of the server from which the DHCP client obtains its IP address and other information.
- file: name and path of the boot configuration file the DHCP server specifies for the client.
- options: variable-length option field carrying configuration such as the message type, lease time, DNS server IP address and WINS server IP address.

DHCP message types

– from Wireshark Packet Analysis

DHCP Discover
    When a DHCP client requests an address it does not know where the DHCP server is, so it sends the request by broadcast on the local network. This message is called the Discover; its purpose is to find the DHCP servers on the network. Every DHCP server that receives a Discover sends a reply, and from those replies the client learns where the DHCP servers on the network are.

DHCP Offer
    After receiving a Discover, the DHCP server looks up a suitable IP address in its configured address pool, adds the corresponding lease period and other configuration (gateway, DNS server and so on), builds an Offer message and sends it to the client, telling the client that this server can provide it an IP address. (This only tells the client that an address is available; it is a pre-allocation, and the client still has to use ARP to check whether the IP address is already in use.)

DHCP Request
    The client may receive many Offers, so it has to choose one of them. The client usually takes the first server whose Offer arrives as its target server and replies with a broadcast Request message announcing the server it selected. After the client has obtained an IP address, when half of the lease time has elapsed it sends a unicast Request to the DHCP server to extend the lease; if it receives no DHCP ACK, when three quarters of the lease has elapsed it sends a broadcast Request to extend the lease.

DHCP ACK
    After receiving a Request, the DHCP server uses the client MAC carried in the Request to look for a matching lease record. If one exists it replies with an ACK, telling the client that it may use the assigned IP address.

DHCP NAK
    If, after receiving a Request, the DHCP server finds no matching lease record, or for some reason cannot assign the IP address normally, it replies with a NAK, telling the client that no suitable IP address can be assigned.

DHCP Release
    When the client no longer needs the assigned IP address, it sends a Release message to the DHCP server saying it no longer needs the address, and the DHCP server releases the bound lease.

DHCP Decline
    If, after receiving the server's ACK, the client's address conflict detection finds that the assigned address conflicts with another host, or the address cannot be used for some other reason, it sends a Decline message telling the server that the assigned IP address is unusable.

DHCP Inform
    If the client needs more detailed configuration information from the DHCP server, it sends an Inform message to request it. The server looks up the lease, finds the corresponding configuration and replies to the client with an ACK (rarely used).

The following is the complete exchange of a normal DHCP transaction:

    # 1. The client first sends the Discover packet
    Frame 68: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface wlp4s0, id 0
    # Destination MAC ff:ff:ff:ff:ff:ff: the frame is broadcast at the link layer
    Ethernet II, Src: Chongqin_e1:18:a9 (40:23:43:e1:18:a9), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    # Destination IP 255.255.255.255: the packet is broadcast at the IP layer
    Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
    User Datagram Protocol, Src Port: 68, Dst Port: 67
    Dynamic Host Configuration Protocol (Discover)
        Message type: Boot Request (1)
        Hardware type: Ethernet (0x01)
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x2e2bec50
        Seconds elapsed: 0
        Bootp flags: 0x0000 (Unicast)
            0... .... .... .... = Broadcast flag: Unicast
            .000 0000 0000 0000 = Reserved flags: 0x0000
        Client IP address: 0.0.0.0
        Your (client) IP address: 0.0.0.0
        Next server IP address: 0.0.0.0
        Relay agent IP address: 0.0.0.0
        Client MAC address: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: DHCP
        Option: (53) DHCP Message Type (Discover)
            Length: 1
            DHCP: Discover (1)
        Option: (12) Host Name
            Length: 14
            Host Name: andrew-G3-3590
        Option: (55) Parameter Request List
            Length: 13
            Parameter Request List Item: (1) Subnet Mask
            Parameter Request List Item: (28) Broadcast Address
            Parameter Request List Item: (2) Time Offset
            Parameter Request List Item: (3) Router
            Parameter Request List Item: (15) Domain Name
            Parameter Request List Item: (6) Domain Name Server
            Parameter Request List Item: (119) Domain Search
            Parameter Request List Item: (12) Host Name
            Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
            Parameter Request List Item: (47) NetBIOS over TCP/IP Scope
            Parameter Request List Item: (26) Interface MTU
            Parameter Request List Item: (121) Classless Static Route
            Parameter Request List Item: (42) Network Time Protocol Servers
        Option: (255) End
            Option End: 255
        Padding: 000000000000000000000000000000000000000000000000…

    No.  Time         Source         Destination      Protocol  Length  Info
    69   0.003566600  192.168.199.1  192.168.199.235  DHCP      342     DHCP Offer - Transaction ID 0x2e2bec50

    # 2. The server sends the Offer packet
    Frame 69: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface wlp4s0, id 0
    # The destination MAC now names the client, Chongqin_e1:18:a9
    Ethernet II, Src: HIWIFI_65:b0:40 (d4:ee:07:65:b0:40), Dst: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)
    # Normally the destination IP would be 255.255.255.255, but because I captured this while
    # re-requesting the address with the client program rather than after releasing it,
    # the server sent the Offer straight to the device's old IP address
    Internet Protocol Version 4, Src: 192.168.199.1, Dst: 192.168.199.235
    User Datagram Protocol, Src Port: 67, Dst Port: 68
    Dynamic Host Configuration Protocol (Offer)
        Message type: Boot Reply (2)
        Hardware type: Ethernet (0x01)
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x2e2bec50
        Seconds elapsed: 0
        Bootp flags: 0x0000 (Unicast)
            0... .... .... .... = Broadcast flag: Unicast
            .000 0000 0000 0000 = Reserved flags: 0x0000
        Client IP address: 0.0.0.0
        Your (client) IP address: 192.168.199.235
        Next server IP address: 192.168.199.1
        Relay agent IP address: 0.0.0.0
        Client MAC address: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: DHCP
        Option: (53) DHCP Message Type (Offer)
            Length: 1
            DHCP: Offer (2)
        Option: (54) DHCP Server Identifier (192.168.199.1)
            Length: 4
            DHCP Server Identifier: 192.168.199.1
        Option: (51) IP Address Lease Time
            Length: 4
            IP Address Lease Time: (43200s) 12 hours
        Option: (58) Renewal Time Value
            Length: 4
            Renewal Time Value: (21600s) 6 hours
        Option: (59) Rebinding Time Value
            Length: 4
            Rebinding Time Value: (37800s) 10 hours, 30 minutes
        Option: (1) Subnet Mask (255.255.255.0)
            Length: 4
            Subnet Mask: 255.255.255.0
        Option: (28) Broadcast Address (192.168.199.255)
            Length: 4
            Broadcast Address: 192.168.199.255
        Option: (3) Router
            Length: 4
            Router: 192.168.199.1
        Option: (6) Domain Name Server
            Length: 4
            Domain Name Server: 192.168.199.1
        Option: (15) Domain Name
            Length: 3
            Domain Name: lan
        Option: (255) End
            Option End: 255
        Padding: 000000

    No.  Time         Source   Destination      Protocol  Length  Info
    70   0.000447243  0.0.0.0  255.255.255.255  DHCP      342     DHCP Request - Transaction ID 0x2e2bec50

    # 3. After accepting an IP address, the client announces by broadcast which server's address it accepted
    Frame 70: 342 bytes on wire (2736 bits), 342 bytes captured (2736 bits) on interface wlp4s0, id 0
    Ethernet II, Src: Chongqin_e1:18:a9 (40:23:43:e1:18:a9), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Internet Protocol Version 4, Src: 0.0.0.0, Dst: 255.255.255.255
    User Datagram Protocol, Src Port: 68, Dst Port: 67
    Dynamic Host Configuration Protocol (Request)
        Message type: Boot Request (1)
        Hardware type: Ethernet (0x01)
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x2e2bec50
        Seconds elapsed: 0
        Bootp flags: 0x0000 (Unicast)
            0... .... .... .... = Broadcast flag: Unicast
            .000 0000 0000 0000 = Reserved flags: 0x0000
        Client IP address: 0.0.0.0
        Your (client) IP address: 0.0.0.0
        Next server IP address: 0.0.0.0
        Relay agent IP address: 0.0.0.0
        Client MAC address: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: DHCP
        Option: (53) DHCP Message Type (Request)
            Length: 1
            DHCP: Request (3)
        Option: (54) DHCP Server Identifier (192.168.199.1)
            Length: 4
            DHCP Server Identifier: 192.168.199.1
        Option: (50) Requested IP Address (192.168.199.235)
            Length: 4
            Requested IP Address: 192.168.199.235
        Option: (12) Host Name
            Length: 14
            Host Name: andrew-G3-3590
        Option: (55) Parameter Request List
            Length: 13
            Parameter Request List Item: (1) Subnet Mask
            Parameter Request List Item: (28) Broadcast Address
            Parameter Request List Item: (2) Time Offset
            Parameter Request List Item: (3) Router
            Parameter Request List Item: (15) Domain Name
            Parameter Request List Item: (6) Domain Name Server
            Parameter Request List Item: (119) Domain Search
            Parameter Request List Item: (12) Host Name
            Parameter Request List Item: (44) NetBIOS over TCP/IP Name Server
            Parameter Request List Item: (47) NetBIOS over TCP/IP Scope
            Parameter Request List Item: (26) Interface MTU
            Parameter Request List Item: (121) Classless Static Route
            Parameter Request List Item: (42) Network Time Protocol Servers
        Option: (255) End
            Option End: 255
        Padding: 00000000000000000000000000

    No.  Time         Source         Destination      Protocol  Length  Info
    71   0.005910802  192.168.199.1  192.168.199.235  DHCP      355     DHCP ACK - Transaction ID 0x2e2bec50

    # 4. After the server confirms that the accepted address is the one it offered, it replies to the client with an ACK
    Frame 71: 355 bytes on wire (2840 bits), 355 bytes captured (2840 bits) on interface wlp4s0, id 0
    Ethernet II, Src: HIWIFI_65:b0:40 (d4:ee:07:65:b0:40), Dst: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)
    Internet Protocol Version 4, Src: 192.168.199.1, Dst: 192.168.199.235
    User Datagram Protocol, Src Port: 67, Dst Port: 68
    Dynamic Host Configuration Protocol (ACK)
        Message type: Boot Reply (2)
        Hardware type: Ethernet (0x01)
        Hardware address length: 6
        Hops: 0
        Transaction ID: 0x2e2bec50
        Seconds elapsed: 0
        Bootp flags: 0x0000 (Unicast)
            0... .... .... .... = Broadcast flag: Unicast
            .000 0000 0000 0000 = Reserved flags: 0x0000
        Client IP address: 0.0.0.0
        Your (client) IP address: 192.168.199.235
        Next server IP address: 192.168.199.1
        Relay agent IP address: 0.0.0.0
        Client MAC address: Chongqin_e1:18:a9 (40:23:43:e1:18:a9)
        Client hardware address padding: 00000000000000000000
        Server host name not given
        Boot file name not given
        Magic cookie: DHCP
        Option: (53) DHCP Message Type (ACK)
            Length: 1
            DHCP: ACK (5)
        Option: (54) DHCP Server Identifier (192.168.199.1)
            Length: 4
            DHCP Server Identifier: 192.168.199.1
        Option: (51) IP Address Lease Time
            Length: 4
            IP Address Lease Time: (43200s) 12 hours
        Option: (58) Renewal Time Value
            Length: 4
            Renewal Time Value: (21600s) 6 hours
        Option: (59) Rebinding Time Value
            Length: 4
            Rebinding Time Value: (37800s) 10 hours, 30 minutes
        Option: (1) Subnet Mask (255.255.255.0)
            Length: 4
            Subnet Mask: 255.255.255.0
        Option: (28) Broadcast Address (192.168.199.255)
            Length: 4
            Broadcast Address: 192.168.199.255
        Option: (3) Router
            Length: 4
            Router: 192.168.199.1
        Option: (6) Domain Name Server
            Length: 4
            Domain Name Server: 192.168.199.1
        Option: (15) Domain Name
            Length: 3
            Domain Name: lan
        Option: (12) Host Name
            Length: 14
            Host Name: andrew-G3-3590
        Option: (255) End
            Option End: 255