DHCP交互报文分析

DHCP交互报文分析DHCP简单介绍DHCP（DynamicHostConfigurationProtocol，动态主机配置协议）是一个局域网的网络协议，使用UDP协议工作，主要有两个用途：给内部网络或网络服务供应商自动分配IP地址，给用户或者内部网络管理员作为对所有计算机作中央管理的手段，在RFC2131中有详细的描述。DHCP有3个端口，其中UDP67和UDP68为正常的DHCP服务端口，分别作为DHCPServer和DHCPClient的服务端口；546号端口用于DHCPv6Client，而不用于DHCPv4,是为DHCPfailover服务，这是需要特别开启的服务，DHCPfailover是用来做“双机热备”的。DHCP协议前身为bootp协议，故使用抓包软件过滤时过滤协议为：bootpDHCP交互过程如图DHCP报文交互过程分析DHCPDiscover客户端请求报文此过程主要为客户端用户寻找DHCP服务器过程，此时客户机没有IP地址向全网发送广播报文，等待DHCP服务的回应，只有装有DHCP服务器的主机才能响应此报文DHCP服务器接收到discover请求后，会向客户端发出DHCPOffer报文作为回应，该报文包含该DHCP服务器可向DHCP客户端提供的IP地址以及该DHCP服务器自己的IP地址信息2551.4157325^0.41^?2606.42253OTTI・uru0,2551.4157325^0.41^?2606.42253OTTI・uru0,Q.0.0.0.025S.Z55.255.Z552S5.255.255-255255.255-255-255DHCPDHCPDHCPDH€PDFfCF1DlbCOV^r342DHCPDiscover342DHCPDiscover-TransactionidOx&fQaf-TransactionIDOx肝胸-TtansactionTDOicEf9a1?TransactionID0x15©Frame53:巴2初严总勺on*i~ii•已(2?WE自弓匚吕ptu厂自on~irrtE『fN匚日0©EthernetII」ST：; fbbi'Ztj;曹H・Dst： iff卡Jl+limerrieiPiroiXoTVErsdwi斗.「列匸：0・0,0・0f(?・Q・O■时.仍工：巧5・255・冨5,2巧〔255・255・LtlUserDatagramProrocDl,£rcPort:booTpc(63)?OstPort:bootps(67)□Bwtwt厂證pP厂口芯口七©1Messagetype;BootRequest(1) Harc^areType:ETheiririeT(0x01)— 机！&容户常无iPiGilh贡送广篙报文Hardwareaddress1engrh:6如果无响应报文，则客户端会持续发送Discover报文Secondelapsed为下一次发送discover报文的时间：46246253T.246B4hChthO47|_2_529-_2^955_pfcChCLQ454口544.397160-0-0.0咛.利仃只耳1n.n.n.cDHCP342DHCPDiscover-Transa匚tionID0xd7a627adDtKP342DMCPDiscover-TrartsactionIDoxdra^zadDHCP342DmCPDi5cover-TrartsactionIDDxd?a627adITHTPHHFP-Tr^r*sflrTinriiTHn^Afq^q?7fiFraimEtheiInreiUserBaorjMeksjigttype；bootRcquesrCl)HsrdwaLretype;Ethernet(OkOI)Hardwareaddresslength:6Heps:0TitansacrlonIDFraimEtheiInreiUserBaorjMeksjigttype；bootRcquesrCl)HsrdwaLretype;Ethernet(OkOI)Hardwareaddresslength:6Heps:0TitansacrlonID：0xd7B627adLt1勺芒匚ciind百 ■芒d:n^tII..Src:50]7bs^d:0031bs0c(SO:?bs9d300:1b:0c)aDst:Braadcas-t{ff3ff:ff:ff3ff:ff3TIE苍Prar00:01Version44SrcsCh0-0-0(ChCLCL0),DSI：：255・255・：255・；255(255.255.2&5u255)□a€agranProtocol,£rcPort:baorp匚(五目)Lt1勺芒匚ciind百 ■芒d:DHCPOffer服务器响应报文DHCP客户端会选择最先接收到的DHCPOffer进行处理，并以广播的形式发送DHCPRequest报文，该报文会加入对应DHCP服务器的地址以及所需要的IPDHCP服务器收到Discover报文后，就会在所配置的地址池中查找一个合适的IP地址，加上相应的租约期限和其他配置信息（如网关、DNS服务器等），构造一个Offer报文，发送给用户，告知用户本服务器可以为其提供IP地址。＜只是告诉client可以提供，是预分配，还需要client通过ARP检测该IP是否重复〉ir1田Frame5斗：工4mtjyrE：sDniaHfe£2丁耳6 342byrE£taptLiF电吕(2726ir1田Frame5斗：工4mtjyrE：sDniaHfe£2丁耳6 342byrE£taptLiF电吕(2726丘1瓷咛)on"InTE『~Fac•己0uelher叮亡1工工」占『€；¥伽迅1‘p一cf:詳：也f口0：0君：？q：广广：理门：斤£\>3InternetProtocolVersion4rS「t; 乳”10(1朋W.1D)；,0航；10E,%監UEBWdOR刁UserOatagraHProtocoleSrcPort:bnotps|<67)tQBootstrapProtocol□st：与c：2b=号cLCupii）：n匚boutpcTfiU协论淵口勿37.68酣为响应|曲越濡求Messagerypei旦ncn: (2)HardereType；trh^rrwi(DxOl)Hardwareaddresslength;6Hops*:QTransacT™ionID:0x00156dle5亡匚onds 0gBoetpflags:OxDOOO(Unicast)匸"l-jiant:IPadd厂ees:ClO・0,D(CkCLCLCQ ；——-—— |tdu「电nt)TP 呂■:ZLKB-弓.弓.ILD2(即&.巴■弓.丄口？)I 口口亡口只購器的I绪客戸粕邙P地址Smac:002c.29cfJ06-£l5D7hgdOa.IbOt3IIP!188.3.3.10目的I巳188.3.3.1D3Nextserverifaddress:0,0,DrD(orQrQ,o>Relayag^entIPaddress；0,0,0.0(D.CKChO〉 I匸TiEirtIMAC初击卒号；$0;比；期；00;lb;Oc(50;『b;9d;00:;lb;0f〕~|——-|5F户議船的凱劉!址C71enrhard^'areaddresspadding:serverliastranienorgivenbodlfil=enarncnorgivenMagiccaakie;DHCP\ 卩曲dhcp毗55臥芒阻Length；1DHCP;OfferC2)Bdpt"ion器［54jDHCP 厂卞芒厂 电『LEngih:4IDU“5^『\吃『工^包门匸!！"j赶「：1：83］監乳10CL垂8■乳3：.10）1FOption;[51JIPAddressLeaseTimel-ajigtilrud IPAddressLeaseTine:(600s>IQminutesdpi："ion:(1)宫口已T啊通5kUriqth：』ffi国ElSubrnetMask:255-^255..tip ~(15^)DamaTTrhameaprian:(3)Rcmrsr-w oprion:(6)DOfflilnserverDHCPRequest客户端回复报文DHCP服务器接收到DHCPRequest报文后，会判断报文中的服务器IP是否与自己相同。如果不同，不做任何处理，只清除相应的IP分配记录；如果相同，服务器会向客户端发送ACK报文，确认可以使用，并且附上相应的租期川552747.159?9.U.U.U1,U352DHCPRequestTransa匚tiionIDQxlS^dlEDHCP56町4Q1I5B4空 ISSTJTJTTKE：~JTiTmTi口Ticmro口HAFfflF PCXPE：匚PEXTiE川552747.159?9.U.U.U1,U352DHCPRequestTransa匚tiionIDQxlS^dlEDHCP56町4Q1I5B4空 ISSTJTJTTKE：~JTiTmTi口Ticmro口HAFfflF PCXPE：匚PEXTiE：匚辺DHCPACK3j4TransiactionIDQxl56dle『芒*匚十dFrame55:35Zbwesonwire(2316bit>Xjibytescaptured(2BL5bixs)oninterfaceDDHCPP55.255.亦⑺5.255.冇乩P55)riboaips-(67)尚未羽到iPH!址客户'蜩Hfttmuuuuuuuuuuuuuuuuuouusss5S目BBBAllrJH3---'IJ®歸DHCPMessageTypeClientidentifierRequestedIPAddressDHCPServerIdenfifierHostNaniieCliemFully-QualifiedDomainiNarfteVendorclassidentifierParameterfteque^tList1遥报文丸广区出£1£1□Bciarsrrapprorocoll(53)C61)C50)CW)(12)(31)(6D)間(255)EndMessaget^pe:Boornequcsr.(1JHardwarerype:EiherneT(OxOljiHardwareaddresslength;五Hops;0TransactionID;0x001SfidleSecondselap&ed:0Eocitpf"IagJ:OicODOClflUrTifast:、clienrIPaddress:□□0.0.05.CLCL0)$Gur~(匚IP耳闵「€宜吕：ChQ.Q-0go-CLD')InterrterProrocolVer^kjrT]4,£rc：!0,0.0.usercaragi1anPiro-rcKoll3NextserverIPaddress:0.0.0.0(D.D.D.D)fte1ayagentIPaddress:!G.Q.0.0(D.D.D.D)|匚1ienrmacaddr#ss750^7b!!00!lb^DeC50i7b!gdiOO:lb":clienrhardwareaaoresspaddlnq：serverhostna»enorgivenBiootfilen^nenorgivenMagiccookie;D*KPOpticn;Option:Option:Option:OptionsOption:Option:Option:□piioni：Etherrtcr11.,|弓「u Th:gKiOO:Hb:D匸｛汨:池辽时泊口：曲羊匚｝,|Dst:Broadcast(ff:ff:ff:ffTff:ff)tpariibooip匚DHCPACK服务器发出的确认报文DHCP客户端接收到ACK信息后，会检查该IP是否能够使用，如果可以就直接使用该IP572750,29759-168.3,3.102255.255^255.255255.255.255.255DHCPDHCPJ4：2DHCPinfom-TransactionIPQi(49f6^5143^2DHCPInfora572750,29759-168.3,3.102255.255^255.255255.255.255.255DHCPDHCPJ4：2DHCPinfom-TransactionIPQi(49f6^5143^2DHCPInfora-TransactlanIDQx49f6d514Frane56:3412byresonwire(2756bits),342bwescaptured<2736bits)oninterfaceoEthernetII,£rc:Vnware_cf!40:64(00：Dc：2g：cf!40!&«),Ck；T!soirbigd^oa^ibia.:(5D!7b：9d：QO：lb![]4：)inTernecproiocolversion4fsre:19fi.3.3.10(10B.3.3.10：1PMT：186/3.3,102Cl88,3.3.IPS)582753・2£6211呂B・2・乳102in5『匚Port;■ Pi田m田User[>atagrai»ProtSEootstrapProtcuzolMessagetvp€：|Ed□亡£皂口~1¥(2〕 $hardwarerype!Ethernet ■匕一Hardware且ddresslengrh:6 極口扌収标4Hopi：0TransactioniID;OjtQOlSGcilE5-£CDiridselaps-ed:0l±Boorpflags!OsDODO(Lin1匚耳吕t)t"ITmint工戸白出弓：CkCkO.◎fikO-O.CI] Ivour1门応曲)hp抑曲已巧：d嗣W.l呢 3门「:1。2)INextserverIPaddress;D-r0.0,0(0.0,0,0)RelayagentIPaddressz0-.0.0-0CO.G-0-0)丼史臣心matftf交目的F1.matserverhostnamenorgivenBootfileniarenotgivenMagiccookie:DHCPOption:(5-3)DHCPMessageTypeflprlon:(54)DhCPserverIdenrifier.oprion:(51)ipAddress-LeaseTime—■—i+i±mlloprIon:⑴subneiMaskvFTk

田Option;Option:Aprion:opriori!padding(15)Dan-ainNaneC3)Routerf* ~(6)DamainNam&server(255)End报丈奘型：ackDMP.8H翳堆址IPW祖IW闫ipie址子銅码路■田I尸-DNSftSDHCPInform客户端确认信息DHCP客户端如果需要从DHCP服务器端获取更为详细的配置信息，则发送Inform报文向服务器进行请求，服务器收到该报文后，将根据租约进行查找，找到相应的配置信息后，发送ACK报文回应DHCP客户端。＜极少用到〉2750.2fl；759|l^.3.3.1022750.2fl；759|l^.3.3.10227S3.m21Hr3.3.1022761.289920.0.0.0『昌r-pfdri-『nii俱ef、件药5J巧，鮎気F55255,255.255.2S5255-255.255.255rrrri-i~-teri-Tti-rDHCPDfrKP剂2xp :Enforml - iranswerIon id 0-x49f6d51ji剂2D*KP Inform - Transactian I& &x4^6d51-4346DHCP Request - Transaction ID 0x9296205fQUserDatagramPraracol?SrcParrQUserDatagramPraracol?SrcParr：!凸白听戸匸〔丘⑪〕・0眈P口尸“c(50:7b:9d^00:1b:0c),Ost:Src^adcast〔ff汁fiff:ff汁f:ff)IBB.1.3.102(IBB.3.3.102),Dsr：|255-255.255.255(255.25i.255.255)Franie：舁；342bytes口口w~i「e：(2了越 342bytescaptured(273首bits)oninterface00Eth-ernetII.5rc:5Ch7b:阳：0。：ib:(田IrrccrnetPro-tqcdIVersion4,Src::曰bodlstrappraTocalMessagelyue:bootRequesr.(1)Hardwaretype;Ethernet(0x01)Hardwar已address1engthi；伍H叩吕：0Transaci:1orID:OK49f6d514Secondselapsed：!0田日巴oupfldig百：cijccicicidfuni匸匕门即]IPailcl『空5：[關门.LICIT〔1$良2・M1CCYaur(client)TPaddress:0.0,0,0CO-r0.0,0)DHCPRequest客户端续租报文DHCP客户端成功获取IP地址后，在地址使用租期过去1/2时，会向DHCP服务器发送单播Request报文续延租期，如果没有收到DHCPACK报文，在租期过去3/4时，发送广播Request报文续延租期。

勺些2丁El・工£■吕专2 ClClip255.255.255.255DHCP346DtKPRequest-TTari5act:ion100xg296ZO5f|602764.366S40.0.0.0^55.255.255.255DHCP346DHCPRequest-Trans-actiionIDOJi3e5dZJfO612767,?27340,0,0,0255-255-355-255DHCP346DHCPRequest-Transa匚iSonID口小记討的622776.5S5100,0,0,0255-255.255.255DHCP346WCPRequest-TTansacfianIDOni3e5d34fORFrame59:3>4tibytesonwire(2768bits),346bytesc-aptured£2768bits)oninterface0QEthierinetIIPSrc:50:7b:3d:0031b:0c(5Q;7bj9d:00:lbsOc)HDsr:Bro-adcasr(ff:ff3ff:ff:ff::ff)l±ImerrietPrarQCDllVereiDn4,£rc：D.Q.a.0(0.D.D-D)?DST!25^.255.255.255(255.255-255.255)田userDatagramprotocol,srcFort:booip-c(68)PD5inori^booips(>67)SBootstrapProtocolDHCPRelease客户端释放IP地址当用户不再需要使用分配IP地址时，就会主动向DHCP服务器发送Release报文，告知服务器用户不再需要分配IP地址，DHCP服务器会释放被绑定的租约。557SD7：EU5TI60,ITT2S13.B45250»0.O.Q'2814.16112IBB.3u3.1D255,155.255,255DHCPDHCPLHrKZP255»255.255.255JL68u3.3.102557SD7：EU5TI60,ITT2S13.B45250»0.O.Q'2814.16112IBB.3u3.1D255,155.255,255DHCPDHCPLHrKZP255»255.255.255JL68u3.3.10234?dhcpRelease|-Transacrionid&M§ccaSc38342DHCPDiscover-TransactionID0x2a75if653342DhCPOffer -