DHCP报文精细分析_加上抓包

1、DHCP报文精细分析_加上抓包开始抓报文时首先执行的 IPCONFIG/RELEASE命令的作用是用来释放 IP,这条报文后 面分析，在释放Ip后执行的更新IP命令IPCONFIG/RENEW将发起一个DHCP过程，分析从 这里开始。现在，客户机没有地址，它就会发出一个DHCPDiscover报文，该报文是广播报文，所有的具有DHCP Server功能的服务器都会收到该报文。-I User Ddtagrdn PratoLul, Src. Purt; buotpc (665, Bit Fort;t67source port: bootpcDstirtatior port: hootps (67

2、Length： 306d chcksun: 0x27 5 3al i dation d1 sab ldjGood dhecksun: FalitBad Checksum! False3 Bootstrap ProtocolLypt: &ix)t Hcqueht (1)Hardwar rypei trhcrnTHardware acdrcss lengTh: 6Mop5: 0Transactior io： Ox5Cd8$alOseconds elapscd: 0ud aooip flags: OkQOOC Cunlcist) Client IP address: 192,L6.1.102 (19

3、2A68-1.1D2J Your (client) IP flddrfss: 0,0,0,0 (0.0 client Prewarpadding? ooooaooooooooaoaoooo erver host name net giver booi file fine ixjc givenMagic cwkifl: (OK)0 option: t-5J, 1 -1) oikp Messaqe Typt 二 DHCP Releasein optlont Smiler hoa-t ruse rot 0DOt tile n*ne not Haqic 444*1: (Ok) Opfiar : :t-

4、S3 1-1 j- OpHan； ft三OprlflP： TtlEnd 口ptisnCliwt Kac Address1 g-rnaisf7：iee-ibi ?o；firalif? efb cllw! hr-CkhVtp唧dii甲；曲mMMOOWOCWMWgivengivenDHCP Mrr5nage- Type QmCF ftelEASt 卅* 理r穴identifier =1.1ClitriT 1ainrifi.tr2、DHCP discover报文使用的 Broadcasts口. fliclwkw*|vaUa4rian aMla4jgR ggu” FA1 5e (J昶 thelhw &1

5、|$电1!Mra-iage tjnpc; B(Mrt ftequiest (.!Hirniri Ryp: tihvnic.Hrthaara adrirass. Inngth: GHCp% ClTrtiK-Fl44i m： #K7Ul47d5Kond5 dapped. 0 b刪。OmMOOClirnr IP deb-qs; O； D O(n fl. 00)riK： Addrsssi _u. Tl: il.bi C.-C;fl jdif7；M：b()w tcHentJ IP 制尹 E； Q. O n 0. 0 (0 0. 0. Oji !NK Hrwr A IMidrOH： 60.比0 0. Da

6、.01 DJ Ml ay aqfirr ZP sdresr 0-0, a D !.O. . 0, 0J client cllsm5t vf hcrT - .=ire rm flf nerHie -tin e apLlcnI Qpt 1 g i e opr 1 on:Tveri1HP Htia jg* T rpe IXF DI 3-c.o-. cr C l lent idam1?1*rMquA5E4d SV Ml苗* , l&lr 1 .U-5aal-di(t-so.I-j)HIDS.E MJHfl ME H - SDBr4ilD411-4) irftiW弭“Ci-55S1-12) pararr

7、eitr squ-PEC list5、hd 如 t HkF面的这是 UDP的这上的DHCP,客户端发启的 bootpc端口是68,目标端口是67些oyiw port; boctpf (百E)2%电PrutoccM.占匚 Port; buotpc.方) ttst Port: bootpsi 06丫)MT1 rat Ian pore bcotpf CJiLmgch： JOfichecksum： s4bf9di cabledGood Chedksum: F alseuadi dhcksuM： f-ail ie3、DHCP offer报文（cisco用单播来实现）Tp-link使用的是组播实现Lh4

8、cKcAj* i $甘旳 EdraldlliMfltrap PTMjHAJICh*ck?UH- FlfJBo-Dtira Prcrt ccol冃jrdtajr* Addr langth E朋訴；0TrifrsaciTcti iu 0s?i9JMci轧eE曲 cll tpad： 0 S-QttTp Flgq旷 Ov-VTOO BFmdc$nTCltmc 2P fdtirus; Q.Q0Q 仇66 0vfliir (cHwiO 庐阳!t： ci.D.a.D (a-0.0,a)NtiaTIF AJdra&S . Q ,O.COP 0 . Q.Rdl jy 艺阳厂1!： if adrus . 0.0.

9、D.Q CO-O.O.D3c1iw w 4dres$. -Q.ri.ai;T7；i#；ti5 理汁T賢曲# elfew hardware address p-MldTa： oomoooooomow 5er wer boat fw Et nH*肿(pa f i 1 和昨 wt-Magic 匚k1e:(M)Cc-Uj-1) yu 爭他1* bptIdFj* opclon _l opt 5ar. .1。歼伽-* Dpclor- 世Opt *-* Ojnr!ba ML*d 11 WE：Rsqpfi&TAd zp 4ddrss iU.i*6B.l.idL2OttCF 5, U)T (client E 甘

10、期 HZ liM 1.14? USE-1 Mi.1,12J FIT3* 4dFrV7- 0i 1-0 0Q)當agerr IF aridrea;： 0.i.Q Q0 0.Ch 011 亠时佃 ?Orfl(?0 11 Ak iflM 停wrdwarp adiius hhUh: QtOMlHMXSaMWmHn lir*ir 0宅-nlrw! notKam F j la n na* -f 4vmi*B!C wdd : (*K)i直贰制！欣-刃】*1AC*吨INgr TjflW * PF 屮世 ttajpti-wi; tt-Val-J.) OhCF Server Ide1tii: flOdt Rafi

11、 y (2) Hfrw?F *wrI* iKi也灵 im.lM r 1H fl畀wtit 弓灯洛IF *ddrc: *0 (LO (fljD 0.0) iwldiy Aiint t* iddras& 2 6. .9.0 (l.C. G.0)icll*nc *M adar.$:rr? 4.Jbi p&if 1 sFT：*#；bfclicinc bivJnar- XdQ% pdd1r*ig- a&DDGOOaDOOOOOCMMlQOD j#*bir hast HiiM nai gtwBoat Filt- nawe nan dtvwi*(rc c cdki e ： (Cs-.1 fcian:(貞八赵

12、ckf 桂決*軒 哼斛 -ec*k cpx 1 on.Ct-54b1*J ef 乂mzdanclT1r 1A2.1.1出 邙tl曲肌 tE-Slfe14i IP Adititt LMla* fl* * 3 ihourh Optmn;-右屛己時“為工费a Opt inn: (t-3,1-43 im.WlJL (ipipn-Omin 删时 Jip-Mir Ifr? 1W.1-1End apclomFbddlngDHCP客户端发起的就 UDP 68端口，而 DHCP server发起的是67的端口。1客户端发出的IP租用请求报文：dhcpdiscover: 此为client开始DHCP过程中的第一个

13、请 求报文DHCP客户机初如化 TCP/IP,通过UDP端口 68向网络中发送一个 DHCP DISCOVER请求租用IP地址。该广播包中的源IP地址为0.0.0.0，目标IP地址为255.255.255.255 ;包中还包含客户机的 MAC地址和计算机名。41417 BL. aasssi255.255DKP CrCP D15CCT.6T - Transaciion ID Qx7L35dTda Boot str ap ProtocolMessage type: Boot Request (1)Hardware type: EthernetHardware address length; 6Ho

14、ps: 0Transact1on ID： 0x71936d7dEeconds 1apsed: 0+ Bootp flags: OxBOOO Eroad匚ast)匚1ienr ip address:0,0.0 (0* 0.0.0)your (cHent) IP address: 0,0, 0, 0 0.0. 0. 0匸 server IP address: 0.0.0.0 (0.0.0)Relay agent lp address: 0.O.Q,0 (Q.0.0.0) client mac address: 70:fl:al:f7:ee:b5 (70:fl:al:f7:ee:b5 cl lent

15、 hardware Address padding: 00000000000000OOOOOO Server host name not givenBoot file name not givenMagic cookie: (OK option:dhcp Message Type - dh匚卩 oiscoveroption: (53) DHCP Message TypeLengrh; 1value： 01Fi opti on: (t=6L j l=-7) client i dnt If i erOption: (6L) Client identifierL电ngth: 7value： 017O

16、F1a1F7eeb5Hrdware type: Ethernetclient mac address: 70:fl;al:f7;ee;b5 (70 :fl:al:f7；ee；b5)a option: (t=5O,l=4) Requested ip Address = 192,16&.1.102option： (50) Requested ip AddressLength: 4Vlue： C0A8Q1&6B option: (t=12 J-15) Host Name - win-S0B4B461OA11 option: (12) Host NameLength： 15value: 57494E2

17、D$34F42343a3436114F4131Fi option: (t=6Of 1=B? vendor class identifier = r,M5FT 5.Qoption; 60) vendor cl ass identifierLength: 8value: 4D5345542O352E3O-i option:(1=55,1=12) Para产Etmr Request Listoption: (55) Parameter Reque&T ListLength: 12i- option: Ct=S5,l=12) Parameter Request List opti on: (55) P

18、arameter Request Li st Length: 12 Value： D1OFO3C62C2E2F1FZ179F92B1 - subnet Maik15 = DDinai n Name3 = Router6 = Domai n Name server44 = NetBIOS over tcp/ip Name server46 = Neteros over tcp-ip Node Type4= = MetBLOS over TCP IP 5匚ope31 = Perform Router Discover33 statlc Route121 = classless static Rou

19、te249 = Pri vane /c 1 assless STatnc Route crosof t)43 = vendar-5pecifiic informati onEnd option2 DHCP回应的IP租用提供报文：dhepoffer:此为server 对dhcpdiscover 报文的响应报文任何接收到DHCPDISCOVER广播包并且能够提供 IP地址的DHCP服务器，都会通过 UDP 67 给客户机回应一个 DHCPOFFER广播包，提供一个 IP地址。该广播包的源 IP地址为DHCP服务器IP，目标IP地址为255.255.255.255 ;包中还包含提供的IP地址、子网掩

20、 码，网关，DNS及租期等信息。44la2.1C5.1.1aiS.ZSS-JSI- J55exp CHCP art er - Trans actionOxTigZSdTdS Bootstrap Protocol Message typ: Boot Reply 2) Mar d?;are type: ET her net Hard?/rm address 1 ength: 6 Hops; 0 Transaction 10： 0x71936d7d seconds elapsed: 0 + Bootp flags: 0x8000 (Broadcast) Clienr HP address: 0.0.

21、0.0 CO.0.0.0) vour (cllent? IP address： 192,163,1.10? (192.l&B.1.102 Next server IP address: Q+ 0.0.0 (Q+ 0.0.0) Relay agent IP address: 0.0.0.0 (0.0.0.0) cli ent MAC address: 70:fl:al if7:ee:b5 (70:fl:al:f7:e:b5) C1ienr hardware address padding: 00000000000000000000 ver host name not gi ven Boor fi

22、le name not given Magic cookie: (OK)3 Opti on; (t=53, =1 DHCP Mesidge Type = DhCP Off arOptJ an: f53) DHCF es sage TypeLength: 1Value: 02-Opt i on :DI4C3 Server Tdcntif i er = 192.1.1Option:) DHCP Server Tdenfifi rLength: 4valufc: COA3D101- dpi i cn: t=5L|- IP address Lease Ti mt = 2 hoursOption: (5

23、1) if Addr ess Lease Ki meLength: 4Value： 00031C20-：Option:-l*1=d) Subnet k = 255*255.255*0optinn: 1) SLihrer 阳衣Length; 4value; ffffffqo= opii an ; (t=3f 1 =4) Router = 192*1 庁吕 Woption: (3) RouterLength: 4value:匚OA3D101=option: (r-6, l=i) nnnwi n Nan*1 sprvpr - lfl2.168,1.1Option: C6) nonsin Nn? sp

24、rverLength: 4valuff： COA30101End aptionPadding3客户选择IP租用报文：dheprequst :此为client对dihepoffer报文的响应客户机从不止一台 DHCP服务器接收到提供之后，会选择第一个收到的DHCPOFFEF包，并向网络中广播一个 DHCPREQUES消息包，表明自己已经接受了一个DHCP服务器提供的IP地址。该广播包中包含 所接爱的IP地址和服务器的IP地址。所有其他的 DHCP 服务器撤消它们的提供以便将IP地址提供下一次IP租用请求。HCF DHCP RE-QU&EI - ITSitlACT TOO Ei Gootp fl

25、as: 0x8&00 (Broadcasttin ent IP addr ess: ClO.DO (0.0. 0 0)Your (cl n ent ip address : 0. 000 (0 0.0+0Next server IP address: 0.0-0.0 (0.0,0.0)Rel ay agerrt TP address: 0. 0_ 0.0 (0. 0.0.0)ell ent mac adetres-s : 70:fl: al:f7: ee: b5:fl：al:f 7 :ee:b5)Client hardware address paddi ng: 00OOOOOOOOOCOOO

26、OOOOO server host name not givenBoot file name notMagi 匚 cooki e : (ok) 田 option: (T=53JL) 1+ Option: (t61,1-7) i option； (1=50, W) i+ option： (1=54,1=1)givendhcp Message Type = dhcp RequestCl lent identifierrequested ip Address = L921WS1102hcp server iderrfi fier = 192-168.1.1F Option : (t=12 J=15J Host Name = 11WIN-5OB4610Alr, i+ option: (t=&l J=18 cl 1 ent Ful ly Qual ifl ed Dcmiain Name 1+ opr i an : (1=60,1-&) vend or class identif 1 er = mmsft 5.0 i+ opt ion : (1 = 55,1=12 Pa