1
00:00:03,260 --> 00:00:09,010
Okay so let's have a look at Wireshark, now before getting into the nitty-gritty.

2
00:00:09,060 --> 00:00:15,840
I want to show you a really nice option in Wireshark. Notice here we have messages, discover, offer, request

3
00:00:15,870 --> 00:00:19,490
and acknowledgement. In Wireshark

4
00:00:19,680 --> 00:00:28,020
you can go to the statistics menu and click flow graph and you can see messages being sent on the network.

5
00:00:28,040 --> 00:00:33,750
I'm gonna limit this to the filter which at the moment is DHCP

6
00:00:33,890 --> 00:00:38,700
And notice what you can see in the output here.

7
00:00:38,950 --> 00:00:41,830
Make this a bit smaller so I can zoom in.

8
00:00:41,890 --> 00:00:51,090
Notice we've got DHCP discover with this transaction I.D. ending in C3.

9
00:00:51,190 --> 00:00:52,360
Here's an offer.

10
00:00:52,640 --> 00:00:56,380
Here's a request and here's an acknowledgement.

11
00:00:56,440 --> 00:01:00,540
This shows graphically the process of how the client,

12
00:01:00,550 --> 00:01:08,320
notice there is no IP address here sends a broadcast message 255.255.255.255 trying to discover

13
00:01:09,010 --> 00:01:10,540
DHCP servers on the network.

14
00:01:10,570 --> 00:01:12,160
So it's saying, who's out there?

15
00:01:12,190 --> 00:01:17,350
I need an IP address the DHCP server offers an IP address to the client.

16
00:01:17,370 --> 00:01:23,620
There may be multiple DHCP serves on the network so the DHCP service that receive these discover messages

17
00:01:23,620 --> 00:01:26,210
will offer IP addresses to the client.

18
00:01:26,320 --> 00:01:29,680
The client will then request one of those IP addresses.

19
00:01:29,950 --> 00:01:35,880
In this example is only one DHB server so it's only going to request the IP address from that DHB server

20
00:01:36,160 --> 00:01:41,640
but if there were multiple DHCP servers in the network it would request an IP address from one of them.

21
00:01:41,650 --> 00:01:50,260
Typically the first one to offer an IP address and then the DHCP server will acknowledge that request.

22
00:01:50,260 --> 00:01:57,160
This is a great option in Wireshark you can graphically see discover, offer, request, and acknowledgement.

23
00:01:57,460 --> 00:02:01,090
Again discover try and discover DHCP servers on the network.

24
00:02:01,090 --> 00:02:04,300
DHCP server will offer an IP address to the client.

25
00:02:04,420 --> 00:02:10,960
The client will then accept that offer and request the IP address from that DHCP server and the DHCP server

26
00:02:11,050 --> 00:02:17,150
will acknowledge that request. Now notice in the Wireshark capture

27
00:02:17,180 --> 00:02:26,000
I've got a DHCP discover, DHCP offer, DHCP request, and DHCP acknowledgment, notice the IP address on DHCP

28
00:02:26,150 --> 00:02:28,400
Discover there is no IP address.

29
00:02:28,610 --> 00:02:38,820
It's sending a message to a broadcast address, so the PC is trying to discover a DHCP server on the Internet.

30
00:02:38,870 --> 00:02:49,050
Notice the MAC address ends in 80b0 going back to my PC notice MAC address ends in 80b0.

31
00:02:49,540 --> 00:02:56,800
So this message is being sent from that Windows PC we can also see that by looking at the client identifier.

32
00:02:56,830 --> 00:03:06,050
Notice MAC address their message type is DHCP discover the PC is trying to discover a DHCP server

33
00:03:06,210 --> 00:03:10,450
and as mentioned notice, it's requesting to use this IP address.

34
00:03:10,450 --> 00:03:16,750
The reason for that is because once again the PC used that IP address previously and is trying to get

35
00:03:16,780 --> 00:03:18,450
the same IP address.

36
00:03:18,580 --> 00:03:22,530
If a new device boots up it won't do that and I'll show you that in a moment

37
00:03:22,780 --> 00:03:26,640
but because this MSEDGEWIN10

38
00:03:26,700 --> 00:03:33,130
PC previously was allocated this IP address it's simply requesting the same IP address again.

39
00:03:33,160 --> 00:03:38,620
Notice you can see under hostname the name of this window's PC once again

40
00:03:38,620 --> 00:03:40,710
there it is on the windows host.

41
00:03:40,870 --> 00:03:51,260
So in windows and in Wireshark, so first step is Discover, PC is trying to discover the DHCP server.

42
00:03:51,260 --> 00:03:55,760
Now, this IP address once again 10.1.1.254 is the DHCP server.

43
00:03:55,760 --> 00:04:03,290
In our example, this is the router, router is configured with this IP address. So the router replies back

44
00:04:04,470 --> 00:04:10,680
to a broadcast address because the client doesn't have an IP address yet. It can't send a message to an

45
00:04:10,680 --> 00:04:17,100
IP address because the client doesn't have an IP address. So broadcasts saying your IP address is this

46
00:04:17,519 --> 00:04:23,420
so your client IP address is this, your client MAC address remember ending an 80b0.

47
00:04:23,550 --> 00:04:26,130
That is the MAC address of this windows

48
00:04:26,140 --> 00:04:30,920
PC so that MAC address will get this IP address.

49
00:04:31,170 --> 00:04:32,110
Option 53,

50
00:04:32,110 --> 00:04:40,300
this is an offer from this DHCP server I'll just jump back for a moment.

51
00:04:40,320 --> 00:04:48,140
Notice the protocol used here is UDP from source port 68 to destination port 67.

52
00:04:48,630 --> 00:04:53,910
but here we're using DHCP which uses UDP.

53
00:04:53,910 --> 00:04:58,950
In this example, source port is 67 going to destination port 68

54
00:04:58,950 --> 00:05:07,380
and again the server with this identifier is allocating an IP address to the client with a lease time

55
00:05:07,410 --> 00:05:08,680
of one day.

56
00:05:08,760 --> 00:05:11,550
It needs to renew after 12 days

57
00:05:11,550 --> 00:05:18,920
as I said previously typically after half the lease period clients will be told to renew. Notice subnet

58
00:05:18,920 --> 00:05:20,810
mask default gateway

59
00:05:20,870 --> 00:05:28,460
Option 3 here default gateway or router DNS server option 6 and option 15 is domain name.

60
00:05:28,910 --> 00:05:33,570
So that's the offer from the DHCP server to the client.

61
00:05:33,770 --> 00:05:39,800
The client then requests that IP address the reason why is we could have multiple servers offering IP

62
00:05:39,800 --> 00:05:42,870
addresses to the client and it needs to request one of them.

63
00:05:42,920 --> 00:05:48,520
So you could have two DHCP servers offering IP addresses to the client it needs to choose one typically

64
00:05:48,530 --> 00:05:51,120
chooses the one that replied first.

65
00:05:51,140 --> 00:05:58,890
So going up notice its UDP source port 68 going to 67 MAC address is the client.

66
00:05:59,850 --> 00:06:01,720
It's a request.

67
00:06:01,920 --> 00:06:09,600
So we're requesting that this MAC address use this IP address the IP address that was offered by the

68
00:06:09,900 --> 00:06:17,170
server. So back again notice the server offered that IP address to the client and that's the IP address

69
00:06:17,170 --> 00:06:23,490
the client is requesting to use. So requested IP address is this from this DHCP server

70
00:06:23,530 --> 00:06:31,110
this is my hostname. Because this is Windows that asks for NetBIOS old protocol ask for other information

71
00:06:31,110 --> 00:06:33,960
such as private classless static route et. cetera

72
00:06:34,170 --> 00:06:37,870
and then lastly the server acknowledges that request.

73
00:06:38,040 --> 00:06:42,460
So UDP source port 67 to port 68

74
00:06:42,660 --> 00:06:46,570
the service saying I acknowledge this as your IP address

75
00:06:46,680 --> 00:06:48,460
this is your MAC address.

76
00:06:48,510 --> 00:06:53,780
It's an acknowledgment and then similar kind of information is displayed once again.

77
00:06:53,820 --> 00:06:56,860
So notice we have four messages here.

78
00:06:57,030 --> 00:07:01,110
Discover, offer, request, and acknowledgement.

79
00:07:01,220 --> 00:07:01,430
Okay

80
00:07:01,440 --> 00:07:07,960
So that's a Wireshark let's have a look on the router.

81
00:07:08,050 --> 00:07:11,950
So again this is the MAC address of our client.

82
00:07:11,950 --> 00:07:21,690
This is the IP address that it got from the DHCP server, on the router now show IP DHCP bindings. 

83
00:07:21,730 --> 00:07:33,570
Notice this MAC address was allocated this IP address automatically show IP DHCP server statistics.

84
00:07:34,000 --> 00:07:38,200
We can see as an example that we have one address pool.

85
00:07:38,560 --> 00:07:41,400
There's been five discovered messages were received.

86
00:07:41,400 --> 00:07:47,860
There's been 12 DHCP requests and 3 offers, and 5 acknowledgments a bunch of stuff has been

87
00:07:47,860 --> 00:07:49,890
going on in the background here.

88
00:07:51,390 --> 00:07:56,910
Most important command here is typically binding so that you can see which client received which IP

89
00:07:56,910 --> 00:07:58,280
address.

90
00:07:58,320 --> 00:08:00,930
Okay, so I have got a Linux host here.

91
00:08:00,930 --> 00:08:10,290
I'll start this Linux host up go back into Wireshark and what you'll see is we've got a bunch of DHCP

92
00:08:10,290 --> 00:08:11,460
messages now.

93
00:08:11,910 --> 00:08:18,600
What I can do very nicely in Wireshark is do a filter so that I only see one host.

94
00:08:18,660 --> 00:08:28,260
Notice this MAC address here ends in C 955 that is the MAC address of the Linux client

95
00:08:30,960 --> 00:08:34,820
we can see as an example that this Linux client has obtained this IP address.

96
00:08:34,980 --> 00:08:42,900
IF config, because this is Linux, shows me IP address shows me the MAC address ending in C955.

97
00:08:43,590 --> 00:08:46,880
In Wireshark I could actually add this as a filter.

98
00:08:47,760 --> 00:08:51,240
So add this as and select it.

99
00:08:51,240 --> 00:08:59,380
So this changes the Wireshark filter to only show me that PC rather than the windows

100
00:08:59,390 --> 00:09:04,260
PC. So I'm only seeing the messages from that Linux client.

101
00:09:04,260 --> 00:09:08,040
So notice here's a Discover message sent out a broadcast.

102
00:09:08,130 --> 00:09:11,220
This is the offer from the DHCP server.

103
00:09:11,220 --> 00:09:14,290
Here's a request and here's an acknowledgement.

104
00:09:14,350 --> 00:09:18,680
So if we look at the Discover message notice it doesn't have an IP address.

105
00:09:18,720 --> 00:09:26,700
It's sending out a broadcast with its MAC address trying to discover DHCP server it wants various parameters

106
00:09:26,700 --> 00:09:38,050
including NTP. The DHCP server replies back with an offer offering this IP address 10.1.1.1 to this client

107
00:09:38,710 --> 00:09:44,010
DHCP servers this again lease time, renewal time.

108
00:09:44,040 --> 00:09:52,020
Other information is displayed so on the client I can see that it got given this IP address by the DHCP

109
00:09:52,020 --> 00:10:01,080
server it requested that IP address so request of this IP address and the DHCP server acknowledged that

110
00:10:01,110 --> 00:10:02,310
3IP address.

111
00:10:02,310 --> 00:10:05,040
Okay so that was quite a detailed video.

112
00:10:05,260 --> 00:10:10,690
I hope after this video you really understand how DHB works.