DHCP: Dynamic Host Configuration Protocol

DHCP layer 7

Introduction

This tutorial discusses the plugin dhcpDecode.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow dhcpDecode txtSink

...
BUILD SUCCESSFUL

If you have not created separate data and results directories yet, please do it now in another bash window; that facilitates your workflow:

mkdir ~/data ~/results

The sample PCAPs used in this tutorial can be downloaded here:

Please save them in your ~/data folder.

Now you are all set for analyzing DHCP traffic!

dhcpDecode

Let’s look at the plugin configuration first:

dhcpDecode

vi src/dhcpDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define DHCPMOTOUT        1 // msg types/options representation: 0: bitfield, 1: numbers, 2: names
#define DHCPOPTMAX       20 // maximum stored options (require DHCPMOTOUT > 0)
#define DHCPMSGMAX       20 // maximum stored message types (require DHCPMOTOUT > 0)
#define DHCPNMMAX        10 // maximal number of domain/host names per flow
#define DHCPMASKFRMT      1 // Netmask representation: 0: hex, 1: IP
#define DHCP_ADD_CNT      0 // Print the number of times a given mac/domain/host appeared
#define DHCP_FLAG_MAC     0 // Store a global mapping IP->MAC and add the source and
                            // destination MAC address to every flow [EXPERIMENTAL, IPv4 only]
#define DHCP_FM_DEBUG     0 // print debug information about DHCP_FLAG_MAC operations

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

/*       No env / runtime configuration flags available for dhcpDecode        */

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

DHCPMOTOUT selects how message types and options are represented; we leave it at the default, numeric. DHCPMASKFRMT controls the representation of the netmask; the IP string form is fine for now, while the hex form is useful for efficient bitmask selection with tawk. DHCP_ADD_CNT appends a count to every MAC, domain or host string. DHCP_FLAG_MAC keeps a global IP->MAC mapping and adds the source and destination MAC to every flow, which helps to spot abnormal host behaviour.

So enable the DHCP_FLAG_MAC option, recompile dhcpDecode and run t2 on the supplied pcap.

t2conf dhcpDecode -D DHCP_FLAG_MAC=1 && t2build dhcpDecode

t2 -r ~/data/dhcp-nanosecond.pcap -w ~/results/ -s

Oops, there is a warning to switch to nanosecond timestamps; T2 tells you which action is needed. We ignore it for the time being. If interested, look into the tutorial: Timestamp Nano/Micro Seconds.

So what does the aggregated dhcpStat tell us, except that DHCP is indeed present? There is a boot request and a boot reply. That seems to be normal.

tawk -V dhcpStat=0x0007

The dhcpStat column with value 0x0007 is to be interpreted as follows:

   bit | dhcpStat | Description
   =============================================================================
     0 | 0x0001   | DHCP detected
     1 | 0x0002   | Boot request
     2 | 0x0004   | Boot reply

In the flow file you see all important header and content information, such as the list of options, hosts, timeouts, IPs, servers and messages. Moreover, dhcpLFlow links the flows, which helps to extract the corresponding reply flow. There is only one dhcpSrcMac/dhcpDstMac pair for the srcIP/dstIP, as we only have one A/B flow pair. Try your own traffic, and you might see more pairs. What does that mean? Think…

tcol ~/results/dhcp-nanosecond_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration  numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg           srcPort  dstIP            dstIPCC  dstIPOrg           dstPort  l4Proto  dhcpStat  dhcpMType  dhcpHWType          dhcpCHWAdd         dhcpNetmask    dhcpGWIP  dhcpDnsIP  dhcpHopCnt  dhcpSrvName  dhcpBootFile  dhcpOptCnt  dhcpOpts          dhcpHosts  dhcpDomains  dhcpMaxSecEl  dhcpLeaseT  dhcpRenewT  dhcpRebindT  dhcpReqIP     dhcpCliIP  dhcpYourIP    dhcpNextServer  dhcpRelay  dhcpSrvId    dhcpMsg  dhcpLFlow  dhcpSrcMac         dhcpDstMac
A     1        0x0400000000004000  1102274184.317453  1102274184.387484  0.070031  1           3        eth:ipv4:udp  00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800              0.0.0.0      -        "-"                68       255.255.255.255  11       "Broadcast"        67       17       0x0003    1;3        0x0000000000000002  00:0b:82:01:fc:42  0.0.0.0        0.0.0.0   0.0.0.0    0x00000001  ""           ""            9           53;61;50;55;54                            0             0           0           0            192.168.0.10  0.0.0.0    0.0.0.0       0.0.0.0         0.0.0.0    192.168.0.1  ""       2          00:00:00:00:00:00  00:00:00:00:00:00
A     2        0x0400000000004001  1102274184.317748  1102274184.387798  0.070050  1           3        eth:ipv4:udp  00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800              192.168.0.1  07       "Private network"  67       192.168.0.10     07       "Private network"  68       17       0x0005    2;5        0x0000000000000002  00:0b:82:01:fc:42  255.255.255.0  0.0.0.0   0.0.0.0    0x00000001  ""           ""            12          53;1;58;59;51;54                          0             3600        1800        3150         0.0.0.0       0.0.0.0    192.168.0.10  0.0.0.0         0.0.0.0    192.168.0.1  ""       1          00:00:00:00:00:00  00:0b:82:01:fc:42

The packet file shows all important header flags and IDs, types and options, including the flow link dhcpLFlow.

tcol ~/results/dhcp-nanosecond_packets.txt

%pktNo  flowInd  flowStat            time               pktIAT    pktTrip   flowDuration  numHdrs  hdrDesc       ethVlanID  srcMac             dstMac             ethType  srcIP        srcIPCC  srcIPOrg         srcPort  dstIP            dstIPCC  dstIPOrg         dstPort  l4Proto  dhcpStat  dhcpMType  dhcpHops  dhcpHWType  dhcpTransID  dhcpOpt          dhcpLFlow  l7Content
1       1        0x0400000000004000  1102274184.317453  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17       0x0003    1          0         1           0x00003d1d   53;61;50;0                  ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2       2        0x0400000000004001  1102274184.317748  0.000000  0.000000  0.000000      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17       0x0005    2          0         1           0x00003d1d   53;1;58;59;51;0             ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:.....;....N3.....6................................
3       1        0x0400000000004000  1102274184.387484  0.070031  0.000000  0.070031      3        eth:ipv4:udp             00:0b:82:01:fc:42  ff:ff:ff:ff:ff:ff  0x0800   0.0.0.0      -        -                68       255.255.255.255  11       Broadcast        67       17       0x0003    3          0         1           0x00003d1e   53;61;50;55;0    2          ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4       2        0x0400000000004001  1102274184.387798  0.070050  0.000000  0.070050      3        eth:ipv4:udp             00:08:74:ad:f1:9b  00:0b:82:01:fc:42  0x0800   192.168.0.1  07       Private network  67       192.168.0.10     07       Private network  68       17       0x0005    5          0         1           0x00003d1e   53;1;58;59;51;0  1          ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:.....;....N3.....6......................................
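To see what dhcpDecode is extracting from these packets, here is an added example (not Tranalyzer code) that decodes DHCP messages by hand: it parses the fixed BOOTP header and the option TLVs into the fields shown in the listings above (message type, option list, client hardware address, requested and assigned IP, server id, lease timers), rebuilds the flow-level dhcpStat value from the bits documented above, and keeps the IP->MAC table that DHCP_FLAG_MAC is about, flagging an address that is acknowledged to a second MAC. The four messages are constructed in-line from the values in the listings; the mapping of T2's Broadcast bit to the BOOTP B flag is an assumption.

```python
"""Minimal DHCP (RFC 2131) decoder mirroring the fields dhcpDecode reports.
Added example for this tutorial, not Tranalyzer code. Messages are constructed
in-line to match the listings above (client 00:0b:82:01:fc:42, xid 0x3d1d/0x3d1e,
lease 3600 s, renew 1800 s, rebind 3150 s, server id 192.168.0.1)."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # vendor "magic cookie" that precedes the options
BOOTREQUEST, BOOTREPLY = 1, 2
# dhcpStat bits as printed by `tawk -V dhcpStat=...` in this tutorial
ST_DETECTED, ST_REQUEST, ST_REPLY, ST_BROADCAST = 0x0001, 0x0002, 0x0004, 0x0008
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")   # 236-byte fixed BOOTP header
ip4 = lambda s: ipaddress.IPv4Address(s).packed     # dotted quad -> 4 bytes
u32 = lambda n: struct.pack("!I", n)

def build_dhcp(op, xid, chaddr, options, yiaddr="0.0.0.0", flags=0):
    """Serialise a message; options is an ordered list of (code, value bytes)."""
    hw = bytes.fromhex(chaddr.replace(":", ""))
    zero = ip4("0.0.0.0")
    hdr = HDR.pack(op, 1, len(hw), 0, xid, 0, flags, zero, ip4(yiaddr), zero, zero,
                   hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"

def parse_options(buf):
    """Walk the TLV area; a length that overruns the packet is an error, not a guess."""
    opts, i = [], 0
    while i < len(buf) and buf[i] != 255:        # 255 = End
        if buf[i] == 0:                          # 0 = Pad, carries no length byte
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("truncated option header")
        code, ln = buf[i], buf[i + 1]
        val = buf[i + 2:i + 2 + ln]
        if len(val) != ln:
            raise ValueError(f"option {code} runs past end of packet")
        opts.append((code, val))
        i += 2 + ln
    return opts

def parse_dhcp(data):
    """Decode the header plus the options dhcpDecode turns into columns."""
    if len(data) < HDR.size + 4 or data[HDR.size:HDR.size + 4] != MAGIC:
        raise ValueError("not a DHCP message (short or bad magic cookie)")
    op, htype, hlen, hops, xid, _, flags, ci, yi, si, gi, chaddr, sname, bfile = HDR.unpack_from(data)
    opts = parse_options(data[HDR.size + 4:])
    m = {"op": op, "htype": htype, "hops": hops, "xid": xid, "flags": flags,
         "ciaddr": str(ipaddress.IPv4Address(ci)), "yiaddr": str(ipaddress.IPv4Address(yi)),
         "siaddr": str(ipaddress.IPv4Address(si)), "giaddr": str(ipaddress.IPv4Address(gi)),
         # hlen comes off the wire: clamp it so a bogus value cannot read past chaddr
         "chaddr": ":".join(f"{b:02x}" for b in chaddr[:min(hlen, 16)]),
         "sname": sname.split(b"\0", 1)[0].decode("ascii", "replace"),
         "file": bfile.split(b"\0", 1)[0].decode("ascii", "replace"),
         "opts": [c for c, _ in opts], "msg_type": None}
    for code, val in opts:
        if code == 53 and len(val) == 1:
            m["msg_type"] = val[0]
        elif code in (1, 50, 54) and len(val) == 4:
            m[{1: "netmask", 50: "req_ip", 54: "server_id"}[code]] = str(ipaddress.IPv4Address(val))
        elif code in (51, 58, 59) and len(val) == 4:
            m[{51: "lease", 58: "renew", 59: "rebind"}[code]] = struct.unpack("!I", val)[0]
    return m

def dhcp_stat(msgs):
    """Aggregate per-message bits into a flow-level dhcpStat value.
    Assumption: T2's 'Broadcast' bit corresponds to the BOOTP B flag (0x8000)."""
    st = 0
    for m in msgs:
        st |= ST_DETECTED | (ST_REQUEST if m["op"] == BOOTREQUEST else ST_REPLY)
        if m["flags"] & 0x8000:
            st |= ST_BROADCAST
    return st

class LeaseTracker:
    """IP->MAC bindings learned from DHCPACKs, the idea behind DHCP_FLAG_MAC.
    The same IP acknowledged to a second MAC, or more than one server id, is what
    'more pairs' in your own traffic would look like."""
    def __init__(self):
        self.ip2mac, self.servers, self.conflicts = {}, set(), []

    def feed(self, m):
        if m["op"] != BOOTREPLY or m["msg_type"] != 5:   # only an ACK binds an address
            return
        self.servers.add(m.get("server_id"))
        prev = self.ip2mac.get(m["yiaddr"])
        if prev and prev != m["chaddr"]:
            self.conflicts.append((m["yiaddr"], prev, m["chaddr"]))
        self.ip2mac[m["yiaddr"]] = m["chaddr"]

# Constructed four-way exchange with the values seen in the listings above
CLIENT = "00:0b:82:01:fc:42"
CLIENT_ID = (61, b"\x01" + bytes.fromhex(CLIENT.replace(":", "")))
SERVER_OPTS = [(1, ip4("255.255.255.0")), (58, u32(1800)), (59, u32(3150)),
               (51, u32(3600)), (54, ip4("192.168.0.1"))]
DISCOVER = build_dhcp(BOOTREQUEST, 0x3d1d, CLIENT, [(53, b"\x01"), CLIENT_ID, (50, ip4("192.168.0.10"))])
OFFER = build_dhcp(BOOTREPLY, 0x3d1d, CLIENT, [(53, b"\x02")] + SERVER_OPTS, yiaddr="192.168.0.10")
REQUEST = build_dhcp(BOOTREQUEST, 0x3d1e, CLIENT, [(53, b"\x03"), CLIENT_ID, (50, ip4("192.168.0.10")),
                                                   (55, bytes([1, 3, 6, 15])), (54, ip4("192.168.0.1"))])
ACK = build_dhcp(BOOTREPLY, 0x3d1e, CLIENT, [(53, b"\x05")] + SERVER_OPTS, yiaddr="192.168.0.10")

if __name__ == "__main__":
    msgs = [parse_dhcp(p) for p in (DISCOVER, OFFER, REQUEST, ACK)]
    for m in msgs:
        print(f"op={m['op']} type={m['msg_type']} xid={m['xid']:#06x} opts={m['opts']} yiaddr={m['yiaddr']}")
    print(f"A flow dhcpStat={dhcp_stat(msgs[0::2]):#06x}, B flow dhcpStat={dhcp_stat(msgs[1::2]):#06x}")
```

Run it as a script to print the four decoded messages and the dhcpStat of both flows (0x0003 for the request side, 0x0005 for the reply side, as in the listing). The option walker refuses a length byte that runs past the buffer and the header decoder clamps hlen to the 16-byte chaddr field; both values come straight off the wire, which is exactly where a decoder that trusts them gets into trouble.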

Now download dhcp-offer-info.pcap, enable the type/option names mode, MAC counts and the IP->MAC mapping, and run t2 on the pcap.

t2conf dhcpDecode -D DHCPMOTOUT=2 -D DHCP_ADD_CNT=1 -D DHCP_FLAG_MAC=1 && t2build dhcpDecode

t2 -r ~/data/dhcp/dhcp-offer-info.pcap -w ~/results

...
dhcpDecode: Aggregated dhcpStat=0x020d
dhcpDecode: Number of DHCP packets: 115 [100.00%]
dhcpDecode: Number of DHCP replies: 115 [100.00%]
dhcpDecode: Number of DHCP Offer messages: 115 [100.00]
...
Number of processed   flows: 1
Number of processed A flows: 1 [100.00%]
Number of reply       flows: 1 [100.00%]
Total   A/B    flow asymmetry: 1.00
Total req/rply flow asymmetry: -1.00
...

The status tells us that there is only a single broadcast reply flow (115 Offer messages with no request side), and that the extracted name lists are longer than the default limit of DHCPNMMAX, so you can increase DHCPNMMAX if you like.

tawk -V dhcpStat=0x020d

The dhcpStat column with value 0x020d is to be interpreted as follows:

   bit | dhcpStat | Description
   =============================================================================
     0 | 0x0001   | DHCP detected
     2 | 0x0004   | Boot reply
     3 | 0x0008   | Broadcast
     9 | 0x0200   | Client HW address, domain or host name list truncated... increase DHCPNMMAX

This pcap populates more columns than the previous one. Now you see the decoded option names and the HW addresses, including IP-MAC pairs and counts.

tcol ~/results/dhcp-offer-info_flows.txt

%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP        srcIPCC  srcIPOrg                        srcPort  dstIP            dstIPCC  dstIPOrg     dstPort  l4Proto  dhcpStat  dhcpMTypeNms  dhcpHWType          dhcpCHWAdd_HWCnt                                                                                                                                                                                         dhcpNetmask    dhcpGWIP     dhcpDnsIP     dhcpHopCnt  dhcpSrvName  dhcpBootFile                  dhcpOptCnt  dhcpOptNms                                                                                                                                                                                                                                                 dhcpHosts_HCnt        dhcpDomains_DCnt           dhcpMaxSecEl  dhcpLeaseT  dhcpRenewT  dhcpRebindT  dhcpReqIP  dhcpCliIP  dhcpYourIP    dhcpNextServer  dhcpRelay    dhcpSrvId    dhcpMsg  dhcpLFlow  dhcpSrcMac         dhcpDstMac
A     1        0x0400000000004001  1164749848.757569  1164750588.468833  739.711264  1           3        eth:ipv4:udp  00:01:5c:22:a5:82  ff:ff:ff:ff:ff:ff  0x0800              73.68.136.1  us       "Comcast Cable Communications"  67       255.255.255.255  11       "Broadcast"  68       17       0x020d    Offer         0x0000000000000002  00:14:bf:97:3c:c8_6;00:15:9a:05:5a:60_6;00:13:71:c3:86:82_1;00:0d:56:de:9f:4a_2;00:14:e8:26:98:a8_1;00:03:2f:21:f9:02_1;00:0f:b5:be:67:8d_1;00:14:22:be:9d:fd_2;00:15:9a:3d:9b:08_3;00:10:a4:92:ca:fe_1  255.255.248.0  73.68.136.1  68.87.66.196  0x00000002  ""           "d11_m_sb5100_silver_c02.cm"  1027        "DHCP Msg Type";"DHCP Server Id";"Address Time";"Subnet Mask";"Router";"Domain Server";"Domain Name";"Broadcast Address";"Time Offset";"Log Server";"Bootfile-Name";"Server-Name";"Time Server";"Router Discovery";"Hostname";"PXE/Etherboot/DOCSIS/TFTP"  "box"_1;"WGR614v6"_1  "hsd1.ca.comcast.net."_66  0             530983      0           0            0.0.0.0    0.0.0.0    73.68.141.50  68.87.76.15     73.68.136.1  68.87.76.13  ""       0          00:00:00:00:00:00  00:00:00:00:00:00

Try to switch DHCPMOTOUT to 0 and look at the bitfields.
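Once counts and names are in the flow file, the next step is usually to process it outside tawk. The following added example (not Tranalyzer code) reads a flow file as txtSink writes it (tab-separated with a %-prefixed header; assumed here), explodes the value_count lists of the dhcpCHWAdd_HWCnt, dhcpHosts_HCnt and dhcpDomains_DCnt columns, names the dhcpStat bits from the table above and reports which list hit DHCPNMMAX whenever bit 9 is set. The first row is the flow from the listing above trimmed to the columns used; the second row is constructed.

```python
"""Post-process a dhcpDecode flow file: decode dhcpStat, explode the _Cnt lists
and check the DHCPNMMAX truncation bit. Added example, not Tranalyzer code.
Assumes the flow file is tab-separated with a '%'-prefixed header, as txtSink
writes it; row A is taken from the listing above, row B is constructed."""
import io

# Bit table from `tawk -V dhcpStat=...` above; bits not listed there stay unnamed
STAT_BITS = {0x0001: "DHCP detected", 0x0002: "Boot request", 0x0004: "Boot reply",
             0x0008: "Broadcast",
             0x0200: "Client HW address, domain or host name list truncated"}
NM_MAX = 10      # DHCPNMMAX default from dhcpDecode.h

FLOWS_TXT = (
    "%dir\tflowInd\tdhcpStat\tdhcpSrvId\tdhcpCHWAdd_HWCnt\tdhcpHosts_HCnt\tdhcpDomains_DCnt\n"
    "A\t1\t0x020d\t68.87.76.13\t"
    "00:14:bf:97:3c:c8_6;00:15:9a:05:5a:60_6;00:13:71:c3:86:82_1;00:0d:56:de:9f:4a_2;"
    "00:14:e8:26:98:a8_1;00:03:2f:21:f9:02_1;00:0f:b5:be:67:8d_1;00:14:22:be:9d:fd_2;"
    "00:15:9a:3d:9b:08_3;00:10:a4:92:ca:fe_1\t\"box\"_1;\"WGR614v6\"_1\t\"hsd1.ca.comcast.net.\"_66\n"
    "B\t2\t0x0005\t192.168.0.1\t00:0b:82:01:fc:42_2\t\t\n"       # constructed second row
)

def read_flows(text):
    """One dict per flow, keyed by the header names (leading '%' stripped)."""
    lines = io.StringIO(text)
    header = next(lines).rstrip("\n").lstrip("%").split("\t")
    return [dict(zip(header, l.rstrip("\n").split("\t"))) for l in lines if l.strip()]

def split_counted(field):
    """'"a"_3;b_1' -> [("a", 3), ("b", 1)]; an empty column yields []."""
    out = []
    for item in filter(None, field.split(";")):
        value, _, cnt = item.rpartition("_")     # count is always the last '_' group
        out.append((value.strip('"'), int(cnt)))
    return out

def stat_names(hexval):
    """Names of the documented bits set in a dhcpStat value such as '0x020d'."""
    v = int(hexval, 16)
    return [name for bit, name in STAT_BITS.items() if v & bit]

def name_lists_at_limit(flow, nm_max=NM_MAX):
    """Columns whose list reached DHCPNMMAX while the truncation bit (9) is set."""
    if not int(flow["dhcpStat"], 16) & 0x0200:
        return []
    return [col for col in ("dhcpCHWAdd_HWCnt", "dhcpHosts_HCnt", "dhcpDomains_DCnt")
            if len(split_counted(flow[col])) >= nm_max]

def top_clients(flows, n=3):
    """Client MACs by number of DHCP messages, summed over all flows."""
    totals = {}
    for f in flows:
        for mac, cnt in split_counted(f["dhcpCHWAdd_HWCnt"]):
            totals[mac] = totals.get(mac, 0) + cnt
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

if __name__ == "__main__":
    flows = read_flows(FLOWS_TXT)
    for f in flows:
        print(f["flowInd"], stat_names(f["dhcpStat"]), name_lists_at_limit(f))
    print(top_clients(flows))
```

For the first row the truncation bit is set and only the client hardware address list has exactly DHCPNMMAX entries, so that is the list that was cut; the host and domain lists are short. To reuse it on a real run, replace FLOWS_TXT with the contents of ~/results/dhcp-offer-info_flows.txt.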

Conclusion

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf dhcpDecode --reset && t2build dhcpDecode

Have fun analyzing.