Tutorial: Dynamic Host Configuration Protocol (DHCP)
DHCP layer 7Contents
Introduction
This tutorial discusses the plugin dhcpDecode.
Preparation
First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:
t2build -e -y
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied
Then compile the core (tranalyzer2) and the following plugins:
t2build tranalyzer2 basicFlow dhcpDecode txtSink
...
BUILD SUCCESSFUL
If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:
mkdir ~/data ~/results
The sample PCAPs used in this tutorial can be downloaded here:
Please save them in your ~/data folder.
Now you are all set for analyzing DHCP traffic!
dhcpDecode
Let’s look at the plugin configuration first:
dhcpDecode
vi src/dhcpDecode.h
...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define DHCPMOTOUT 1 // msg types/options representation 2: names, 1: numbers, 0: bitfield
#define DHCPOPTMAX 20 // if (DHCPMOTOUT > 0) maximum stored options
#define DHCPMSGMAX 20 // if (DHCPMOTOUT > 0) maximum stored message types
#define DHCPNMMAX 10 // maximal number of domain/host names per flow
#define DHCPMASKFRMT 1 // Netmask representation: 0: hex, 1: IP
#define DHCP_ADD_CNT 0 // Print the number of times a given mac/domain/host appeared
#define DHCP_FLAG_MAC 0 // Store a global mapping IP->MAC and add the source and
// destination MAC address to every flow [EXPERIMENTAL, IPv4 only]
#define DHCP_FM_DEBUG 0 // print debug information about DHCP_FLAG_MAC operations
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...DHCPMOTOUT denotes the representation of the message and option types, we leave it at default, numeric. DHCPMASKFRMT controls the representation of IP’s, as IP string is fine for now. The hex representation is useful for efficient selection for tawk. DHCP_ADD_CNT adds a count to mac,domain or host strings.DHCP_FLAG_MAC adds an IP->MAC mapping to see abnormal host behavior.
So enable the DHCP_FLAG_MAC option, recompile dhcpDecode and tun t2 on the supplied pcap.
t2conf dhcpDecode -D DHCP_FLAG_MAC=1 && t2build dhcpDecode
t2 -r ~/data/dhcp-nanosecond.pcap -w ~/results/ -s================================================================================ Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 34938 ================================================================================ [INF] Creating flows for L2, IPv4, IPv6 [WRN] PCAP nanosecond-resolution: for improved precision, run 't2conf tranalyzer2 -D B2T_NANOSECS=1 -D TSTAMP_PREC=1 && t2build -R' Active plugins: 01: basicFlow, 0.8.14 02: dhcpDecode, 0.8.14 03: txtSink, 0.8.14 [INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K) [INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K) Processing file: /home/wurst/data/dhcp-nanosecond.pcap Link layer type: Ethernet [EN10MB/1] Dump start: 1102274184.317453 sec (Sun 05 Dec 2004 19:16:24 GMT) Dump stop : 1102274184.387798 sec (Sun 05 Dec 2004 19:16:24 GMT) Total dump duration: 0.070345 sec Finished processing. Elapsed time: 0.000205 sec Finished unloading flow memory. Time: 0.000261 sec Percentage completed: 100.00% Number of processed packets: 4 Number of processed bytes: 1312 (1.31 K) Number of raw bytes: 1312 (1.31 K) Number of pcap bytes: 1400 (1.40 K) Number of IPv4 packets: 4 [100.00%] Number of A packets: 2 [50.00%] Number of B packets: 2 [50.00%] Number of A bytes: 628 [47.87%] Number of B bytes: 684 [52.13%] Average A packet load: 314.00 Average B packet load: 342.00 -------------------------------------------------------------------------------- dhcpDecode: Aggregated dhcpStat=0x0007 dhcpDecode: Number of DHCP packets: 4 [100.00%] dhcpDecode: Number of DHCP queries: 2 [50.00%] dhcpDecode: Number of DHCP replies: 2 [50.00%] dhcpDecode: Number of DHCP Discover messages: 1 [25.00%] dhcpDecode: Number of DHCP Offer messages: 1 [25.00%] dhcpDecode: Number of DHCP Request messages: 1 [25.00%] dhcpDecode: Number of DHCP ACK messages: 1 [25.00%] -------------------------------------------------------------------------------- Headers count: min: 3, max: 3, average: 3.00 Number of UDP packets: 4 [100.00%] Number of UDP bytes: 1312 (1.31 K) [100.00%] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of processed flows: 2 Number of processed A flows: 2 [100.00%] Number of request flows: 1 [50.00%] Number of reply flows: 1 [50.00%] Total A/B flow asymmetry: 1.00 Total req/rply flow asymmetry: 0.00 Number of processed packets/flows: 2.00 Number of processed A packets/flows: 1.00 Number of processed total packets/s: 56.86 Number of processed A+B packets/s: 56.86 Number of processed A packets/s: 28.43 Number of processed B packets/s: 28.43 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Number of average processed flows/s: 28.43 Average full raw bandwidth: 149207 b/s (149.21 Kb/s) Average full bandwidth : 149207 b/s (149.21 Kb/s) Max number of flows in memory: 2 [0.00%] Memory usage: 0.02 GB [0.02%] Aggregated flowStat=0x0400000000004000 [INF] IPv4 flows
Oups, there is a warning to switch to nano seconds. T2 tells you which action is needed. We ignore it for the time being. If interested look into the tutorial: Timestamp Nano/Micro Seconds.
So what does the aggregated dhcpStat tells us, except that there is indeed DHCP present? There is a boot request and reply. That seems to be normal.
The dhcpStat column with value 0x0007 is to be interpreted as follows:
bit | dhcpStat | Description
=============================================================================
0 | 0x0001 | DHCP detected
1 | 0x0002 | Boot request
2 | 0x0004 | Boot reply
In the flow file you see all important header and content information, such as a list of options, hosts, timeouts, IPs, servers and messages. Moreover dhcpLFlow linked flows which helps to extract corresponding reply flows. There is only now dhcpSrcMac, dhcpDstMac pair for the srcIP, dstIP, as we only have one A, B flow. Try your traffic, and you might see more pairs. What does that mean? Think…
tcol ~/results/dhcp-nanosecond_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto dhcpStat dhcpMType dhcpHWType dhcpCHWAdd dhcpNetmask dhcpGWIP dhcpDnsIP dhcpHopCnt dhcpSrvName dhcpBootFile dhcpOptCnt dhcpOpts dhcpHosts dhcpDomains dhcpMaxSecEl dhcpLeaseT dhcpRenewT dhcpRebindT dhcpReqIP dhcpCliIP dhcpYourIP dhcpNextServer dhcpRelay dhcpSrvId dhcpMsg dhcpLFlow dhcpSrcMac dhcpDstMac
A 1 0x0400000000004000 1102274184.317453 1102274184.387484 0.070031 1 3 eth:ipv4:udp 00:0b:82:01:fc:42 ff:ff:ff:ff:ff:ff 0x0800 0.0.0.0 - "-" 68 255.255.255.255 11 "Broadcast" 67 17 0x0003 1;3 0x0000000000000002 00:0b:82:01:fc:42 0.0.0.0 0.0.0.0 0.0.0.0 0x00000001 "" "" 9 53;61;50;55;54 0 0 0 0 192.168.0.10 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 192.168.0.1 "" 2 00:00:00:00:00:00 00:00:00:00:00:00
A 2 0x0400000000004001 1102274184.317748 1102274184.387798 0.070050 1 3 eth:ipv4:udp 00:08:74:ad:f1:9b 00:0b:82:01:fc:42 0x0800 192.168.0.1 07 "Private network" 67 192.168.0.10 07 "Private network" 68 17 0x0005 2;5 0x0000000000000002 00:0b:82:01:fc:42 255.255.255.0 0.0.0.0 0.0.0.0 0x00000001 "" "" 12 53;1;58;59;51;54 0 3600 1800 3150 0.0.0.0 0.0.0.0 192.168.0.10 0.0.0.0 0.0.0.0 192.168.0.1 "" 1 00:00:00:00:00:00 00:0b:82:01:fc:42The packet file shows all important header flags and ID’s, types and options including the flow link, dhcpLFlow.
tcol ~/results/dhcp-nanosecond_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto dhcpStat dhcpMType dhcpHops dhcpHWType dhcpTransID dhcpOpt dhcpLFlow l7Content
1 1 0x0400000000004000 1102274184.317453 0.000000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:82:01:fc:42 ff:ff:ff:ff:ff:ff 0x0800 0.0.0.0 - - 68 255.255.255.255 11 Broadcast 67 17 0x0003 1 0 1 0x00003d1d 53;61;50;0 ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2 2 0x0400000000004001 1102274184.317748 0.000000 0.000000 0.000000 3 eth:ipv4:udp 00:08:74:ad:f1:9b 00:0b:82:01:fc:42 0x0800 192.168.0.1 07 Private network 67 192.168.0.10 07 Private network 68 17 0x0005 2 0 1 0x00003d1d 53;1;58;59;51;0 ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:.....;....N3.....6................................
3 1 0x0400000000004000 1102274184.387484 0.070031 0.000000 0.070031 3 eth:ipv4:udp 00:0b:82:01:fc:42 ff:ff:ff:ff:ff:ff 0x0800 0.0.0.0 - - 68 255.255.255.255 11 Broadcast 67 17 0x0003 3 0 1 0x00003d1e 53;61;50;55;0 2 ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4 2 0x0400000000004001 1102274184.387798 0.070050 0.000000 0.070050 3 eth:ipv4:udp 00:08:74:ad:f1:9b 00:0b:82:01:fc:42 0x0800 192.168.0.1 07 Private network 67 192.168.0.10 07 Private network 68 17 0x0005 5 0 1 0x00003d1e 53;1;58;59;51;0 1 ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:.....;....N3.....6......................................Now download: dhcp-offer-info.pcap, enable type/option names mode, mac counts and IP mac mapping and run t2 on the pcap.
t2conf dhcpDecode -D DHCPMOTOUT=2 -D DHCP_ADD_CNT=1 -D DHCP_FLAG_MAC=1 && t2build dhcpDecode
t2 -r ~/data/dhcp/dhcp-offer-info.pcap -w ~/results... dhcpDecode: Aggregated dhcpStat=0x020d dhcpDecode: Number of DHCP packets: 115 [100.00%] dhcpDecode: Number of DHCP replies: 115 [100.00%] dhcpDecode: Number of DHCP Offer messages: 115 [100.00] ... Number of processed flows: 1 Number of processed A flows: 1 [100.00%] Number of reply flows: 1 [100.00%] Total A/B flow asymmetry: 1.00 Total req/rply flow asymmetry: -1.00 ...
The status tells us that there is only an IP broadcast reply flow and the extracted are a bit longer than the default values. So you can increase DHCPMSGMAX, if you like.
The dhcpStat column with value 0x020d is to be interpreted as follows: bit | dhcpStat | Description ============================================================================= 0 | 0x0001 | DHCP detected 2 | 0x0004 | Boot reply 3 | 0x0008 | Broadcast 9 | 0x0200 | Client HW address, domain or host name list truncated... increase DHCPNMMAX
This pcap populates more columns than the previous one. Now you see the decoded option names and the HW addresses, including IP-MAC pairs and counts.
tcol ~/results/dhcp-offer-info_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto dhcpStat dhcpMTypeNms dhcpHWType dhcpCHWAdd_HWCnt dhcpNetmask dhcpGWIP dhcpDnsIP dhcpHopCnt dhcpSrvName dhcpBootFile dhcpOptCnt dhcpOptNms dhcpHosts_HCnt dhcpDomains_DCnt dhcpMaxSecEl dhcpLeaseT dhcpRenewT dhcpRebindT dhcpReqIP dhcpCliIP dhcpYourIP dhcpNextServer dhcpRelay dhcpSrvId dhcpMsg dhcpLFlow dhcpSrcMac dhcpDstMac
A 1 0x0400000000004001 1164749848.757569 1164750588.468833 739.711264 1 3 eth:ipv4:udp 00:01:5c:22:a5:82 ff:ff:ff:ff:ff:ff 0x0800 73.68.136.1 us "Comcast Cable Communications" 67 255.255.255.255 11 "Broadcast" 68 17 0x020d Offer 0x0000000000000002 00:14:bf:97:3c:c8_6;00:15:9a:05:5a:60_6;00:13:71:c3:86:82_1;00:0d:56:de:9f:4a_2;00:14:e8:26:98:a8_1;00:03:2f:21:f9:02_1;00:0f:b5:be:67:8d_1;00:14:22:be:9d:fd_2;00:15:9a:3d:9b:08_3;00:10:a4:92:ca:fe_1 255.255.248.0 73.68.136.1 68.87.66.196 0x00000002 "" "d11_m_sb5100_silver_c02.cm" 1027 "DHCP Msg Type";"DHCP Server Id";"Address Time";"Subnet Mask";"Router";"Domain Server";"Domain Name";"Broadcast Address";"Time Offset";"Log Server";"Bootfile-Name";"Server-Name";"Time Server";"Router Discovery";"Hostname";"PXE/Etherboot/DOCSIS/TFTP" "box"_1;"WGR614v6"_1 "hsd1.ca.comcast.net."_66 0 530983 0 0 0.0.0.0 0.0.0.0 73.68.141.50 68.87.76.15 73.68.136.1 68.87.76.13 "" 0 00:00:00:00:00:00 00:00:00:00:00:00Try to switch DHCPMOTOUT to 0 and look at the bitfields.
Conclusion
Don’t forget to reset the plugin configuration for the next tutorial.
t2conf dhcpDecode --reset && t2build dhcpDecode
Have fun analyzing.