Tutorial: Dynamic Host Configuration Protocol (DHCP)
Contents
This tutorial discusses the plugin dhcpDecode.
Preparation
Before we start we need to prepare T2. If you did not complete the tutorials before just follow the procedure described below.
First I recommend to set T2 into a pristine state by removing all unnecessary or older plugins from the default plugin folder ~/.tranalyzer/plugins. Just as a precaution if you have some old plugins or files there. If you like to keep them, please copy them away.
$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$Then compile the following plugins
$ t2build tranalyzer2 basicFlow dhcpDecode txtSink
...
BUILD SUCCESSFUL
$If you did not create a separate data and results directory yet, please do it now in another cmd window, it facilitates your workflow:
$ mkdir ~/data ~/results
$Download the sample pcap here: dhcp-nanosecond.pcap. Now you’re all set.
dhcpDecode
Let’s look at the plugin configuration first:
$ dhcpDecode
$ vi src/dhcpDecode.h...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */
#define DHCPMOTOUT 1 // msg types/options representation 2: names, 1: numbers, 0: bitfield
#define DHCPOPTMAX 20 // if (DHCPMOTOUT > 0) maximum stored options
#define DHCPMSGMAX 20 // if (DHCPMOTOUT > 0) maximum stored message types
#define DHCPNMMAX 10 // maximal number of domain/host names per flow
#define DHCPMASKFRMT 1 // Netmask representation: 0: hex, 1: IP
#define DHCP_ADD_CNT 0 // Print the number of times a given mac/domain/host appeared
#define DHCP_FLAG_MAC 0 // Store a global mapping IP->MAC and add the source and
// destination MAC address to every flow [EXPERIMENTAL, IPv4 only]
#define DHCP_FM_DEBUG 0 // print debug information about DHCP_FLAG_MAC operations
/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...DHCPMOTOUT denotes the representation of the message and option types, we leave it at default, numeric. DHCPMASKFRMT controls the representation of IP’s, as IP string is fine for now. The hex representation is useful for efficient selection for tawk. DHCP_ADD_CNT adds a count to mac,domain or host strings.DHCP_FLAG_MAC adds an IP->MAC mapping to see abnormal host behaviour.
So enable the DHCP_FLAG_MAC option, recompile dhcpDecode and tun t2 on the supplied pcap.
$ t2conf dhcpDecode -D DHCP_FLAG_MAC=1 && t2build dhcpDecode
...
$ t2 -r ~/data/dhcp-nanosecond.pcap -w ~/results/ -s
================================================================================
Tranalyzer 0.8.14 (Anteater), Tarantula. PID: 34938
================================================================================
[INF] Creating flows for L2, IPv4, IPv6
[WRN] PCAP nanosecond-resolution: for improved precision, run 't2conf tranalyzer2 -D B2T_NANOSECS=1 -D TSTAMP_PREC=1 && t2build -R'
Active plugins:
01: basicFlow, 0.8.14
02: dhcpDecode, 0.8.14
03: txtSink, 0.8.14
[INF] IPv4 Ver: 5, Rev: 16122020, Range Mode: 0, subnet ranges loaded: 406105 (406.11 K)
[INF] IPv6 Ver: 5, Rev: 17122020, Range Mode: 0, subnet ranges loaded: 51345 (51.34 K)
Processing file: /home/wurst/data/dhcp-nanosecond.pcap
Link layer type: Ethernet [EN10MB/1]
Dump start: 1102274184.317453 sec (Sun 05 Dec 2004 19:16:24 GMT)
Dump stop : 1102274184.387798 sec (Sun 05 Dec 2004 19:16:24 GMT)
Total dump duration: 0.070345 sec
Finished processing. Elapsed time: 0.000205 sec
Finished unloading flow memory. Time: 0.000261 sec
Percentage completed: 100.00%
Number of processed packets: 4
Number of processed bytes: 1312 (1.31 K)
Number of raw bytes: 1312 (1.31 K)
Number of pcap bytes: 1400 (1.40 K)
Number of IPv4 packets: 4 [100.00%]
Number of A packets: 2 [50.00%]
Number of B packets: 2 [50.00%]
Number of A bytes: 628 [47.87%]
Number of B bytes: 684 [52.13%]
Average A packet load: 314.00
Average B packet load: 342.00
--------------------------------------------------------------------------------
dhcpDecode: Aggregated dhcpStat=0x0007
dhcpDecode: Number of DHCP packets: 4 [100.00%]
dhcpDecode: Number of DHCP queries: 2 [50.00%]
dhcpDecode: Number of DHCP replies: 2 [50.00%]
dhcpDecode: Number of DHCP Discover messages: 1 [25.00%]
dhcpDecode: Number of DHCP Offer messages: 1 [25.00%]
dhcpDecode: Number of DHCP Request messages: 1 [25.00%]
dhcpDecode: Number of DHCP ACK messages: 1 [25.00%]
--------------------------------------------------------------------------------
Headers count: min: 3, max: 3, average: 3.00
Number of UDP packets: 4 [100.00%]
Number of UDP bytes: 1312 (1.31 K) [100.00%]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of processed flows: 2
Number of processed A flows: 2 [100.00%]
Number of request flows: 1 [50.00%]
Number of reply flows: 1 [50.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: 0.00
Number of processed packets/flows: 2.00
Number of processed A packets/flows: 1.00
Number of processed total packets/s: 56.86
Number of processed A+B packets/s: 56.86
Number of processed A packets/s: 28.43
Number of processed B packets/s: 28.43
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Number of average processed flows/s: 28.43
Average full raw bandwidth: 149207 b/s (149.21 Kb/s)
Average full bandwidth : 149207 b/s (149.21 Kb/s)
Max number of flows in memory: 2 [0.00%]
Memory usage: 0.02 GB [0.02%]
Aggregated flowStat=0x0400000000004000
[INF] IPv4 flows
$Oups, there is a warning to switch to nano seconds. T2 tells you which action is needed. We ignore it for the time being. If interested look into the tutorial: Timestamp Nano/Micro Seconds.
So what does the aggregated dhcpStat tells us, except that there is indeed DHCP present? There is a boot request and reply. That seems to be normal.
$ tawk -V dhcpStat=0x0007The dhcpStat column with value 0x0007 is to be interpreted as follows:
bit | dhcpStat | Description
=============================================================================
0 | 0x0001 | DHCP detected
1 | 0x0002 | Boot request
2 | 0x0004 | Boot replyIn the flow file you see all important header and content information, such as a list of options, hosts, timeouts, IPs, servers and messages. Moreover dhcpLFlow linked flows which helps to extract corresponding reply flows. There is only onw dhcpSrcMac, dhcpDstMac pair for the srcIP, dstIP, as we only have one A, B flow. Try your traffic, and you might see more pairs. What does that mean? Think…
$ cd ~/results
$ tcol dhcp-nanosecond_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto dhcpStat dhcpMType dhcpHWType dhcpCHWAdd dhcpNetmask dhcpGWIP dhcpDnsIP dhcpHopCnt dhcpSrvName dhcpBootFile dhcpOptCnt dhcpOpts dhcpHosts dhcpDomains dhcpMaxSecEl dhcpLeaseT dhcpRenewT dhcpRebindT dhcpReqIP dhcpCliIP dhcpYourIP dhcpNextServer dhcpRelay dhcpSrvId dhcpMsg dhcpLFlow dhcpSrcMac dhcpDstMac
A 1 0x0400000000004000 1102274184.317453 1102274184.387484 0.070031 1 3 eth:ipv4:udp 00:0b:82:01:fc:42 ff:ff:ff:ff:ff:ff 0x0800 0.0.0.0 - "-" 68 255.255.255.255 11 "Broadcast" 67 17 0x0003 1;3 0x0000000000000002 00:0b:82:01:fc:42 0.0.0.0 0.0.0.0 0.0.0.0 0x00000001 "" "" 9 53;61;50;55;54 0 0 0 0 192.168.0.10 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 192.168.0.1 "" 2 00:00:00:00:00:00 00:00:00:00:00:00
A 2 0x0400000000004001 1102274184.317748 1102274184.387798 0.070050 1 3 eth:ipv4:udp 00:08:74:ad:f1:9b 00:0b:82:01:fc:42 0x0800 192.168.0.1 07 "Private network" 67 192.168.0.10 07 "Private network" 68 17 0x0005 2;5 0x0000000000000002 00:0b:82:01:fc:42 255.255.255.0 0.0.0.0 0.0.0.0 0x00000001 "" "" 12 53;1;58;59;51;54 0 3600 1800 3150 0.0.0.0 0.0.0.0 192.168.0.10 0.0.0.0 0.0.0.0 192.168.0.1 "" 1 00:00:00:00:00:00 00:0b:82:01:fc:42The packet file shows all important header flags and ID’s, types and options including the flow link, dhcpLFlow.
$ cd ~/results
$ tcol dhcp-nanosecond_packets.txt
%pktNo flowInd flowStat time pktIAT pktTrip flowDuration numHdrs hdrDesc ethVlanID srcMac dstMac ethType srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto dhcpStat dhcpMType dhcpHops dhcpHWType dhcpTransID dhcpOpt dhcpLFlow l7Content
1 1 0x0400000000004000 1102274184.317453 0.000000 0.000000 0.000000 3 eth:ipv4:udp 00:0b:82:01:fc:42 ff:ff:ff:ff:ff:ff 0x0800 0.0.0.0 - - 68 255.255.255.255 11 Broadcast 67 17 0x0003 1 0 1 0x00003d1d 53;61;50;0 ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2.....7....*........
2 2 0x0400000000004001 1102274184.317748 0.000000 0.000000 0.000000 3 eth:ipv4:udp 00:08:74:ad:f1:9b 00:0b:82:01:fc:42 0x0800 192.168.0.1 07 Private network 67 192.168.0.10 07 Private network 68 17 0x0005 2 0 1 0x00003d1d 53;1;58;59;51;0 ......=............\n.............B..........................................................................................................................................................................................................c.Sc5........:.....;....N3.....6................................
3 1 0x0400000000004000 1102274184.387484 0.070031 0.000000 0.070031 3 eth:ipv4:udp 00:0b:82:01:fc:42 ff:ff:ff:ff:ff:ff 0x0800 0.0.0.0 - - 68 255.255.255.255 11 Broadcast 67 17 0x0003 3 0 1 0x00003d1e 53;61;50;55;0 2 ......=..........................B..........................................................................................................................................................................................................c.Sc5..=.......B2....\n6.....7....*..
4 2 0x0400000000004001 1102274184.387798 0.070050 0.000000 0.070050 3 eth:ipv4:udp 00:08:74:ad:f1:9b 00:0b:82:01:fc:42 0x0800 192.168.0.1 07 Private network 67 192.168.0.10 07 Private network 68 17 0x0005 5 0 1 0x00003d1e 53;1;58;59;51;0 1 ......=............\n.............B..........................................................................................................................................................................................................c.Sc5..:.....;....N3.....6......................................Now download: dhcp-offer-info.pcap, enable type/option names mode, mac counts and IP mac mapping and run t2 on the pcap.
$ t2conf dhcpDecode -D DHCPMOTOUT=2 -D DHCP_ADD_CNT=1 -D DHCP_FLAG_MAC=1 && t2build dhcpDecode
...
$ t2 -r ~/data/dhcp/dhcp-offer-info.pcap -w ~/results
...
dhcpDecode: Aggregated dhcpStat=0x020d
dhcpDecode: Number of DHCP packets: 115 [100.00%]
dhcpDecode: Number of DHCP replies: 115 [100.00%]
dhcpDecode: Number of DHCP Offer messages: 115 [100.00]
...
Number of processed flows: 1
Number of processed A flows: 1 [100.00%]
Number of reply flows: 1 [100.00%]
Total A/B flow asymmetry: 1.00
Total req/rply flow asymmetry: -1.00
...
$The status tells us that there is only an IP broadcast reply flow and the extracted are a bit longer than the default values. So you can increase DHCPMSGMAX, if you like.
$ tawk -V dhcpStat=0x020d
The dhcpStat column with value 0x020d is to be interpreted as follows:
bit | dhcpStat | Description
=============================================================================
0 | 0x0001 | DHCP detected
2 | 0x0004 | Boot reply
3 | 0x0008 | Broadcast
9 | 0x0200 | Client HW address, domain or host name list truncated... increase DHCPNMMAX
This pcap populates more columns than the previous one. Now you see the decoded option names and the HW addresses, including ip-mac pairs including counts.
$ tcol dhcp-offer-info_flows.txt
%dir flowInd flowStat timeFirst timeLast duration numHdrDesc numHdrs hdrDesc srcMac dstMac ethType ethVlanID srcIP srcIPCC srcIPOrg srcPort dstIP dstIPCC dstIPOrg dstPort l4Proto dhcpStat dhcpMTypeNms dhcpHWType dhcpCHWAdd_HWCnt dhcpNetmask dhcpGWIP dhcpDnsIP dhcpHopCnt dhcpSrvName dhcpBootFile dhcpOptCnt dhcpOptNms dhcpHosts_HCnt dhcpDomains_DCnt dhcpMaxSecEl dhcpLeaseT dhcpRenewT dhcpRebindT dhcpReqIP dhcpCliIP dhcpYourIP dhcpNextServer dhcpRelay dhcpSrvId dhcpMsg dhcpLFlow dhcpSrcMac dhcpDstMac
A 1 0x0400000000004001 1164749848.757569 1164750588.468833 739.711264 1 3 eth:ipv4:udp 00:01:5c:22:a5:82 ff:ff:ff:ff:ff:ff 0x0800 73.68.136.1 us "Comcast Cable Communications" 67 255.255.255.255 11 "Broadcast" 68 17 0x020d Offer 0x0000000000000002 00:14:bf:97:3c:c8_6;00:15:9a:05:5a:60_6;00:13:71:c3:86:82_1;00:0d:56:de:9f:4a_2;00:14:e8:26:98:a8_1;00:03:2f:21:f9:02_1;00:0f:b5:be:67:8d_1;00:14:22:be:9d:fd_2;00:15:9a:3d:9b:08_3;00:10:a4:92:ca:fe_1 255.255.248.0 73.68.136.1 68.87.66.196 0x00000002 "" "d11_m_sb5100_silver_c02.cm" 1027 "DHCP Msg Type";"DHCP Server Id";"Address Time";"Subnet Mask";"Router";"Domain Server";"Domain Name";"Broadcast Address";"Time Offset";"Log Server";"Bootfile-Name";"Server-Name";"Time Server";"Router Discovery";"Hostname";"PXE/Etherboot/DOCSIS/TFTP" "box"_1;"WGR614v6"_1 "hsd1.ca.comcast.net."_66 0 530983 0 0 0.0.0.0 0.0.0.0 73.68.141.50 68.87.76.15 73.68.136.1 68.87.76.13 "" 0 00:00:00:00:00:00 00:00:00:00:00:00Try to switch DHCPMOTOUT to 0 and look at the bitfields.
Don’t forget to reset the plugin configuration for the next tutorial.
$ t2conf dhcpDecode --reset && t2build dhcpDecode
...
$Have fun analyzing.