Lab 6-1: Using Sniffers-DHCP Example

Most UNIX systems use the Internet Standards Consortium (ISC) DHCP package, which includes these tools:

  • A DHCP server (dhcpd)

  • A DHCP client (dhclient)

  • A DHCP relay agent (dhcrelay)

  • The dhcping and dhcdump utilities

DHCP relays are necessary when the DHCP server does not reside on the same subnet as the DHCP client. The package can be retrieved from

In this lab, we will observe a typical client/server session to practice with the protocol analyzers described in this chapter. Figure 6-14 shows the lab setup for the DHCP scenario.

Figure 6-14. DHCP Lab Scenario

[View full size image]

The ISC DHCP package keeps track of leases in /var/db/dhcpd.leases and consists of two configuration files:

  • /etc/dhcpd.conf

  • /etc/dhclient.conf

This package offers a variety of options and features, much more than can be covered in this lab. The example configurations in this chapter are provided without comments; consult the manual pages and package documentation for further details. The package sources contain all relevant RFCs and draft proposals.

Example 6-10 shows an example of the UNIX dhcpd configuration; Example 6-11 shows the start procedure for a particular interface.

Example 6-10. Castor /etc/dhcpd.conf

[root@castor:~#] cat /etc/dhcpd.conf


ddns-update-style ad-hoc;

subnet netmask {


  option routers;

  default-lease-time 600;

  max-lease-time 7200;

  option domain-name-servers,;


Example 6-11. Starting the DHCP Daemon

[root@castor:~#] dhcpd -cf /etc/dhcpd.conf -lf /var/db/dhcpd.leases ed0

This setup was tested with a Windows XP notebook. Example 6-12 shows the resulting sniffer output on castor, and Example 6-13 shows the corresponding log entries. In Example 6-13, you can also observe the initial lease and the result of the Windows command sequences ipconfig /release and ipconfig /renew.

Example 6-12. Sniffing the DHCP Dialogue

[root@castor:~#] tethereal ?i ed0

0.000000 -> castor DHCP DHCP Request  - Transaction ID 0xe9603354

0.015647 castor -> DHCP DHCP ACK      - Transaction ID 0xe9603354

6.196025 -> castor DHCP DHCP Release  - Transaction ID 0xdc19cc67

Example 6-13. DHCP Daemon Operation Logs in the /var/db/dhcpd.leases File

[root@castor:~#] cat /var/db/dhcpd.leases

lease {

  starts 1 2002/11/25 10:44:45;

  ends 1 2002/11/25 10:54:45;

  binding state active;

  next binding state free;

  hardware ethernet 08:00:46:64:74:1b;              # initial lease

  uid "\001\010\000Fdt\033";

  client-hostname "pollux";


lease {

  starts 1 2002/11/25 10:44:45;

  ends 1 2002/11/25 10:44:52;                       # release

  tstp 1 2002/11/25 10:44:52;

  binding state free;

  hardware ethernet 08:00:46:64:74:1b;

  uid "\001\010\000Fdt\033";


lease {

  starts 1 2002/11/25 10:45:06;

  ends 1 2002/11/25 10:55:06;

  binding state active;                             # renew

  next binding state free;

  hardware ethernet 08:00:46:64:74:1b;

  uid "\001\010\000Fdt\033";

  client-hostname "pollux";


Now we will configure a DHCP server on a Cisco router (scar) and request and release a DHCP address from a UNIX client workstation (castor). The corresponding client configuration is shown in Example 6-14, the corresponding server configuration in Example 6-15. Examples 6-16 and 6-17 show the resulting protocol dialogue and statistics, including a release request and completion.

Example 6-14. /etc/dhclient.conf on Castor

[root@castor:~#] cat /etc/dhclient.conf

request subnet-mask, broadcast-address, time-offset, routers,

        domain-name, domain-name-servers, host-name;

require subnet-mask, domain-name-servers;

timeout 60;

retry 60;

reboot 10;

select-timeout 5;

initial-interval 2;

script "/etc/dhclient-script";

media "-link0 -link1 -link2", "link0 link1";


Example 6-15. Cisco DHCP Server Configuration

scar# show running-config



ip dhcp excluded-address

ip dhcp excluded-address


ip dhcp pool LAN






Example 6-16. DHCP Client Request

[root@castor:~#] tethereal -i ed0

 15.654523 -> DHCP DHCP Discover - Transaction ID 0xaf358d15

 17.657345 ->  DHCP DHCP Offer    - Transaction ID 0xaf358d15

 18.837461 -> DHCP DHCP Request  - Transaction ID 0xaf358d15

 18.845023 ->  DHCP DHCP ACK      - Transaction ID 0xaf358d15

[root@castor:~#] dhclient ed0

[root@castor:~#] dhclient ?r

[root@castor:~#] cat /var/db/dhclient.leases

lease {

  interface "ed0";


  medium "-link0 -link1 -link2";

  option subnet-mask;

  option routers;

  option dhcp-lease-time 86400;

  option dhcp-message-type 5;

  option domain-name-servers;

  option dhcp-server-identifier;

  option dhcp-renewal-time 43200;

  option dhcp-rebinding-time 75600;

  renew 2 2002/11/26 22:59:31;

  rebind 2 2002/11/26 22:59:31;

  expire 2 2002/11/26 22:59:31;


Example 6-17. Cisco DHCP Server-Side Statistics

scar# show ip dhcp binding

IP address       Hardware address        Lease expiration        Type      5254.05e3.e488          Mar 02 1993 01:28 AM    Automatic

scar# show ip dhcp server statistics

Memory usage         13270

Address pools        1

Database agents      0

Automatic bindings   1

Manual bindings      0

Expired bindings     0

Malformed messages   0

Message              Received

BOOTREQUEST          0


DHCPREQUEST          1

DHCPDECLINE          0

DHCPRELEASE          1

DHCPINFORM           4

Message              Sent

BOOTREPLY            0

DHCPOFFER            1

DHCPACK              1

DHCPNAK              0


dhcping is a DHCP client tool that can be deployed to monitor a DHCP server. It is based on DHCP_INFORM, DHCP_REQUEST, and DHCP_RELEASE packets. Consult the man page dhcping(8) for further details.