Analyzing Dhcp Process With Wireshark

by: George El., February 2019, Reading time: 2 minutes

In this post, I will analyze the dhcp process using wireshark. Before I begin a few things to note. On windows if you do an ipconfig /release the pc will not go through the entire dhcp process and most likely will send a request, requesting the same ip address. to force the whole process you have to do, net stop dhcp. net start dhcp.

The pc in the beginning has no ip address, so it broadcasts a dhcp discover message with hardware destination address FF:FF:FF:FF:FF:FF and destination IP 255.255.255.255. It also uses udp protocol ports 67 and 68.

you can download the file from here. or you can do right click open in new tab to see full size picture

wireshark capture

If there is a server in the local lan, it will reply with a dhcp offer, offering an IP address to the client. the offer is still broadcast, since the pc has still no ip address. (there are cases where you can see a unicast. this depends on how your dhcp router/server is configured).

wireshark capture

The pc will receive the offer, and send a request, again as broadcast. If it receives more than one offer, then usually, it accepts the first one.

wireshark capture

Finally, the server will send an acknowledgement.

wireshark capture

the whole process is also known as DORA, from Discover, Offer, Request, Ack

comments powered by Disqus