Analyzing the DHCP Process with Wireshark When There Is a Relay Agent

by: George El., February 2019, Reading time: 2 minutes

In this post, I will analyze the DHCP process when the DHCP server is not on the local LAN but on a remote LAN. As we saw in the previous posts, DHCP packets are sent as broadcasts. By default, broadcasts do not leave the local LAN. So what happens when you want to have a centralised DHCP server? In this case, you must configure the local router as a DHCP relay agent.

The ip helper-address command configures the device as a DHCP relay agent. The DHCP relay agent forwards DHCP requests and replies between clients and servers when they are not on the same physical subnet. In the following figure, we have configured R1 as a DHCP server and R2 as a DHCP relay agent. In this case R2 forwards DHCP packets from client PC-1 to R1 and from R1 to PC-1. The DHCP server could be many hops away; it wouldn't make any difference. We just use one hop for simplicity.

You can download the pcap files from here and here

If you want to see a larger version of an image, right-click it and open it in a new tab.

[Image: dhcp relay agent]

The configuration of R2 is:

[Image: dhcp relay agent]

The configuration of R1 is:

[Image: dhcp relay agent]

We enable DHCP on PC-1 with the command ip dhcp.

We see that it sends two discover messages, receives an offer, sends a request, and finally gets an ack.

[Image: dhcp relay agent]

Let's see what happens in Wireshark.

[Image: dhcp relay agent]

The capture between the switch and R2 shows the following: the PC is unaware that the DHCP server is on a remote LAN. It behaves as it normally would: it broadcasts a discover message, receives an offer, broadcasts a request, and receives an ack. Wait a second: the offer is unicast. Shouldn't it be a broadcast? The answer is that it can be either broadcast or unicast. The client will accept an IP packet that matches its L2 address, even though it does not yet have an IP address configured. Clients that have this ability send their broadcast with the BOOTP flags set to 0, which indicates unicast, while a value of 1 indicates broadcast. However, the final decision is up to the server.

BOOTP flag 0:

[Image: bootp flag]

BOOTP flag 1, from the previous post:

[Image: bootp flag]

From RFC 2131:
Normally, DHCP servers and BOOTP relay agents attempt to deliver DHCPOFFER, DHCPACK and DHCPNAK messages directly to the client using unicast delivery.

The capture between R1 and R2 shows the following: R2 receives the broadcasts and sends them as unicasts to R1.

[Image: dhcp relay agent]
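To compare the two captures programmatically, here is an added example (not part of the original post) that parses a DHCP payload and reports the broadcast bit of the BOOTP flags together with the relay agent address field (giaddr in RFC 2131), which a relay agent fills in before forwarding. It goes slightly beyond the post by reading giaddr; the sample packets, the MAC address, the 192.0.2.1 relay address and the names parse_dhcp and build are all constructed for illustration.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP header fields relevant to relaying, plus option 53."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    _op, _htype, _hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    giaddr = socket.inet_ntoa(payload[24:28])  # relay agent IP address field
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:  # pad option: single byte, no length
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        if code == 53 and length == 1:  # DHCP message type
            msg_type = MSG_TYPES.get(payload[i + 2], str(payload[i + 2]))
        i += 2 + length
    return {
        "type": msg_type,
        "xid": hex(xid),  # unchanged by the relay, so it links both captures
        "broadcast": bool(flags & 0x8000),  # top bit of the flags field
        "giaddr": giaddr,
        "via_relay": giaddr != "0.0.0.0",  # non-zero once a relay agent has handled it
    }

def build(flags: int, giaddr: str, msg_type: int) -> bytes:
    """Constructed sample request (not taken from the post's pcap files)."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234ABCD, 0, flags)
    hdr += bytes(12) + socket.inet_aton(giaddr)  # ciaddr, yiaddr, siaddr, then giaddr
    hdr += bytes.fromhex("020000000001").ljust(16, b"\0") + bytes(192)  # chaddr, sname, file
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])

if __name__ == "__main__":
    print(parse_dhcp(build(0x0000, "0.0.0.0", 1)))    # as sent by the client on its LAN
    print(parse_dhcp(build(0x0000, "192.0.2.1", 1)))  # same DISCOVER after the relay (constructed)
```

Matching on the transaction ID lets you pair each message seen on the client side with its relayed copy on the server side.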
