DHCP protocol dump

From Wiki do Bernardino

Using "tcpdump"

The contents of the packets belonging to the DHCP protocol can be viewed with the "tcpdump" command, run as follows:

# tcpdump -lenx -i eth1 -s 1500 port bootps or port bootpc

The output looks something like this:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 1500 bytes
14:51:24.662067 00:30:05:a7:2f:9d > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 192.168.90.61.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:30:05:a7:2f:9d, length 300
  0x0000:  4500 0148 15f2 0000 8011 08ce c0a8 5a3d
  0x0010:  ffff ffff 0044 0043 0134 6ddf 0101 0600
  0x0020:  6766 740f 0000 8000 c0a8 5a3d 0000 0000
  0x0030:  0000 0000 0000 0000 0030 05a7 2f9d 0000
  0x0040:  0000 0000 0000 0000 0000 0000 0000 0000
  0x0050:  0000 0000 0000 0000 0000 0000 0000 0000
  0x0060:  0000 0000 0000 0000 0000 0000 0000 0000
  0x0070:  0000 0000 0000 0000 0000 0000 0000 0000
  0x0080:  0000 0000 0000 0000 0000 0000 0000 0000
  0x0090:  0000 0000 0000 0000 0000 0000 0000 0000
  0x00a0:  0000 0000 0000 0000 0000 0000 0000 0000
  0x00b0:  0000 0000 0000 0000 0000 0000 0000 0000
  0x00c0:  0000 0000 0000 0000 0000 0000 0000 0000
  0x00d0:  0000 0000 0000 0000 0000 0000 0000 0000
  0x00e0:  0000 0000 0000 0000 0000 0000 0000 0000
  0x00f0:  0000 0000 0000 0000 0000 0000 0000 0000
  0x0100:  0000 0000 0000 0000 6382 5363 3501 083d
  0x0110:  0701 0030 05a7 2f9d 0c06 5332 3338 3235
  0x0120:  3c08 4d53 4654 2035 2e30 370d 010f 0306
  0x0130:  2c2e 2f1f 2179 f92b fcff 0000 0000 0000
  0x0140:  0000 0000 0000 0000

This is not always easy to read.
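The raw hex is readable once you apply the BOOTP/DHCP layout (RFC 2131): a 236-byte fixed header, the magic cookie 63 82 53 63, then type-length-value options. The following Python script is an added example, not code from the original page: it rebuilds the packet from the tcpdump rows printed above (copied verbatim; the all-zero rows are generated) and prints the same fields dhcpdump shows, so the dump can be decoded without a second tool. The message-type and option names are the standard DHCP option codes.

```python
import struct

# Hex dump copied from the tcpdump output above (the DHCPINFORM sent by
# 192.168.90.61). With -x tcpdump prints from the IP header onward, so there
# is no Ethernet header in these bytes.
TCPDUMP_HEX = (
    "  0x0000:  4500 0148 15f2 0000 8011 08ce c0a8 5a3d\n"
    "  0x0010:  ffff ffff 0044 0043 0134 6ddf 0101 0600\n"
    "  0x0020:  6766 740f 0000 8000 c0a8 5a3d 0000 0000\n"
    "  0x0030:  0000 0000 0000 0000 0030 05a7 2f9d 0000\n"
    # rows 0x0040 to 0x00f0 (the sname and file fields) are all zeros
    + "".join(f"  0x{off:04x}:  " + " ".join(["0000"] * 8) + "\n"
              for off in range(0x40, 0x100, 0x10))
    + "  0x0100:  0000 0000 0000 0000 6382 5363 3501 083d\n"
    "  0x0110:  0701 0030 05a7 2f9d 0c06 5332 3338 3235\n"
    "  0x0120:  3c08 4d53 4654 2035 2e30 370d 010f 0306\n"
    "  0x0130:  2c2e 2f1f 2179 f92b fcff 0000 0000 0000\n"
    "  0x0140:  0000 0000 0000 0000\n"
)

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                      4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK",
                      7: "DHCPRELEASE", 8: "DHCPINFORM"}

def hexdump_to_bytes(text):
    """Rebuild the raw packet from tcpdump's '0xNNNN:  xxxx xxxx ...' rows."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        _offset, _, hexpart = line.partition(":")
        out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)

def ip4(b):
    return ".".join(str(x) for x in b)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_options(data):
    """Walk the TLV option area that follows the magic cookie."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # PAD: a single byte with no length field
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past the end of the packet")
        opts[code] = bytes(value)
        i += 2 + length
    return opts

def parse_dhcp_packet(pkt):
    """Decode IPv4 + UDP + BOOTP/DHCP and return the fields dhcpdump prints."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    payload = pkt[ihl + 8:ihl + ulen]
    # The fixed BOOTP header is 236 bytes; the cookie marks the start of options.
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie")
    op, htype, hlen, hops = payload[0:4]
    xid, secs, flags = struct.unpack("!IHH", payload[4:12])
    info = {
        "src": ip4(pkt[12:16]), "dst": ip4(pkt[16:20]),
        "sport": sport, "dport": dport,
        "op": op, "htype": htype, "hlen": hlen, "hops": hops,
        "xid": xid, "secs": secs, "flags": flags,
        "ciaddr": ip4(payload[12:16]), "yiaddr": ip4(payload[16:20]),
        "siaddr": ip4(payload[20:24]), "giaddr": ip4(payload[24:28]),
        "chaddr": mac(payload[28:28 + hlen]),
    }
    for code, val in parse_options(payload[240:]).items():
        if code == 53:
            info["message_type"] = DHCP_MESSAGE_TYPES.get(val[0], f"unknown({val[0]})")
        elif code == 54:
            info["server_id"] = ip4(val)
        elif code == 12:
            info["hostname"] = val.decode("ascii", "replace")
        elif code == 60:
            info["vendor_class"] = val.decode("ascii", "replace")
        elif code == 61:
            info["client_id"] = mac(val)
        elif code == 55:
            info["param_request_list"] = list(val)
        else:
            info[f"option_{code}"] = val.hex()
    return info

if __name__ == "__main__":
    for key, value in parse_dhcp_packet(hexdump_to_bytes(TCPDUMP_HEX)).items():
        print(f"{key:>19}: {value}")
```

Run as a script it prints one line per field; for the dump above that is a DHCPINFORM from 192.168.90.61 (port 68 to 67, broadcast flag set) with hostname S23825, vendor class MSFT 5.0 and a 13-entry parameter request list, exactly what the bytes at 0x010c onward encode.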

Using "dhcpdump"

For more readable output we should use dhcpdump, which usually has to be installed separately because it is not part of the distributions' base package set.

On Debian it can be installed with:

# apt-get install dhcpdump

or

# yum install dhcpdump

To monitor the packets on interface eth0:

# dhcpdump -i eth0

The output is:

  TIME: 2013-10-07 15:02:52.346
    IP: 192.168.90.51 (0:24:81:c5:37:68) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 0
   XID: f4e5a080
  SECS: 0
 FLAGS: 0
CIADDR: 192.168.90.51
YIADDR: 0.0.0.0
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:24:81:c5:37:68:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         8 (DHCPINFORM)
OPTION:  61 (  7) Client-identifier         01:00:24:81:c5:37:68
OPTION:  12 (  6) Host name                 x26546
OPTION:  60 (  8) Vendor class identifier   MSFT 5.0
OPTION:  55 ( 12) Parameter Request List      1 (Subnet mask)
					     15 (Domainname)
					      3 (Routers)
					      6 (DNS server)
					     44 (NetBIOS name server)
					     46 (NetBIOS node type)
					     47 (NetBIOS scope)
					     31 (Perform router discovery)
					     33 (Static route ) 
					    249 (MSFT - Classless route)  
					     43 (Vendor specific info)
 					    252 (MSFT - WinSock Proxy Auto Detect)
					    
OPTION:  43 (  3) Vendor specific info      dc0100           .. .
--------------------------------------------------------------------------- 

  TIME: 2013-10-07 15:02:52.358
    IP: 192.168.1.220 (0:a:e4:1:3a:b7) > 192.168.90.51 (0:24:81:c5:37:68)
    OP: 2 (BOOTPREPLY)
 HTYPE: 1 (Ethernet)
  HLEN: 6
  HOPS: 1
   XID: f4e5a080
  SECS: 0
 FLAGS: 0
CIADDR: 192.168.90.51
YIADDR: 0.0.0.0
SIADDR: 192.168.1.220
GIADDR: 192.168.90.240
CHADDR: 00:24:81:c5:37:68:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         192.168.1.220
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:  15 ( 14) Domainname                cp.transnet.pt
OPTION:   3 (  4) Routers                   192.168.90.240
OPTION:   6 (  8) DNS server                192.168.1.8,192.168.1.120
OPTION:  44 (  8) NetBIOS name server       192.168.1.8,192.168.1.120
OPTION:  46 (  1) NetBIOS node type         8 (H-node)
---------------------------------------------------------------------------

Now we can analyse how the DHCP protocol works much more easily.
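Because dhcpdump's output is regular text, it can also be fed to a small monitoring script. The example below is added here and is not from the original page: it parses dhcpdump records like the ones above (an abridged copy of them, with the tab indentation replaced by spaces) and flags every BOOTPREPLY whose Server identifier (option 54) is not on an allowlist, which is a simple way of noticing an unexpected DHCP server answering on a segment. The allowlist is a constructed assumption for this example; in the sample the reply is legitimately relayed (HOPS 1, GIADDR 192.168.90.240) from 192.168.1.220.

```python
import re

# dhcpdump records copied (abridged) from the output above; the continuation
# rows of option 55 are indented with spaces instead of dhcpdump's tabs.
DHCPDUMP_OUTPUT = """\
  TIME: 2013-10-07 15:02:52.346
    IP: 192.168.90.51 (0:24:81:c5:37:68) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
    OP: 1 (BOOTPREQUEST)
  HOPS: 0
   XID: f4e5a080
GIADDR: 0.0.0.0
CHADDR: 00:24:81:c5:37:68:00:00:00:00:00:00:00:00:00:00
OPTION:  53 (  1) DHCP message type         8 (DHCPINFORM)
OPTION:  55 ( 12) Parameter Request List      1 (Subnet mask)
                                             15 (Domainname)
                                              3 (Routers)
---------------------------------------------------------------------------
  TIME: 2013-10-07 15:02:52.358
    IP: 192.168.1.220 (0:a:e4:1:3a:b7) > 192.168.90.51 (0:24:81:c5:37:68)
    OP: 2 (BOOTPREPLY)
  HOPS: 1
   XID: f4e5a080
SIADDR: 192.168.1.220
GIADDR: 192.168.90.240
CHADDR: 00:24:81:c5:37:68:00:00:00:00:00:00:00:00:00:00
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         192.168.1.220
OPTION:   3 (  4) Routers                   192.168.90.240
OPTION:   6 (  8) DNS server                192.168.1.8,192.168.1.120
---------------------------------------------------------------------------
"""

# Constructed allowlist (an assumption for this example): the DHCP servers
# that are supposed to answer clients on this segment.
AUTHORIZED_SERVERS = {"192.168.1.220"}

# "OPTION:  54 (  4) Server identifier         192.168.1.220"
OPTION_RE = re.compile(r"\s*OPTION:\s*(\d+)\s*\(\s*\d+\)\s*(.*?)\s{2,}(\S.*)$")
# "GIADDR: 192.168.90.240", "    OP: 2 (BOOTPREPLY)", ...
FIELD_RE = re.compile(r"\s*([A-Z]+):\s*(.*)$")

def parse_dhcpdump(text):
    """Split dhcpdump output into one dict per record; options are keyed by code."""
    records, cur, last_opt = [], {}, None
    for line in text.splitlines():
        if line.startswith("-----"):          # record separator
            if cur:
                records.append(cur)
            cur, last_opt = {}, None
            continue
        m = OPTION_RE.match(line)
        if m:
            last_opt = int(m.group(1))
            cur.setdefault("options", {})[last_opt] = m.group(3).strip()
            continue
        m = FIELD_RE.match(line)
        if m:
            cur[m.group(1)] = m.group(2).strip()
            last_opt = None
        elif line.strip() and last_opt is not None:
            # continuation row of a multi-valued option such as option 55
            cur["options"][last_opt] += ", " + line.strip()
    if cur:
        records.append(cur)
    return records

def check_replies(records, authorized):
    """Return one finding per BOOTPREPLY whose Server identifier (option 54)
    is not an authorized server; relayed replies (HOPS > 0) name the relay."""
    findings = []
    for r in records:
        if not r.get("OP", "").startswith("2"):
            continue
        opts = r.get("options", {})
        server = opts.get(54, "<no option 54>")
        if server in authorized:
            continue
        via = f" via relay {r.get('GIADDR')}" if r.get("HOPS", "0") != "0" else ""
        findings.append(f"{r.get('TIME')}: unauthorized DHCP server {server} sent "
                        f"{opts.get(53, '?')} to {r.get('CHADDR', '')[:17]} "
                        f"(xid {r.get('XID')}){via}")
    return findings

if __name__ == "__main__":
    recs = parse_dhcpdump(DHCPDUMP_OUTPUT)
    print(f"{len(recs)} records parsed")
    for finding in check_replies(recs, AUTHORIZED_SERVERS) or ["no unauthorized replies"]:
        print(finding)
```

With the allowlist above the two records produce no finding; removing 192.168.1.220 from it yields a single line naming the server, the DHCPACK, the client MAC and the relay. In practice the script would read `dhcpdump -i eth0` output from a pipe instead of the embedded string.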