Lab 3 - Analyzing DHCP and ARP with Wireshark

Lab 3 Assignment page on Canvas

Overview

In this lab, we'll further flex our Wireshark skills and take a closer look at the ARP and DHCP protocols.

There will be multiple correct ways to complete this lab; we highly recommend using search engines to help you find solutions.

Instructions

DHCP

Setup

Stop any ongoing captures and configure a new capture on your wireless interface with capture filter arp || udp portrange 67-68. This filter will prevent Wireshark from capturing excessive amounts of traffic so that we can leave the capture running for the entire lab.

While our current capture should be fairly quiet thanks to the capture filter above, create a display filter to further reduce the number of visible packets (Hint: type dhcp into the display filter input below the main Wireshark toolbar).

At the end of the lab, save your capture and submit it with your assignment.

Request a new DHCP Lease

In order to properly complete this lab, you will need to terminate your current DHCP lease so that you can capture the process of DHCP initializing your network interface. This process will differ depending on your OS.

Follow the instructions linked on the resources site to complete this process.

Report

  1. Based on your capture, create an outline of your complete DHCP exchange. For each message:
    • Include a screenshot of the packet details summary.
    • Include a brief written summary, identifying: DHCP message type, DHCP transaction ID, source and destination Ethernet addresses, source and destination IP addresses, and the associated UDP source and destination ports.
  2. How can you determine which messages were sent by your own device versus the DHCP server?
  3. Based on the outline you created above, determine the purpose of the 0.0.0.0 address appearing within the DHCP exchange.
  4. What Ethernet-layer (Layer 2) address corresponds to the 255.255.255.255 (Layer 3) IP address? Using online resources as necessary, determine the purpose of these special addresses.
  5. Which of the fields that you have observed can be used to distinguish between different conversations between the same client and server?

If you look closely at the packet details for each message, you'll notice that each DHCP message contains a variety of options. In DHCP, options allow DHCP clients and servers to adapt the protocol to their own needs. Like many other protocols, DHCP encodes options as a type, a length, and a value. Based on this structure, we can continue to extend the protocol without needing to change the basic foundation.

  1. Using your search engine of choice, identify the IETF RFC (# and name) that defines the common option types for the DHCP protocol.
  2. Which DHCP Option (#) tells us the DHCP message type? How many bytes are required to encode the type?
  3. Which DHCP Option (#) tells us the length of a DHCP lease? How many bytes are required to encode the duration of the lease?
  4. According to the RFC, is it possible to specify the lease length in any unit of time other than seconds?
  5. Compare the Lease Time option of the Discover message with the value in the Offer message. Did your device request a particular duration? If so, did the server honor this request?
  6. Using online resources as needed, determine what happens at the end of a DHCP address lease.
  7. Based on the order of the messages in the capture and the details we've asked you to examine, offer an explanation of how the DHCP protocol works to configure your network interface with appropriate settings. How does the protocol make use of Ethernet and IP broadcast functionality, and why is that important? Use your capture to illustrate your point.
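To make the type/length/value structure described above concrete, here is an added example (not part of the lab handout) that walks a DHCP options field the same way Wireshark's dissector does. The option field starts with the magic cookie 63 82 53 63; the sample DHCPOFFER options are constructed for the example, not taken from a capture.

```python
import struct

# Option codes and message-type values as defined in RFC 2132.
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the options field

def parse_dhcp_options(field: bytes) -> dict:
    """Walk the options field as type/length/value triples (RFC 2132).
    Pad (0) is a single byte with no length; End (255) stops the walk."""
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("options field does not start with the DHCP magic cookie")
    i, options = len(MAGIC_COOKIE), {}
    while i < len(field):
        code = field[i]
        if code == 0:                       # pad: no length byte, no value
            i += 1
            continue
        if code == 255:                     # end option
            break
        if i + 1 >= len(field):
            raise ValueError("truncated option header")
        length = field[i + 1]
        value = field[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes but fewer remain")
        options[code] = value               # unknown codes are kept verbatim
        i += 2 + length
    return options

def summarize(options: dict) -> dict:
    """Decode the options the lab asks about: message type is a single byte
    (option 53); lease time is a 4-byte unsigned count of seconds (option 51)."""
    summary = {}
    if 53 in options:
        summary["message_type"] = MESSAGE_TYPES.get(options[53][0], "unknown")
    if 51 in options:
        summary["lease_seconds"] = struct.unpack("!I", options[51])[0]
    if 54 in options:
        summary["server_id"] = ".".join(str(b) for b in options[54])
    return summary

# Constructed sample: the options field of a DHCPOFFER (not from a real capture).
SAMPLE_OFFER_OPTIONS = (MAGIC_COOKIE
    + bytes([53, 1, 2])                          # Message Type = OFFER
    + bytes([51, 4]) + struct.pack("!I", 86400)  # lease: 86400 seconds (1 day)
    + bytes([54, 4, 192, 168, 1, 1])             # server identifier
    + bytes([1, 4, 255, 255, 255, 0])            # subnet mask
    + bytes([0, 255]))                           # pad, then end
```

Because the walker only needs the length byte to skip an option it does not understand, a client and server can exchange new option types without either side breaking, which is the extensibility the paragraph above refers to.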

ARP

Setup

You may continue to use the same capture for this section. If you launch a new capture, please save the first capture and submit both with your assignment.

Before you begin the analysis questions, clear the ARP cache per instructions linked on the resources site and generate some Internet traffic, e.g., browse the web.

Remove any existing display filters and create a new filter that will only show ARP related traffic. (Hint: type arp in the display filter input).

Report

  1. Outline a complete ARP exchange (request and response). For each message:
    • Include a screenshot of the packet details summary.
    • Include a brief written summary, identifying: ARP Opcode, Sender and Target Ethernet addresses, Sender and Target IP addresses.
  2. Identify the 48-bit hardware address associated with your network interface and use this information to specify which message(s) originated from your local device.
  3. Determine which messages are sent to a broadcast destination.
  4. Why do you think the ARP protocol makes use of the broadcast destination?
  5. Aside from the broadcast address, what other differences do you notice between the contents of ARP requests and replies?
  6. Spend a moment comparing the overall packet structure (as seen in the Packet Details view) between DHCP and ARP. Identify any layers that are present in one protocol but not in the other.
  7. In order for a network message to be considered an IP packet, the message must contain an Internet Protocol layer that includes an IP header for the rest of the message. Does the ARP protocol use IP packets to communicate?
  8. Describe in your own words how ARP works to allow hosts to communicate in a Layer-2 network based on IP address. Use your capture to illustrate your points.
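The following added example (not part of the lab handout) decodes a constructed ARP request/reply pair straight out of their Ethernet frames, exposing the fields the report items above ask for: EtherType, opcode, sender/target hardware and protocol addresses, and whether the frame went to the broadcast destination. The MAC and IP addresses are made up for the example.

```python
import struct

ETHERTYPE_ARP = 0x0806          # ARP rides directly on Ethernet; there is no IP header
BROADCAST_MAC = b"\xff" * 6
OPCODES = {1: "request", 2: "reply"}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet frame carrying ARP for IPv4 (RFC 826 layout):
    Ethernet header (14 bytes) then a fixed 28-byte ARP body."""
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = frame[22:22 + 2 * (hlen + plen)]
    sha, spa, tha, tpa = body[:6], body[6:10], body[10:16], body[16:20]
    return {
        "eth_dst": mac(dst), "eth_src": mac(src),
        "eth_broadcast": dst == BROADCAST_MAC,
        "opcode": OPCODES.get(oper, f"unknown({oper})"),
        "sender_mac": mac(sha), "sender_ip": ipv4(spa),
        "target_mac": mac(tha), "target_ip": ipv4(tpa),
    }

def build_arp(dst, src, oper, sha, spa, tha, tpa) -> bytes:
    return (dst + src + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + tha + tpa)

# Constructed exchange (not captured traffic): host A broadcasts "who has 192.168.1.1?",
# the gateway B answers with a unicast reply addressed to A.
A_MAC, B_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
A_IP, B_IP = bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1])
REQUEST = build_arp(BROADCAST_MAC, A_MAC, 1, A_MAC, A_IP, b"\x00" * 6, B_IP)
REPLY = build_arp(A_MAC, B_MAC, 2, B_MAC, B_IP, A_MAC, A_IP)

def messages_from(frames, local_mac: str) -> list:
    """Select the parsed ARP messages whose sender hardware address is the local interface."""
    return [p for p in map(parse_arp_frame, frames) if p["sender_mac"] == local_mac]
```

Note that the request carries an all-zero target hardware address (the very value being asked for) while the reply fills it in and is delivered unicast to the requester.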