DHCP in action

understanding Dynamic Host Configuration Protocol

This page is a brief look into into DHCP, Dynamic Host Configuration Protocol, as I needed it to get Winroute firewall configured, in particular the rules regarding incoming and outgoing connections, to make sure that DHCP - Dynamic Host Configuration protocol - would still function after I set up the firewall.
To do so, we'll look at the contents of the ethernet frames that pass when DHCP is at work.

DHCP is a protocol for dynamic configuration of network hosts. It stands for Dynamic Host Configuration Protocol. DHCP is used to assign an IP address to a computer and pass other network information to it, such as a subnet mask, and important addresses such as DNS server address, standard gateway address, and so on.

What makes DHCP a bit more difficult to grasp, is the fact that, before a host obtains an IP address, it does not have an IP address. So it must be hard to send information to it. Also, the rest of the network configuration is still incomplete, so the host will probably not even know who to ask for an IP address.

So, there most be other mechanisms to overcome this problem. 'Broadcast' is a message that is send to a group of computers. In an IP address range, the highest address is the broadcast address : if you have a subnet with addresses such as and the subnet mask is, then the range goes from to is then the broadcast address.

Under the IP layer, where IP adresses are at play, other protocols are at work to transfer data frames from node to node on the network. Since we're in a situation where we have no IP address yet, it is obvious that these protocols will play an important role.

PPP, point to point protocol, is a datalink protocol (or, in the TCP/IP reference model : a host-to-network protocol) that handles dial-in connections, such as a modem connection to an internet provider. During the exchange of PPP packets, right after the modem has connected to your ISP's modem bank, your login is checked with PAP or CHAP (authentication methods : Pasword Authentication or Challenge Handshake Authentication), and then your computer requests a 'network configuration' and is given an IP address in return. Other network configuration data, such as IP addresses of DNS servers etc, can be provided as well. Once you have this information, IP can work with the IP addresses as if your modem was an ethernet network card.

For network adapters, similar protocols exist. Ethernet has it's own addressing scheme, based on the network adapters MAC address. Each network adapter has it's unique number written in its chips. Cable modems also have MAC addresses. ARP, Address Resolution Protocol, can be used to find the MAC address from a known IP address, while DHCP will assign an IP address to a given MAC address.

To see DHCP at work, you can run a packet capturing program (packet sniffer) while your PC requests an IP address from a DHCP server. You can also use a packet filtering firewall that is set up to allow everything to pass, but log all packets.

What follows is exactly that : a packet capture of a DHCP request and its follow up, in order to see what kind of packets pass back and forth. Tools that were uses to produce this output, were

Understanding DHCP is necessary if you want to configure a packet filtering firewall to connect a network or a computer to the internet. Unless you're paying for a static IP address, your internet service provider will assign a dynamic IP address, i.e an IP address assigned to you by the ISP's DHCP server. If that communication is not allowed to pass through the firewall, you'll never get your network connected to the internet.

So here goes ...

The DHCP client sends out an Ethernet broadcast. It contains no IP source address (obviously there isn't one), and shows as IP destination address : any address. It further contains the following information :

Frame 1 (342 bytes on wire, 342 bytes captured)

Ethernet II, Src: 00:10:5a:48:4a:d0, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)
    Source: 00:10:5a:48:4a:d0 (
    Type: IP (0x0800)

Internet Protocol, Src Addr: (, Dst Addr: (

    Destination: (

User Datagram Protocol, Src Port: 68 (68), Dst Port: bootp (67)
    Source port: 68 (68)
    Destination port: bootp (67)

Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Client IP address: (
    Your (client) IP address: (
    Next server IP address: (
    Relay agent IP address: (
    Option 55: Parameter Request List
        1 = Subnet Mask
        15 = Domain Name
        3 = Router
        6 = Domain Name Server
        44 = NetBIOS over TCP/IP Name Server
        46 = NetBIOS over TCP/IP Node Type
        47 = NetBIOS over TCP/IP Scope
        43 = Vendor-Specific Information
        77 = User Class Information
    End Option

BOOTP - Boot strap protocol - is a somewhat older protocol, originally used to boot from a remote host. DHCP is kind of an extension to BOOTP.

A DHCP server, listening on port 67; will receive the broadcast and will send back an ethernet frame to the given MAC address. Inside the frame, there's information such as

Frame 2 (345 bytes on wire, 345 bytes captured)

Ethernet II, Src: 02:00:00:00:00:00, Dst: 00:10:5a:48:4a:d0
User Datagram Protocol, Src Port: bootp (67), Dst Port: 68 (68)
    Source port: bootp (67)
    Destination port: 68 (68)
    Length: 311
    Checksum: 0x5478 (correct)

Bootstrap Protocol
    Message type: Boot Reply (2)
    Hardware type: Ethernet
    Bootp flags: 0x0000 (Unicast)
    Client IP address: (
    Your (client) IP address: 
    Next server IP address: (
    Relay agent IP address: (
    Client hardware address: 00:10:5a:48:4a:d0
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option 53: DHCP Message Type = DHCP Offer
    Option 54: Server Identifier =
    Option 51: IP Address Lease Time = 1 hour, 55 minutes, 47 seconds
    Option 1: Subnet Mask =
    Option 58: Renewal Time Value = 57 minutes, 53 seconds
    Option 59: Rebinding Time Value = 1 hour, 41 minutes, 18 seconds
    Option 15: Domain Name = "pandora.be"
    Option 6: Domain Name Server
        IP Address:
        IP Address:
    Option 3: Router =
    End Option

The DHCP client, listening on port 68, now has received enough information to configure the network card. Aparently, this is information is not yet used, because the DHCP request is repeated, by broadcast. The first broadcast was rather to 'discover' a DHCP server, and when a DHCP server sends a reply, the client broadcasts a DHCP request (frame 3). The DHCP server replies (frame 4).

note that at least one packet (frame) has to go out and one has to come in before either the IP address of thge DHCP server or the IP address of the DHCP client are known. An IP packet filter firewall therefore will need to allow

Next, the default router needs to update its routing tables to include the new host IP address. A message 'Who has Tell' is sent, and replied to (telling the router the MAC address of Then a ICMP (internet control message) is send to the router.

Next, the DNS servers are informed about the new host on the network so that they can update their records.

To configure a packet filtering firewall that allows DHCP with an external DHCP server, the following rules will need to be considered :

still working on it

Koen Noens
July 2003