Analyzing DHCP problems

Dynamic Host Configuration Protocol (DHCP) is the protocol that provides you with an IP address automatically while connecting to the network. In this recipe, we will learn how to locate some of the common DHCP problems.

Getting ready

When you have a DHCP server on your network and PCs are not able to receive IP addresses automatically, connect Wireshark with a port mirror to the device that doesn't receive the address, then connect and disconnect the device from the network, or simply use the ipconfig /release and ipconfig /renew commands. Now, we will have a look at what can go wrong.

How to do it...

Have a look at the DHCP procedure described in the How it works … section. Anything that is not going according to this procedure is wrong, so check for the following:

  1. Did the client send the DHCP Discover packet?
  2. If it did, the client works fine.
  3. If it didn't:
    • Something is wrong with the client. Check if the client is configured with DHCP (obtain an IP address automatically as marked in the TCP/IP configuration window).
    • It can be that the client is physically not connected to the network. It happens a lot with wireless communications (WiFi), where the client does not have connectivity to the network and therefore, does not send the DHCP Discover packet since it doesn't have a network to send it over.
  4. The client sends DHCP Discover and receives DHCP Offer from a single server. This is ok; continue watching the wire.
  5. The client sends DHCP Discover and receives DHCP Offer from two or more servers. This is a problem. You have more than one DHCP server on your LAN, and you might get different address allocations to clients on the LAN. Turn off one of the servers (at least the DHCP service on it).
  6. You receive DHCP Discover and send DHCP Request; this is fine.
    • If you immediately receive DHCP Ack with the IP parameters, everything is fine.
    • If you don't receive anything, and you send another DHCP Request, it can be a slow or non-responsive server. Check it.
  7. If you receive a DHCP Decline message, it is the server that has refused your request.
    1. It can be that the server does not have available addresses. In this case, extend your address range.
    2. It can also be that the server has allocated your previous IP address to someone else. This is a server configuration issue; if you need this feature, configure the server to save IP addresses per client.

How it works...

DHCP is considered to be a simple protocol, but actually it is very complex. When you connect a client to the network, it will go through the following steps:

  1. DHCP Discover: The client initializes a limited version of TCP/IP and broadcasts a request looking for a DHCP server. The request is sent from UDP port 68 to UDP port 67.
  2. DHCP Offer: DHCP servers listen on UDP port 67, and if a server receives the request, it answers with a DHCP offer, that is, an offer to provide the service of address assignment.
  3. DHCP Request: The client receives the DHCP offer and sends back a request to receive information. The request will be, for example, the IP address that we requested before (because we had it before), for our MAC address so that the server will recognize us as a prior client with a saved IP address and other parameters.
  4. DHCP Ack: Here the server sends the requested information, including the IP address, subnet mask, default gateway, DNS servers, and other parameters that are configured on the server.

In the next screenshot, we see a standard procedure of DHCP that works properly:

There's more...

A very common problem is that you connect a device to your network, receive an IP address, and have no idea where it came from. Usually, this is because someone has connected a DHCP server to your LAN without telling you. In most cases, it will be a small Internet router. This is very simple to find out:

  1. If you type ipconfig and get an address that you don't know, it might be a problem.
  2. Since the router we suspect is connected to the network, assign your IP address, subnet mask, and a default gateway. When you ping your default gateway, you actually ping the router, which is likely to be the troublemaker.
  3. Type arp -a to give you the troublemaker's MAC address. This will tell you two things:
    • Who is the vendor? When you know who the vendor is (D-Link, Edimax, Netgear, and many others), you can simply go and look for it.
    • By logging into the LAN switch, the MAC address will also tell you which port it is connected to. Go to your communications room and disconnect it.
  4. Of course, while listening to the port with Wireshark, you will see the vendor MAC address easily.
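
The multiple-Offer check from the How to do it... list and the unknown DHCP server case above can be automated. The following is an added example, not part of the original recipe: it parses the UDP payloads of DHCP packets (as exported from a capture) and reports transactions that were answered by more than one server identifier (option 54). The function names and the sample payloads are assumptions constructed for illustration.

```python
import socket
import struct
from collections import defaultdict

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
OFFER = 2                      # value of option 53 (message type) for DHCP Offer

def parse_dhcp(payload):
    """Return (xid, client_mac, msg_type, server_id) for a UDP payload, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    mac = payload[28:34].hex(":")          # chaddr, assuming Ethernet (hlen 6)
    msg_type = server_id = None
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:                # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            break                          # truncated option, stop parsing
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:
            msg_type = value[0]
        elif code == 54 and length == 4:   # server identifier
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return xid, mac, msg_type, server_id

def conflicting_offers(payloads):
    """Map (xid, client MAC) -> sorted server identifiers, for transactions with 2+ servers."""
    seen = defaultdict(set)
    for p in payloads:
        parsed = parse_dhcp(p)
        if parsed and parsed[2] == OFFER and parsed[3]:
            seen[parsed[:2]].add(parsed[3])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def build_offer(xid, mac, server_ip):
    """Constructed sample data: a minimal DHCP Offer payload, not captured traffic."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + bytes(16) + mac + bytes(202)
    return header + MAGIC + bytes([53, 1, OFFER, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"

SAMPLE = [  # constructed: two servers answer one Discover, one server answers another
    build_offer(0x1234ABCD, bytes.fromhex("020000000001"), "192.0.2.1"),
    build_offer(0x1234ABCD, bytes.fromhex("020000000001"), "192.0.2.254"),
    build_offer(0x5555AAAA, bytes.fromhex("020000000002"), "192.0.2.1"),
]
```

Calling conflicting_offers(SAMPLE) returns only the transaction that two servers answered; any server identifier in that list that is not your known DHCP server is the device to trace with the ARP and switch-port steps above.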