NetProtectionLab_TP2

Simple Network Sniffing using Wireshark, TCPdump and more about DHCPv4 IP Leasing

DHCP Protocol & DHCPv4 Leasing

Dynamic Host Configuration Protocol (DHCP) is a network management protocol used to automate the process of configuring devices on IP networks, thus allowing them to use network services such as DNS, NTP, and any communication protocol based on UDP or TCP. A DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network so they can communicate with other IP networks.

image

The typical dynamic DHCP lease cycle is as follows:

  1. A client acquires an IP address lease through the allocation process of requesting one from the DHCP server.
  2. If a client already has an IP address from an existing lease, it needs to refresh its IP address when it reboots after being shut down and contact the DHCP server to have an IP address reallocated.
  3. Once a lease is active, the client is bound to the lease and to the address.
  4. Once the lease has expired, a client contacts the server that initially granted the lease to renew it so it can keep using its IP address.
  5. If a client is moving to a different network, its dynamic IP address is terminated, and it requests a new IP address from the DHCP server of the new network.
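To make the lease cycle concrete, here is an added example (not part of the original lab write-up) that builds and parses the four DHCPv4 messages Wireshark shows during an allocation, the DISCOVER / OFFER / REQUEST / ACK exchange, and derives the renewal timers from the lease. It follows the RFC 2131 wire format (236-byte BOOTP header, magic cookie, TLV options) and the RFC 2131 defaults of T1 = 50% and T2 = 87.5% of the lease time unless options 58/59 override them. All addresses, MACs and the transaction ID are constructed sample values.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie that precedes the options
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
FIXED_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # op..file, 236 bytes in total


def build_dhcp(op, xid, yiaddr, chaddr, options):
    """Serialize a DHCPv4 message: fixed BOOTP header + magic cookie + TLV options + END."""
    header = struct.pack(FIXED_HEADER,
                         op, 1, 6, 0,                 # op, htype=Ethernet, hlen=6, hops
                         xid, 0, 0x8000,              # xid, secs, flags (broadcast bit)
                         b"\0" * 4,                   # ciaddr
                         ipaddress.IPv4Address(yiaddr).packed,  # yiaddr ("your" address)
                         b"\0" * 4, b"\0" * 4,        # siaddr, giaddr
                         chaddr.ljust(16, b"\0"),     # client hardware address
                         b"\0" * 64, b"\0" * 128)     # sname, file (unused here)
    body = b"".join(struct.pack("!BB", code, len(val)) + val for code, val in options)
    return header + DHCP_MAGIC + body + b"\xff"


def parse_dhcp(data):
    """Decode the fixed header and walk the option TLVs (handles PAD=0 and END=255)."""
    fields = struct.unpack(FIXED_HEADER, data[:236])
    if data[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(data):
        code = data[i]
        if code == 0:          # PAD: single byte, no length
            i += 1
            continue
        if code == 255:        # END
            break
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    hlen = fields[2]
    return {"op": fields[0], "xid": fields[4],
            "yiaddr": str(ipaddress.IPv4Address(fields[8])),
            "chaddr": fields[11][:hlen].hex(":"),
            "options": options}


def message_type(msg):
    return MESSAGE_TYPES[msg["options"][53][0]]   # option 53 = DHCP Message Type


def lease_timers(options):
    """Return (lease, T1, T2) in seconds; RFC 2131 defaults apply when 58/59 are absent."""
    lease = struct.unpack("!I", options[51])[0]
    t1 = struct.unpack("!I", options[58])[0] if 58 in options else lease // 2
    t2 = struct.unpack("!I", options[59])[0] if 59 in options else int(lease * 0.875)
    return lease, t1, t2


def dora_complete(msgs):
    """True when the messages form one full allocation: same xid, DISCOVER->OFFER->REQUEST->ACK."""
    same_xid = len({m["xid"] for m in msgs}) == 1
    return same_xid and [message_type(m) for m in msgs] == ["DISCOVER", "OFFER", "REQUEST", "ACK"]


def sample_dora():
    """Constructed sample exchange (hypothetical addresses), as a capture of ipconfig /renew would show."""
    xid, mac = 0x3903F326, bytes.fromhex("02aabbccdd01")
    server, offered = ipaddress.IPv4Address("192.168.1.1").packed, "192.168.1.50"
    lease = struct.pack("!I", 86400)                  # 24-hour lease
    net_opts = [(54, server), (51, lease), (1, ipaddress.IPv4Address("255.255.255.0").packed),
                (3, server), (6, server)]             # server id, lease, mask, router, DNS
    return [
        build_dhcp(1, xid, "0.0.0.0", mac, [(53, b"\x01"), (55, bytes([1, 3, 6]))]),
        build_dhcp(2, xid, offered, mac, [(53, b"\x02")] + net_opts),
        build_dhcp(1, xid, "0.0.0.0", mac, [(53, b"\x03"), (50, ipaddress.IPv4Address(offered).packed),
                                            (54, server)]),
        build_dhcp(2, xid, offered, mac, [(53, b"\x05")] + net_opts),
    ]


if __name__ == "__main__":
    msgs = [parse_dhcp(raw) for raw in sample_dora()]
    for m in msgs:
        print(f"xid=0x{m['xid']:08x} {message_type(m):8} yiaddr={m['yiaddr']} chaddr={m['chaddr']}")
    lease, t1, t2 = lease_timers(msgs[-1]["options"])
    print(f"lease={lease}s renew(T1)={t1}s rebind(T2)={t2}s complete={dora_complete(msgs)}")
```

The parser is what you would point at the UDP payload of a frame captured on ports 67/68; the timer function explains why a client starts its renewal long before the lease actually expires, which is the behaviour step 4 above describes.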

Testing out DHCP lease and configuration commands on Windows

We can start by executing the following command to get our current network configuration:

ipconfig /all

image

We can execute the following commands while Wireshark is capturing our network traffic:

ipconfig /release  -- releases our current IP and ends its lease on the DHCP server
ipconfig /renew    -- starts the DHCP handshake over again to obtain a new IP (the server will often hand back the same one)

image

TCPdump - Network logging

tcpdump is a packet analyzer that is launched from the command line. It can be used to analyze network traffic by intercepting and displaying packets that are being created or received by the computer it's running on.

image

Using tcpdump to capture global host traffic

image

Using tcpdump to capture ICMP host traffic

image

We are also running a ping to google.com at the same time.

image

Using tcpdump to dump traffic in a file

The "-w" option lets you write the output of tcpdump to a file which you can save for further analysis.

image

Using tcpdump to read pcap traffic from a file

The "-r" option lets you read packets back from a saved capture file. All you have to do is use the "-r" option with the tcpdump command and specify the path of the file you want to read.

sudo tcpdump -r OUTPUT
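The file tcpdump writes with "-w" and reads with "-r" is the classic pcap format, which is also what Wireshark opens. The following added example (not from the original lab) writes a small pcap file containing a constructed ICMP echo request and a constructed DHCP-style UDP datagram, reads it back, and applies a tiny subset of tcpdump's filter syntax ("icmp", "udp port 67", "host A", joined with "and"), which is the same selection the ICMP capture section above performs on live traffic. All MAC and IP addresses are sample values; the file it produces can be opened with `tcpdump -r` for comparison.

```python
import struct
import ipaddress
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # little-endian pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def ip_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in header checksum
    return hdr + payload


def ethernet(src_mac, dst_mac, payload):
    return dst_mac + src_mac + b"\x08\x00" + payload                     # EtherType 0x0800 = IPv4


def icmp_echo(ident, seq, data=b"ping"):
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data              # type 8 = echo request
    return hdr[:2] + struct.pack("!H", ip_checksum(hdr)) + hdr[4:]


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # checksum 0 = none


def write_pcap(path, packets):
    """packets: iterable of (timestamp_seconds, raw_ethernet_frame)."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts, frame in packets:
            f.write(struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Yield (timestamp, frame) for each record, like tcpdump -r does."""
    with open(path, "rb") as f:
        magic, *_, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
            raise ValueError("not a little-endian Ethernet pcap file")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", rec)
            yield ts_sec + ts_usec / 1e6, f.read(incl_len)


def decode(frame):
    """Pull out the fields tcpdump prints in its one-line summary (IPv4 only)."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    info = {"proto": PROTO_NAMES.get(proto, str(proto)),
            "src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20]))}
    if proto in (6, 17):
        info["sport"], info["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return info


def matches(info, expr):
    """Tiny subset of tcpdump filter syntax: 'icmp'|'udp'|'tcp', 'host A', 'port N', 'udp port N', 'X and Y'."""
    for clause in expr.split(" and "):
        w = clause.split()
        ports = (info.get("sport"), info.get("dport"))
        if w[0] in PROTO_NAMES.values() and len(w) == 1:
            ok = info["proto"] == w[0]
        elif w[0] == "host":
            ok = w[1] in (info["src"], info["dst"])
        elif len(w) == 3 and w[1] == "port":
            ok = info["proto"] == w[0] and int(w[2]) in ports
        elif w[0] == "port":
            ok = int(w[1]) in ports
        else:
            raise ValueError("unsupported filter: " + clause)
        if not ok:
            return False
    return True


def filter_pcap(path, expr):
    out = []
    for _, frame in read_pcap(path):
        info = decode(frame)
        if info and matches(info, expr):
            out.append(info)
    return out


def write_sample(path=None):
    """Constructed capture: one ping to 8.8.8.8 and one DHCP DISCOVER-style broadcast (hypothetical hosts)."""
    path = path or tempfile.mkstemp(suffix=".pcap")[1]
    mac_a, mac_b = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    ping = ethernet(mac_a, mac_b, ipv4("192.168.1.50", "8.8.8.8", 1, icmp_echo(0x1234, 1)))
    disc = ethernet(mac_a, b"\xff" * 6, ipv4("0.0.0.0", "255.255.255.255", 17, udp(68, 67, b"\x01" * 16)))
    write_pcap(path, [(1.0, ping), (1.5, disc)])
    return path


if __name__ == "__main__":
    p = write_sample()
    for expr in ("icmp", "udp port 67", "host 8.8.8.8"):
        print(expr, "->", filter_pcap(p, expr))
```

Writing the 24-byte global header and 16-byte per-record header in little-endian order is what makes the output interchangeable with tcpdump; reading it back the same way is all "-r" does before handing each frame to the dissector and the filter.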

image