In this article I will set up a basic switching environment in GNS3 to verify that GNS3 works correctly with Wireshark and VirtualBox. This is a follow-up to the “Installing and Configuring GNS3” article that I wrote. I have two VMs running Windows XP that will be used to test connectivity from end to end, and R1 will serve as a DHCP server to distribute IP addresses. The diagram below details my current setup:

img1

Let’s go ahead and configure our Cisco Router as a DHCP server.

1. To configure the router as a DHCP server, the following commands were used:

R1(config)#ip dhcp pool NAME
R1(dhcp-config)#network 192.168.3.0 255.255.255.0
R1(dhcp-config)#default-router 192.168.3.1

The commands above create a DHCP pool, add the network that we want to assign IP addresses from, and specify the default gateway for that subnet.

Note: There are many other parameters that go into configuring a DHCP server but this will suffice for our test environment.

That should be it for the DHCP configuration. Next, configure the FastEthernet 0/0 interface, which connects to our switch.

R1(config)#interface FastEthernet 0/0
R1(config-if)#no shutdown
R1(config-if)#ip address 192.168.3.1 255.255.255.0

The commands above will turn the interface on and assign an IP address.

2. What we want to do next is capture traffic on both of our links so that we can see what actually happens. Right-clicking on the link will give you the option to capture traffic:

img2

On the right hand side in the “captures” pane, you will be able to see the current links that you are capturing traffic from:

img3

3. I have gone ahead and started both of my VMs so that we can get some traffic flowing.

img4

At any point in time we can right-click on the link and start Wireshark to view the traffic flowing through it.

4. Let’s analyze some of the traffic patterns using Wireshark. On XP Pro 1 I see that it has received an IP address from the DHCP server which means that our configuration is working fine.

img5

In Wireshark we see the following information with regards to DHCP:

img6

We see a discover message followed by an offer, a request, and an acknowledgement. This is the process that clients go through in order to obtain an IP address via DHCP. The mnemonic for the steps above is DORA (not the explorer :D), and it should help in memorizing the order of the steps.

The first message that we see, number 8 in the capture, is a DHCP Discover. Here we see a source address of 0.0.0.0 being sent to a destination address of 255.255.255.255. 255.255.255.255 is a broadcast address, which means that every client in this subnet will receive this message. Let’s look at the information in more detail below to get a sense of what is going on.

img7

At the data link layer we see a destination address of all Fs, which is the broadcast MAC address. For the source MAC address we see our own address listed, so that the DHCP server knows who to reply to. The type field, 0x0800, is the hexadecimal EtherType for IP. The type field in a frame tells the data link layer which service it should deliver the message to at the next layer, the network layer (I should talk about OSI sometime if you are not familiar with it). IP is the most popular protocol at the network layer, although there are others such as IPX, IPv6, AppleTalk, etc.

Below is a table of some of the more popular type fields:

0x0800 Internet Protocol version 4 (IPv4)
0x0806 Address Resolution Protocol (ARP)
0x0842 Wake-on-LAN
0x8035 Reverse Address Resolution Protocol
0x809B AppleTalk (Ethertalk)
0x80F3 AppleTalk Address Resolution Protocol (AARP)
0x8137 IPX
0x8138 IPX
0x86DD Internet Protocol Version 6 (IPv6)
0x8808 Ethernet flow control

You can find a full list here if you are interested:

http://en.wikipedia.org/wiki/EtherType

At the network layer we see that it is an IP packet with a source address of 0.0.0.0, since we do not have an IP address yet, and a destination address of 255.255.255.255, the broadcast address that stands for this network or the local network. The other important field here is the protocol field, which has a value of 17 for UDP. This field identifies the protocol at the next layer, the transport layer. The transport layer supports multiple protocols, with TCP and UDP being the two biggest by far. TCP and UDP are used by many applications that require end-to-end communication services. TCP is a reliable data delivery protocol while UDP is not. Note that DHCP is communicating using UDP broadcast since the client and server are both in the same subnet. This would be different if the client were trying to renew its IP address, in which case it would use UDP unicast, or if the DHCP server were in a different subnet, in which case it would have to rely on a DHCP helper or relay agent.

Below is a table of some of the more popular protocol fields:

1 ICMP Internet Control Message [RFC792]
2 IGMP Internet Group Management [RFC1112]
6 TCP Transmission Control [RFC793]
17 UDP User Datagram [RFC768]

You can find a full list here if you are interested:

http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml

Moving up to the transport layer we see that we are using UDP, with a source port of 68 and a destination port of 67. Ports 67 and 68 are reserved for the following purposes:

67 UDP Bootstrap Protocol (BOOTP) Server; also used by Dynamic Host Configuration Protocol (DHCP)
68 UDP Bootstrap Protocol (BOOTP) Client; also used by Dynamic Host Configuration Protocol (DHCP)

You can find a full list here if you are interested:

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

In the DHCP world, port 67 is used for sending data to the server while port 68 is used for sending data to the client. In the application layer we see the following for DHCP:

img8

The message type is a boot request. Some of the important options that I will highlight are: 53, which indicates that it is a discover message; 61, which provides my MAC address as a client identifier; 50, which allows the client to request an IP address (typically a client requests the last IP address it had on that interface); and 12, which provides my hostname to the DHCP server.

The next messages are all similar in the first four layers (physical to transport) and I encourage you to look through them so that it makes sense to you. I will only go through the application layer information in detail while briefly describing the rest:

img9

At layer two we have the destination MAC address set to my physical address, with a source address of the Cisco FastEthernet 0/0 interface. See below for this information so that you know that I am not lying:

img10

At layer 3 we have the DHCP server as the source IP address with a destination of my future IP address. At layer 4 we see that the ports have switched, which makes sense if you read my explanation above. At the application layer we have the client IP address filled with the value that is being offered to me. We also see my MAC address listed here, which the server learned from the first message that we sent. Option 53 specifies that this is an offer, option 54 gives us the IP address of the server that is making the offer, and options 51 and 58 give us the lease time and renewal time of the offer. Option 1 gives us the subnet mask being offered so that we know which network we belong to, and option 3 has the address of our default gateway in case we want to communicate with hosts on a separate network.

Now that we have gotten an offer the next step is to request the IP address from the offer that we got.

img11

At the data link layer we see that this is still a broadcast from my MAC address to everyone else. Similarly, at layer 3 we have a broadcast as well. We see that this is using the UDP transport protocol with a source port of 68 and a destination port of 67. At the application layer, notice that the transaction ID field matches the value in the discover and offer messages. This is important because there might be multiple DHCP servers handing out IP addresses, and this lets them know which DHCP server I am accepting the offer from, so that the others can put the address they offered me back into the pool since it wasn’t used. Option 53 specifies that this is a DHCP request, 61 gives the server my MAC address as an identifier, option 50 specifies the IP address that I am requesting, option 54 specifies the DHCP server IP address as an identifier, and option 12 gives the DHCP server my hostname.

img12

The last message, which finalizes the DHCP transaction, is the acknowledgement. This message acknowledges the request sent by the client and tells the client to configure its network parameters. At the data link layer we see a source MAC address of our Cisco router and a destination MAC address of our client. At the network layer we see a source IP address of the server and a destination of our future IP address. We see that the transport protocol is UDP, using a source port of 67 and a destination port of 68. At the application layer we see that the transaction ID matches the previous messages in this exchange. We see that it has my IP address as well as my MAC address. For the DHCP options we have 53, which specifies that this is an acknowledgement; 54, which indicates the identifier or IP address of the server; and options 51, 58, and 59, which give us our lease, renewal, and rebinding time values. Options 1 and 3 provide us with the values of our subnet mask and default gateway so that we can configure ourselves with those network options.
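To make the layer-by-layer walk through the DORA exchange concrete, here is an added Python example (not from the original post, GNS3 or Wireshark) that builds a constructed Discover and Offer frame using this lab's addresses and then decodes the same fields the text reads off each layer: EtherType, IP protocol number, UDP ports, transaction ID, yiaddr/chaddr and the DHCP options. The MAC addresses, transaction ID and hostname are made up; checksums are left at zero.

```python
import struct
from ipaddress import IPv4Address

MAGIC = b"\x63\x82\x53\x63"                                  # DHCP magic cookie
MSG_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "Ack"}  # option 53 values: the DORA steps
CLIENT_MAC = bytes.fromhex("080027aabbcc")                  # constructed: XP Pro 1 NIC
ROUTER_MAC = bytes.fromhex("c20101000000")                  # constructed: R1 FastEthernet 0/0

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, op, xid, yiaddr, options):
    # Constructed Ethernet/IPv4/UDP/BOOTP frame; IP and UDP checksums are left at 0.
    opts = b"".join(bytes([c, len(v)]) + v for c, v in options) + b"\xff"   # 255 = end option
    bootp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                        b"\0" * 4, IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        CLIENT_MAC.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr = client MAC
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp) + 4 + len(opts), 0) + bootp + MAGIC + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed) + udp   # protocol 17 = UDP
    return dst_mac + src_mac + b"\x08\x00" + ip                # EtherType 0x0800 = IPv4

def parse_dhcp_frame(frame):
    # Walk the layers the way the article does: Ethernet -> IPv4 -> UDP -> BOOTP/DHCP options.
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800: raise ValueError(f"not IPv4: EtherType 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                                   # IP header length in bytes
    if ip[9] != 17: raise ValueError(f"not UDP: protocol {ip[9]}")
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    dhcp = udp[8:]                                             # BOOTP header starts after 8-byte UDP header
    if dhcp[236:240] != MAGIC: raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(dhcp) and dhcp[i] != 255:                    # 255 = end of options
        if dhcp[i] == 0: i += 1; continue                      # 0 = pad byte, no length field
        code, length = dhcp[i], dhcp[i + 1]
        options[code] = dhcp[i + 2:i + 2 + length]
        i += 2 + length
    return {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"),
            "src_ip": str(IPv4Address(ip[12:16])), "dst_ip": str(IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "xid": struct.unpack("!I", dhcp[4:8])[0],
            "yiaddr": str(IPv4Address(dhcp[16:20])), "chaddr": dhcp[28:34].hex(":"),
            "msg_type": MSG_TYPES.get(options[53][0]) if 53 in options else None, "options": options}

XID = 0x3903F326                                               # constructed transaction ID shared by all four messages
DISCOVER = build_frame(CLIENT_MAC, b"\xff" * 6, "0.0.0.0", "255.255.255.255", 68, 67, 1, XID,
                       "0.0.0.0", [(53, b"\x01"), (61, b"\x01" + CLIENT_MAC), (12, b"xp-pro-1")])
OFFER = build_frame(ROUTER_MAC, CLIENT_MAC, "192.168.3.1", "192.168.3.2", 67, 68, 2, XID, "192.168.3.2",
                    [(53, b"\x02"), (54, IPv4Address("192.168.3.1").packed), (51, struct.pack("!I", 86400)),
                     (1, IPv4Address("255.255.255.0").packed), (3, IPv4Address("192.168.3.1").packed)])
```

Comparing `parse_dhcp_frame(DISCOVER)["xid"]` with the Offer's value is the same check the article makes by eye in Wireshark: every message in one exchange carries the same transaction ID.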

This concludes this article and I hope that you found it informative. In future articles I will write about routing protocols as well as look into some open source firewalls and how you can go about setting one up. That is it for now, thank you for reading this post and I hope to see you here next time.
