Wireshark is a network analyzer which has a set of tools to test the network for vulnerabilities. Vulnerabilities found at initial stage saves websites, applications, and software from potential attacks. It is used in organizations ranging from small to large for testing out network stability, latency, bandwidth features etc. Due to its open source nature, documentation is easily available which makes it handy for beginners, moreover it is cross-platform so can be used on Windows, Mac, and Linux systems. Developers can modify the available source code as per their requirement.
DHCP (BOOTP) can be understood as configuration protocols used for downloading configuration information from a DHCP server or from a BOOTP server. DHCP stands for Dynamic host configuration protocol that provides IP addresses for communication, but only for a limited time period. It occurs automatically, for example a hub can automatically configure IP addresses as soon as it comes in contact with the internet. It works fine for mobile devices also. BOOTP stands for Bootstrap Protocol, which is used for assigning IP addresses and subnet masks manually and is not suitable for mobile devices.
DHCP Statistics in Wireshark:
It is a window in Wireshark which is used to analyze the data packets of DHCP and BOOTP protocols when they are trying to configure devices like hubs, switches, or routers. Each packet sent contains information like IP, address, subnet mask, duration in case of temporary Ip addresses. Data of DHCP and BOOTP is transferred over port 67 and port 68. It can be found under the Statistics tab in Wireshark, see the below image
After it clicks on DHCP (BOOTP) Statistics and a below window appears with captured data packets
Different information fields are given for the request and responses while configuring devices.
- ACK: This field show the acknowledged requests sent to server.
- Active Lease Query: These are the requests which are on lease for a limited time period and expires after timeout.
- Bulk Lease Query: It shows all the requests which are on lease, means IP address has been provided for certain time period in bulk.
- Decline : This field contains the number of declined requests.
- Discover : It is sent to discover the nearby configuration device, so to send request for IP address.
- Force Renew: It is used when a temporary IP address is about to express but the session is still active.
- Inform : It gives the information about success, failure, timeout time etc.
- Lease Active: It shows the active requests acknowledged by the server.
- Lease Query Done: It shows those queries which are completed.
- Lease Query Status: It shows the status of queries like done, unknown, unassigned etc.
- Lease Unassigned: All the unassigned queries are reflected in Lease Unassigned.
- Lease Unknown: All the queries which do not reach to the server are put in the unknown category.
- Lease Query: It lists all the queries for interacting with DHCP server.
- NAK: It means Negative Acknowledgement means queries which are not acknowledged.
- Offer: Offer is a response to the Discover query for providing IP addresses.
- Release: Once the session is no more needed, then temporary IP addresses are released.
- Request: It is used for making requests for temporary IP addresses.
- TLS: It is transport layer security which is used in encrypting data sent over internet.
All the information can be saved for later analysis.