ipconfig /all

When a DHCP client receives information from a DHCP server, only the basic information (IP address, subnet, gateway, DNS, etc.) is visible. In some situations clients also receive DHCP options that set specific settings or application configurations (for example with Microsoft Lync or RES Workspace Manager). Knowing which options the clients receive helps you troubleshoot.

There are multiple roads that lead to Rome; in this article I’ll show you three. For one of them I created a PowerShell script which you can run on any machine.

Three roads to Rome

Although there are probably more, here are three roads that lead to Rome (and with Rome I mean: reading the DHCP options received by the client).

  • Wireshark
  • DHCP test client
  • Windows registry

Wireshark

Wireshark gives you (by far) the most detailed information about the DHCP process and the information received. Not only does it show you what information is received, it also shows you which packets are sent / received over the network.

 

All you have to do is install Wireshark on your computer (or run the portable version), start a capture, set the filter to bootp and initiate a DHCP request.

 

DHCP test client

Another great tool to use is the DHCP test client. This sniffs the network until a DHCP Offer / DHCP Ack is detected on UDP port 68 and shows the received information.

The benefit of the DHCP test client is that you don’t have to install anything, just run the tool and initiate a DHCP request.

 

Windows registry

The downside of both Wireshark and the DHCP test tool is that you need to capture the packets from the network when they’re sent. Luckily the received packets are stored in the Windows registry key DhcpInterfaceOptions.

Unfortunately the content of this key is not easy to read and not documented (?). So without a tool / script the content of this key is useless.

PowerShell script

Since the DhcpInterfaceOptions key is always accessible (even when the client has already received the DHCP offer) I wanted to have the ability to read the content. So I wrote a PowerShell script that reads the registry key for each DHCP-enabled NIC and shows the received DHCP options.

The script shows all DHCP options and vendor-specific DHCP options (43).

ReadDhcpOptions

You can find the PowerShell script here: ReadDhcpOptions

The archive contains three files

  • DhcpOptions.csv – Semicolon separated file containing all Dhcp Options (IANA) and their data type;
  • DhcpOptionsVS.csv – Semicolon separated file containing some vendor specific Dhcp Options;
  • ReadDhcpOptions.ps1 – The actual PowerShell script

PS: My PowerShell-force is not strong, yet I managed to show the required data

 

Reverse engineering

Since the content of the DhcpInterfaceOptions key is not documented (or maybe I’ve searched in the wrong location) I had to reverse engineer the content. Once you know how the data is stored it’s really easy 🙂

For each DHCP option the following structure is used:

  • The first byte contains the option code, followed by 7 zeroed bytes;
  • Next is a byte containing the length of the value, followed by 3 zeroed bytes;
  • Then a byte specifying if this is a vendor specific option yes (1) or no (0), followed by 3 zeroed bytes;
  • Four bytes are filled with data I can’t explain, but it always ends with 0x51.
  • Finally the value is stored (in Hex values) in a block size divisible by 4 (!)

 

Here’s an example of how a vendor specific option (DHCP option 43) with code 12 containing the data www.ingmarverheij.com is stored:

 

Data types

To present the data, as done with the PowerShell script, you must know the data type. Unfortunately this is not stored in the DhcpInterfaceOptions key, so that’s the reason I added the CSV files. For now I included the following data types: ip / string / time / dhcpmsgtype.

If the data type is not specified in the CSV file the data is displayed in Hex values (just like Wireshark, DHCP test client and the Windows registry).

If you receive a Dhcp option that’s displayed in Hex values you can change the CSV files or e-mail me a Wireshark capture of your DHCPOFFER.
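
The layout from the Reverse engineering section and the type lookup from the Data types section, combined in one added PowerShell example; it is not the author's ReadDhcpOptions.ps1. The function names, the `$types` hashtable (a stand-in for the CSV files) and the sample bytes are assumptions constructed for illustration.

```powershell
# Added example (not from ReadDhcpOptions.ps1). On a live system the blob is the
# DhcpInterfaceOptions value of an interface key; here it is built inline.
function New-SampleEntry([int]$Code, [bool]$Vendor, [byte[]]$Value) {
    # One constructed entry: 8 + 4 + 4 + 4 header bytes, then the value padded to 4.
    $pad = (4 - $Value.Length % 4) % 4
    [byte[]](@($Code) + @(0) * 7 + @($Value.Length) + @(0) * 3 + @([int]$Vendor) + @(0) * 3 +
             @(0, 0, 0, 0x51) + $Value + @(0) * $pad)
}

function ConvertFrom-DhcpInterfaceOptions([byte[]]$Blob, [hashtable]$Types = @{}) {
    $pos = 0
    while ($pos + 20 -le $Blob.Length) {
        $code   = [int]$Blob[$pos]          # option code, then 7 zero bytes
        $length = [int]$Blob[$pos + 8]      # value length, then 3 zero bytes
        $vendor = $Blob[$pos + 12] -eq 1    # vendor-specific flag; offsets 16-19 unexplained
        $padded = $length + (4 - $length % 4) % 4
        if ($pos + 20 + $padded -gt $Blob.Length) { throw "Entry at offset $pos is truncated" }
        [byte[]]$value = @(if ($length) { $Blob[($pos + 20)..($pos + 19 + $length)] })
        $key  = if ($vendor) { "vs:$code" } else { "$code" }
        $type = $Types[$key]
        $text = if ($type -eq 'ip' -and $length -and $length % 4 -eq 0) {
            # An ip option may carry several addresses, four bytes each.
            (0..($length / 4 - 1) | ForEach-Object { $value[($_ * 4)..($_ * 4 + 3)] -join '.' }) -join ', '
        } elseif ($type -eq 'string') {
            [Text.Encoding]::ASCII.GetString($value)
        } else {
            ($value | ForEach-Object { $_.ToString('X2') }) -join ' '   # unknown type: hex
        }
        [pscustomobject]@{ Code = $code; VendorSpecific = $vendor; Length = $length; Value = $text }
        $pos += 20 + $padded
    }
}

# Constructed sample: DNS servers (6), message type (53), and the article's vendor-specific code 12.
$sample = (New-SampleEntry 6 $false ([byte[]](192, 0, 2, 53, 192, 0, 2, 54))) +
          (New-SampleEntry 53 $false ([byte[]]@(5))) +
          (New-SampleEntry 12 $true ([Text.Encoding]::ASCII.GetBytes('www.ingmarverheij.com')))
# Hypothetical stand-in for the CSV type files; option 53 is left out to show the hex fallback.
$types = @{ '6' = 'ip'; 'vs:12' = 'string' }
ConvertFrom-DhcpInterfaceOptions $sample $types | Format-Table -AutoSize
```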

 

 


16 Comments

  1. Good pro article! I’ve an issue with Nokia Lumia and Windows 8 option 55: both OS use the same!
    Do you know how to alter (registry key, for example) this option ?

    Many thanks
    Roberto

  2. This is an awesome powershell script!
    Ingmar – I’m having issues with this if I am connected to a VPN (Cisco to be specific) as it is only running on the “Gigabit Network Connection”. Any ideas?

    For those needing help running it for the first time and unfamiliar with powerscript. In command prompt launch “powershell.exe .\ReadDhcpOptions.ps1”
    Since this isn’t digitally signed you may have to change the powerscript setting to allow unsigned powerscripts.
    powershell.exe Set-ExecutionPolicy Unrestricted
    http://technet.microsoft.com/en-us/library/ee176961.aspx

    1. Hi Wyatt,

      Good tip on the ExecutionPolicy. It’s a parameter unknown by most people yet very powerful.

      What issue are you having with the VPN? Do you want to query the VPN connection as well? I’m limiting the output to Ethernet adapters but can expand it to more if you want?

      Cheers,
      Ingmar

  3. Ingmar,

    I would like to query the VPN Connection as well. I tried doing it by changing the powerscript shell but was unable to get it working. Perhaps if you can have the powerscript query the list of adapters and you could choose an interface adapter under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

  4. dhcptest is now on github.
    https://github.com/CyberShadow/dhcptest

    What’s neat about the tool is that you could use it to get unsupported scope options on Windows, i.e. option 12.

    Get your MAC address via gwmi into $mac
    then

    $hostname = dhcptest-0.3.exe --mac $macaddress --request 12 --query --print-only --quiet

  5. woops hit send too quick.

    s/$mac/$macaddress

    also need to put path .\dhcptest-0.3.exe

  6. Thanks for this script, it works great.

    Above you stated it would be possible to expand the script to include VPN connections. I have an issue that needs that functionality. I am trying to pass option 252 for proxy PAC assignments. I am using Cisco AnyConnect VPN and code I have on the ASA states this is possible, but I haven’t been able to get it to function. I am unsure if the option is getting to the client and something else isn’t working correctly.

    I am very new to PowerShell and wouldn’t know where to start to try to add it myself.

    Any help would be appreciated.

    Ryan

    1. Thank you very much for the script. It is very helpful. There seems to be a small bug in the script though. Line 102 should read:
      $DhcpIsVendorSpecific = $DhcpVendorSpecificOptions[$intPosition]

  7. Great script, but unfortunately it does not read all options offered by DHCP, e.g. option 66/67 (PXE boot server/file) are not listed. I don’t think it’s related to the script though (as it cycles through all 256 options)

  8. Hi Ingmar, helpful powershell script you’ve provided here. Is there any way to see other DHCP info? For example, I’ve specified Option 42 (NTP) and Option 66 in my DHCP scope, but they aren’t showing up in the Powershell script results nor in the DHCP test client results.

  9. Thanks to author!!!
    Really useful! The only article through the internet!

    Just about tail 0x51. It differs from system to system.

  10. Great script, thanks!

    Minor error, the location of the exit statement inside of foreach ($objNACItem in $objWin32NAC) block will terminate after the first adapter. Moving the exit statement outside of that block allows the script to iterate over all of the qualifying adapters.

    1. And Option 3, Router, should be an ip type in the csv.
      This will only partially answer the issue, however, since RFC 4702 says it can have a series of IPs. The length should be a multiple of four. You would get the first router in the list, though.

      As the csv stands now, it outputs ASCII representations of the IP octets.
