{"id":5284,"date":"2013-07-12T12:34:47","date_gmt":"2013-07-12T10:34:47","guid":{"rendered":"https:\/\/ingmarverheij.com\/?p=5284"},"modified":"2013-11-30T12:42:14","modified_gmt":"2013-11-30T11:42:14","slug":"read-dhcp-options-received-by-the-client","status":"publish","type":"post","link":"https:\/\/ingmarverheij.com\/en\/read-dhcp-options-received-by-the-client\/","title":{"rendered":"Read DHCP options received by the client"},"content":{"rendered":"<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/ipconfig-all.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 0px 0px 5px; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"ipconfig \/all\" alt=\"ipconfig \/all\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/ipconfig-all_thumb.png\" width=\"154\" height=\"89\" align=\"right\" border=\"0\" \/><\/a><\/p>\n<p>When a DHCP client receives information from a DHCP server only basic information, like IP \/ subnet \/ gateway \/ dns \/etc, is visible. In some situations clients also receive DHCP options to set specific settings or application configurations (for example with Microsoft Lync or RES Workspace Manager). Knowing what options are received by the clients helps you troubleshoot.<\/p>\n<p>There are multiple road that lead to Rome, in this article I\u2019ll show you three. For one of them I created a PowerShell script which you can run on any machine.<\/p>\n<p><!--more--><\/p>\n<h1>Three roads to Rome<\/h1>\n<p>Although there are probably more, here are three roads that lead to Rome (and with Rome I mean: reading the DHCP options received by the client).<\/p>\n<ul>\n<li>Wireshark<\/li>\n<li>DHCP test client<\/li>\n<li>Windows registry<\/li>\n<\/ul>\n<h6><span style=\"font-weight: bold;\"> <br clear=\"all\" \/>Wireshark<\/span><\/h6>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/wireshark.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 0px 0px 5px; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"wireshark\" alt=\"wireshark\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/wireshark_thumb.png\" width=\"154\" height=\"97\" align=\"right\" border=\"0\" \/><\/a><a href=\"https:\/\/www.wireshark.org\/\">Wireshark<\/a> gives you (by far) the most detailed information about the DHCP process and information received. Not only does it show you what information is received, it also shows you what packets are send \/ received over the network.<\/p>\n<p>&nbsp;<\/p>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/wireshark-filter-bootp.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 0px 0px 5px; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"wireshark filter bootp\" alt=\"wireshark filter bootp\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/wireshark-filter-bootp_thumb.png\" width=\"154\" height=\"39\" align=\"right\" border=\"0\" \/><\/a>All you have to do is install Wireshark on your computer (or run the portable version), start a capture, set the filter to <span style=\"font-family: Courier New;\"><a href=\"https:\/\/www.wireshark.org\/docs\/dfref\/b\/bootp.html\">bootp<\/a>\u00a0<\/span>and initiate a DHCP request.<\/p>\n<p>&nbsp;<\/p>\n<h6><span style=\"font-weight: bold;\">DHCP test client<\/span><\/h6>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/DHCP-test-client.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 0px 0px 5px; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"DHCP test client\" alt=\"DHCP test client\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/DHCP-test-client_thumb.png\" width=\"154\" height=\"95\" align=\"right\" border=\"0\" \/><\/a>Another great tool to use is the <a href=\"https:\/\/blog.thecybershadow.net\/2013\/01\/10\/dhcp-test-client\/\">DHCP test client<\/a>. This sniffs the network until a DHCP Offer \/ DHCP Ack is detected on UDP port 68 and shows the received information.<\/p>\n<p>The benefit of the DHCP test client is that you don\u2019t have to install anything, just run the tool and initiate a DHCP request.<\/p>\n<p>&nbsp;<\/p>\n<h6><span style=\"font-weight: bold;\">Windows registry<\/span><\/h6>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/DhcpInterfaceOptions.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px 0px 0px 5px; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: right; display: inline; background-image: none;\" title=\"DhcpInterfaceOptions\" alt=\"DhcpInterfaceOptions\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/DhcpInterfaceOptions_thumb.png\" width=\"154\" height=\"135\" align=\"right\" border=\"0\" \/><\/a>The downside of both Wireshark and the DHCP test tool is that you need to capture the packets from the network when they\u2019re send. Luckily the received packets are stored in the Windows registry key <em>DhcpInterfaceOptions<\/em>.<\/p>\n<p>Unfortunately the content of this key is not easy to read and not documented (?). So without a tool \/ script the content of this key is useless.<\/p>\n<h1><\/h1>\n<h1 id=\"download\">PowerShell script<\/h1>\n<p>Since the <em>DhcpInterfaceOptions<\/em> is always accessible (even when the client already received\u00a0 the DHCP offer) I wanted to have the ability to read the content. So I wrote a PowerShell script that reads the registry key for each DHCP enabled NIC and shows the received DHCP options.<\/p>\n<p>The script shows all Dhcp options and vendor specific Dhcp options (43).<\/p>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/ReadDhcpOptions.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px auto; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: none; display: block; background-image: none;\" title=\"ReadDhcpOptions\" alt=\"ReadDhcpOptions\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/ReadDhcpOptions_thumb.png\" width=\"354\" height=\"126\" border=\"0\" \/><\/a><\/p>\n<p>You can find the PowerShell script here: \u00a0<a  data-e-disable-page-transition=\"true\" class=\"download-link\" title=\"Version 1.1\" href=\"https:\/\/ingmarverheij.com\/en\/download\/5839\/?tmstv=1776445738\" rel=\"nofollow\" id=\"download-link-5839\" data-redirect=\"false\" >\n\tReadDhcpOptions<\/a>\n<\/p>\n<p>The archive contains three files<\/p>\n<ul>\n<li><strong>DhcpOptions.csv<\/strong> \u2013 Semicolon separated file containing all <a href=\"https:\/\/www.iana.org\/assignments\/bootp-dhcp-parameters\/bootp-dhcp-parameters.xhtml\">Dhcp Options (IANA)<\/a> and their data type;<\/li>\n<li><strong>DhcpOptionsVS.csv<\/strong> \u2013 Semicolon separated file containing <em>some <\/em>vendor specific Dhcp Options;<\/li>\n<li><strong>ReadDhcpOptions.ps1<\/strong> \u2013 The actual PowerShell script<\/li>\n<\/ul>\n<p><em>PS: My PowerShell-force is not strong, yet I managed to show the required data<\/em><\/p>\n<p>&nbsp;<\/p>\n<h6><span style=\"font-weight: bold;\">Reverse engineering<\/span><\/h6>\n<p>Since the content of the <em>DhcpInterfaceOptions <\/em>key is not documented (or maybe I\u2019ve searched on the wrong location) I had to reverse engineer the content. Once you know how the data is stored it\u2019s really easy \ud83d\ude42<\/p>\n<p>Each DHCP option the following structure is used:<\/p>\n<ul>\n<li>The <strong>first <\/strong>byte contains the option code, followed by 7 <strong>zeroed <\/strong>bytes;<\/li>\n<li>Next is a byte containing the <strong>length <\/strong>of the value, followed by 3 zeroed bytes;<\/li>\n<li>Then a byte specifying if this is a vendor specific option yes (1) or no (0), followed by 3 zeroed bytes;<\/li>\n<li>Four bytes are filled with data I can\u2019t explain, but it always ends with 0x51.<\/li>\n<li>Finally the value is stored (in Hex values) in a block size dividable by 4 (!)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/DhcpInterfaceOptions-diagram.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px auto; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: none; display: block; background-image: none;\" title=\"\" alt=\"\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/DhcpInterfaceOptions-diagram_thumb.png\" width=\"600\" height=\"52\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>Here\u2019s an example of how a vendor specific option (DHCP option 43) with code 12 containing the data <em>www.ingmarverheij.com<\/em><em> <\/em>is stored:<\/p>\n<p><a href=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/DhcpInterfaceOptions-diagram-example.png\"><img loading=\"lazy\" decoding=\"async\" style=\"margin: 0px auto; border: 0px currentColor; padding-top: 0px; padding-right: 0px; padding-left: 0px; float: none; display: block; background-image: none;\" title=\"\" alt=\"\" src=\"https:\/\/ingmarverheij.com\/wp-content\/uploads\/2013\/07\/DhcpInterfaceOptions-diagram-example_thumb.png\" width=\"600\" height=\"162\" border=\"0\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<h6><span style=\"font-weight: bold;\">Data types<\/span><\/h6>\n<p>To present the data, as done with the PowerShell script, you must know the data type. Unfortunately this is not stored in the <em>DhcpInterfaceOptions\u00a0 <\/em>key, so that\u2019s the reason I added the CSV files. For now I included the following data type: ip \/ string \/ time \/ dhcpmsgtype.<\/p>\n<p>If the data type is not specified in the CSV file\u00a0 the data is displayed in Hex values (just like Wireshark, DHCP test client and the Windows registry).<\/p>\n<p>If you receive a Dhcp option that\u2019s displayed in Hex values you can change the CSV files or e-mail me a Wireshark capture of your DHCPOFFER.<\/p>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n<p>.<\/p>","protected":false},"excerpt":{"rendered":"<p>When a DHCP client receives information from a DHCP server only basic information, like IP \/ subnet \/ gateway \/ dns \/etc, is visible. In some situations clients also receive DHCP options to set specific settings or application configurations (for example with Microsoft Lync or RES Workspace Manager). Knowing what options are received by the [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[152],"tags":[355,576,672],"class_list":["post-5284","post","type-post","status-publish","format-standard","hentry","category-powershell","tag-dhcp","tag-options","tag-powershell"],"_links":{"self":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/comments?post=5284"}],"version-history":[{"count":10,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5284\/revisions"}],"predecessor-version":[{"id":5870,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/posts\/5284\/revisions\/5870"}],"wp:attachment":[{"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/media?parent=5284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/categories?post=5284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ingmarverheij.com\/en\/wp-json\/wp\/v2\/tags?post=5284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}