IP Addresses: Lost and Found (Part 2 of 2)

18.10.2013 Gilbert Liu

In the first part of the series, we addressed the problem of not being able to find static IP addresses using an IP scanner.

What if a device is using an automatic IP assignment protocol, like DHCP or BOOTP?

The reality is that IP addresses for a large portion of devices aren’t statically assigned. They are assigned by protocols such as BOOTP (Bootstrap Protocol) or its successor – commonly known as DHCP (Dynamic Host Configuration Protocol).

The reason behind the use of these protocols lies in their ability to dynamically configure device IP addresses. BOOTP was initially intended to configure diskless workstations with limited boot capabilities. The increase in frequently relocated networked computers having full boot capabilities brought about the extension of BOOTP to DHCP.

Because the two protocols are so similar, a basic understanding of both DHCP and BOOTP is recommended. This will help you understand how an IP address is found when these protocols are used. Here are some excellent articles describing the similarities and operations of each:

However, IP scanners are still faced with the same problem when these protocols are used. They fail to work if the devices don’t respond to ICMP echoes (ping requests) or if the device is on a different subnet.

It is common for engineers to be faced with situations where only minimal information about the network and the devices is available. It’s then a waste of time to try an IP scanner just to find that it doesn’t work for the reasons listed above.

Luckily, we still have our excellent tool – Wireshark.

Unlike most IP scanners, Wireshark is a much more advanced tool that is tailored towards low-level packet inspection. This makes it a fit candidate for finding IP addresses, regardless of whether they have been assigned by DHCP, by BOOTP or statically.

Finding an IP address from a DHCP assignment

An IP address assignment by DHCP consists of the following process: DHCP Discover, DHCP Offer, DHCP Request and DHCP Acknowledge. During this process, the DHCP Offer message contains the IP address that the DHCP server assigns to the DHCP client device.

Take note, however, that this DHCP Offer message isn’t always broadcast to the entire network. A broadcast only takes place when the client device has no IP address (i.e. upon IP acquisition at start-up, but not upon DHCP lease renewal).

From inspection of the DHCP Offer packet in Wireshark, the IP address of the requesting device can be identified. This inspection process involves the following steps:

  1. Connect a computer with Wireshark installed onto the network

  2. Start a Wireshark capture

  3. Set the filter option to bootp.option.type==53

  4. This filters the incoming capture packets to only show DHCP messages

  5. Connect the target device with an unknown IP address to the network

  6. Observe and find the corresponding DHCP Offer message (outlined in red)

  7. Expand the Bootstrap protocol section of the packet and observe the parameter Your (client) IP address: xxx.xxx.xxx.xxx.

    This is your device IP address as assigned by the DHCP server.

Finding an IP address from a BOOTP assignment

An IP address assignment consists of a BOOTP request from the device, and a corresponding BOOTP reply. The BOOTP reply contains the IP address that the BOOTP server assigns to the client device.

Again, by inspecting the Boot Reply packet in Wireshark, the assigned IP address of the device can be determined. Similar to the DHCP messages, we can capture this packet because it is a broadcast packet. Finding the IP address involves the following steps:

  1. Connect a computer with Wireshark installed onto the network

  2. Start a Wireshark capture

  3. Set the filter option to bootp

  4. This filters out all other protocols and only shows packets of the BOOTP protocol

  5. Connect the target device with an unknown IP address to the network

  6. Observe and find the corresponding BOOTP Reply message (outlined in red)

  7. Expand the Bootstrap protocol section of the packet and observe the parameter Your (client) IP address: xxx.xxx.xxx.xxx.

    This is your device IP address as assigned by the BOOTP server.
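The field read in both procedures above (DHCP Offer and BOOTP Reply) sits at the same fixed offset in the packet, so one decoder covers both. The following is an added example, not code from the original post: it parses a BOOTP/DHCP UDP payload, uses option 53 to tell DHCP from plain BOOTP, and returns the "Your (client) IP address" value. The function names, the MAC and the IP addresses are assumptions, and the sample payloads are constructed rather than captured.

```python
import socket
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])   # marks the start of the options field
DHCP_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 5: "ACK", 6: "NAK"}

def parse_bootp(payload: bytes) -> dict:
    """Decode a BOOTP/DHCP UDP payload (ports 67/68)."""
    if len(payload) < 236:
        raise ValueError("shorter than the fixed 236-byte BOOTP header")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    your_ip = socket.inet_ntoa(payload[16:20])      # "Your (client) IP address"
    mac = payload[28:28 + min(hlen, 16)]            # client hardware address
    msg_type = None
    if payload[236:240] == MAGIC_COOKIE:
        i = 240
        while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
            if payload[i] == 0:                             # 0 = Pad, no length byte
                i += 1
                continue
            code, length = payload[i], payload[i + 1]
            if code == 53 and length == 1 and i + 2 < len(payload):
                msg_type = payload[i + 2]                   # DHCP Message Type
            i += 2 + length
    if msg_type is None:        # no option 53: plain BOOTP
        kind = "Boot Reply" if op == 2 else "Boot Request"
    else:
        kind = "DHCP " + DHCP_TYPES.get(msg_type, f"type {msg_type}")
    return {"kind": kind, "xid": xid, "your_ip": your_ip,
            "client_mac": ":".join(f"{b:02x}" for b in mac)}

def build_sample(op: int, your_ip: str, mac: bytes, options: bytes = b"") -> bytes:
    """Build a constructed payload for the demo (not a real capture)."""
    head = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234ABCD, 0, 0)
    head += bytes(4) + socket.inet_aton(your_ip) + bytes(8)  # ciaddr, yiaddr, siaddr+giaddr
    head += mac.ljust(16, b"\0") + bytes(64 + 128)           # chaddr, sname, file
    return head + options

# Constructed samples: a DHCP Offer and a plain BOOTP reply.
MAC = bytes.fromhex("001122334455")
OFFER = build_sample(2, "192.168.1.57", MAC,
                     MAGIC_COOKIE + bytes([53, 1, 2, 54, 4, 192, 168, 1, 1, 255]))
BOOT_REPLY = build_sample(2, "10.0.0.23", MAC)

if __name__ == "__main__":
    for name, pkt in (("offer", OFFER), ("bootp", BOOT_REPLY)):
        print(name, parse_bootp(pkt))
```

The returned `client_mac` is what ties a reply to the target device when several clients are acquiring addresses during the same capture.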

There are many uses for Wireshark, and finding IP addresses is just one of them. Such a powerful tool obviously deserves to be part of every engineer’s toolkit.

Just like a plumber or an electrician, every engineer should have a complete toolkit available to quickly solve commonly encountered problems. Waste less time solving problems that already have available solutions, and spend more time creating real solutions.
