RFC1531 "Dynamic Host Configuration Protocol" October 1993, obsoleted by RFC1541
RFC1541 "Dynamic Host Configuration Protocol" October 1993, obsoleted by RFC2131
RFC2131 "Dynamic Host Configuration Protocol" March 1997, updated by RFC3396
RFC3396 "Encoding Long Options in the Dynamic Host Configuration Protocol (DHCPv4)" November 2002
The DHCP dissector is fully functional.
Most versions of Microsoft Windows improperly encode the secs field on the wire as little-endian. Wireshark will attempt to detect this and display the message "little endian bug?" in the packet detail. In the example below, the secs value 0x0e00 (3584, or nearly an hour) was sent by a Windows XP client, even though the client hadn't been retrying that long. Interpreting the value as 0x000e (14) matches the time elapsed since the first request (packet #3).
Decode Option 85 as String: Novell Servers option 85 can be configured as a string instead of address.
Custom BootP/DHCP Options (Excl. suboptions): Define custom interpretation of options
As DHCP is implemented as an option of BOOTP, you can only filter on BOOTP messages. A complete list of BOOTP display filter fields can be found in the display filter reference
Show only the BOOTP based traffic:
As DHCP is implemented as an option of BOOTP, you can only filter on BOOTP messages. You cannot directly filter BOOTP protocols while capturing if they are going to or from arbitrary ports. However, BOOTP traffic normally goes to or from ports 67 and 68, and traffic to and from those ports is normally BOOTP traffic, so you can filter on those port numbers.
Capture only traffic to and from ports 67 and 68:
port 67 or port 68
On many systems, you can say "port bootps" rather than "port 67" and "port bootpc" rather than "port 68".
- in the RFC search you could search for DHCP, as there are a lot of DHCP options spread over several RFC's
What about little endian bug ? There is some errors in "seconds elasped" field, but nothing about an issue about this. (I've got this error on DHCPInform request, the request is loaded twice, with 3 seconds intervals and one of the two request contains this error) - CortoGueguen
If you think there's a bug in Wireshark's DHCP dissector, either file the bug on the Wireshark Bugzilla or send mail to the wireshark-users mailing list; this is not the place for reporting Wireshark bugs. -Guy Harris
Imported from https://wiki.wireshark.org/DHCP on 2020-08-11 23:13:29 UTC