Hello Gerald,
>>> Gerald Combs <gerald@xxxxxxxxxxxxx> 11/29/07 10:43 AM >>>
> Should we change the instances of "bootp" in the BOOTP/DHCP dissector to
> "dhcp"? This isn't the first time this has confused someone.
When assisting co-workers with network problems the issue
of having to use "bootp" to find the "dhcp" packets is often the
first display filter problem they encounter! (The second one is
that they have to enter "bootp" in lower case.) ;-)
Should we change instances of "bootp" to "dhcp"? I personally
don't think so but I _DO_ understand the desire for the change.
As Japp pointed out "It's an extension to BOOTP".
I believe (but haven't confirmed) that it's simply the presence
of bootp option #53 that elevates the frame from a lowly old
bootp payload to a dhcp payload.
To filter specifically for "dhcp" packets from other types of
"bootp" packets I sometimes use a display filter of
"bootp.option.type==53".
But BOOTP in its original form is not dead. I'm sure others (like
me) have older (perhaps misconfigured) devices that still spew
simple bootp requests onto their networks. To filter for these
from the legitimate dhcp traffic I use the display filter of
"(bootp && !(bootp.option.type==53))".
Perhaps this is one of those cases where a "hidden" display
filter "dhcp" ==> "bootp.option.type==53" is warranted.
But I'm skeptical of the "hidden" filter names for the many
reasons discussed in the past.
Something I've seen discussed somewhere (perhaps on the
wireshark-dev list) was the notion of display filter "macros".
The "macro" could be used by the user to augment the filter
rules with new (preferred) names for complex filter pieces.
That way instead of cutting and pasting snippets of complex
filters, one could reference them via their simple "macro"
name.
I'm sure others have better arguments and ideas (both for
and against changing "bootp" to "dhcp").
I hope you find this useful.
Jim Young
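
Added example, not part of the original message or of Wireshark's code: the same split the two display filters above make ("bootp.option.type==53" versus "(bootp && !(bootp.option.type==53))"), done by walking the options field of a raw BOOTP/DHCP UDP payload. The function names and sample payloads are constructed for illustration, and the sketch assumes option 53 sits in the main options field (it does not follow option overload into the sname/file fields).

```python
MAGIC_COOKIE = bytes([99, 130, 83, 99])  # RFC 2131: marks the start of the options field
OPTIONS_OFFSET = 236                      # length of the fixed BOOTP header before the cookie
OPT_PAD, OPT_END, OPT_DHCP_MSG_TYPE = 0, 255, 53


def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP UDP payload."""
    if len(payload) < OPTIONS_OFFSET + 4:
        return {}
    if payload[OPTIONS_OFFSET:OPTIONS_OFFSET + 4] != MAGIC_COOKIE:
        return {}  # vendor area in some other format, nothing to walk
    options, i = {}, OPTIONS_OFFSET + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:        # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            break                  # truncated: length byte missing
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            break                  # truncated: value runs past the payload
        options.setdefault(code, value)
        i += 2 + length
    return options


def classify(payload: bytes) -> str:
    """'dhcp' if option 53 (DHCP message type) is present, else 'bootp'."""
    return "dhcp" if OPT_DHCP_MSG_TYPE in parse_options(payload) else "bootp"


def build_sample(options: bytes) -> bytes:
    # Constructed sample: op=1 (BOOTREQUEST), htype=1, hlen=6, rest of header zeroed
    header = bytes([1, 1, 6, 0]) + bytes(OPTIONS_OFFSET - 4)
    return header + MAGIC_COOKIE + options


DHCP_DISCOVER = build_sample(bytes([53, 1, 1, 255]))        # option 53, value 1
PLAIN_BOOTP = build_sample(bytes([0, 0, 255]) + bytes(61))  # no option 53
```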