On Tue, May 15, 2007 at 09:51:20AM -0700, Guy Harris wrote:
> Stefan Puiu wrote:
>
> > Is it possible (with this wireshark version) to specify a filter along the
> > lines of "all packets that carry option x with value y"?
> > As far as I can tell, all I can currently specify is "one packet that
> > has one option type x and one option with value y", but not the same.
>
> Unfortunately, not in general - the BOOTP/DHCP dissector doesn't have
> separate named fields for the values of all options it knows about.
Sounds like something to add as feature-request on bugzilla?
> > Example filters I would need:
> >
> > - all DHCPDISCOVER packets that carry option 55 (parameter request list)
> > with a certain value in the respective option (e.g. 1,3,58,59 being the
> > sequence of values)
>
> Unfortunately, there isn't a named field for the value of option 55, so
> you can't filter on that.
If you can live with the fact that the following filter does not only
show you the wanted fields, but also a little noise, the following
filter might reduce the amount of frames you need to look at:
bootp.option.type == 53 && bootp.option.value == 01 && bootp.option.type == 55 && bootp.option.value == 01:03:3a:3b
> > - all DHCPOFFER/DHCPACK packets without option 3
>
> Similarly, there isn't a named field for the value of option 53, so you
> can't filter on the DHCP message type.
Same type of filter here:
bootp.option.type == 53 && (bootp.option.value == 02 || bootp.option.value == 05) && !bootp.option.type == 3
> This should probably be fixed.
I agree :)
Cheers,
Sake