Re: Sniffing a DHCP Boot

Greg E Hersh <geh@world.std.com> Wed, 10 April 1996 15:03 UTC


On Wed, 10 Apr 1996, Evan Wetstone wrote:

> Bill Fox writes:
> > 
> > We are testing DHCP as served by Windows NT, and just to NT clients
> > right now.  My Network General Sniffer did not see DHCP, so I asked 
> > their support group if DHCP is decoded.  The answer was, "We don't
> > think so."
> > 
> > In the trace file, which is taken from the client end, 
> > I see BOOTP packets, then an ARP for the IP address of the client
> > workstation, from the client workstation.
> > 
> > Do you folks have any experience with this?
> 
> DHCP is supported by the Sniffer, it just gets called BootP due to the 
> same port numbers (67 and 68) being used.  If you look at the detail of
> the captured packets, you'll see that while it calls it a BootP packet,
> the decode also correctly identifies DHCPDiscover, DHCPOffer, etc.
> 
> -- 
> Evan Wetstone                                                evanw@dell.com
> 
> 	 	    The Network Works.  No Excuses.
> 

Last time I talked to Network General (January) they told me they
did NOT have DHCP decoding and it was planned for this spring.

It is true, Sniffer decodes DHCP as BOOTP. Unfortunately - at least with
the sniffer software I was working with - once the sniffer reaches the
'user defined fields', it no longer decodes correctly, so you have to do
some manual work. (I guess it just doesn't understand a 'length' field,
so everything gets slowly shifted.)

If anyone was able to use Sniffer to COMPLETELY and CORRECTLY decode
a DHCP packet, would you please let us know which particular sniffer
software release you've been using?

Thanks,

- Greg -
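
The 'length' field discussed in the message above, as an added example that is not part of the original post and is not the Sniffer's code: a decoder that walks the options after the fixed BOOTP header by code/length/value, so each option code stays aligned and option 53 gives the DHCP message type. The function names and the sample packet (xid, MAC address, option values) are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131: marks the start of the options field
BOOTP_FIXED_LEN = 236                # op..file, the fixed BOOTP header
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
             5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}

def parse_options(payload: bytes) -> dict:
    """Walk the code/length/value options of a BOOTP/DHCP UDP payload."""
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("payload shorter than BOOTP header plus cookie")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("no magic cookie: not RFC 1497/2132 style options")
    opts, i = {}, BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:        # pad: single byte, no length field
            i += 1
            continue
        if code == 255:      # end: single byte, stop walking
            break
        if i + 1 >= len(payload):
            raise ValueError(f"option {code} truncated before its length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} claims {length} bytes, {len(value)} left")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: repeated options concatenate
        i += 2 + length      # skipping by 'length' keeps the next code aligned
    return opts

def message_type(payload: bytes) -> str:
    """Return the DHCP message type name, or 'BOOTP' when option 53 is absent."""
    raw = parse_options(payload).get(53)
    if raw is None:
        return "BOOTP"
    if len(raw) != 1:
        raise ValueError("option 53 must be exactly one byte")
    return MSG_TYPES.get(raw[0], f"unknown({raw[0]})")

def build_sample(options: bytes) -> bytes:
    """Constructed sample: BOOTREQUEST header, made-up xid and MAC, then options."""
    mac = bytes.fromhex("020000000001")
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678, 0, 0,
                      b"", b"", b"", b"", mac, b"", b"")
    return hdr + MAGIC_COOKIE + options

DISCOVER = build_sample(bytes([53, 1, 1, 0, 61, 7, 1]) + bytes.fromhex("020000000001")
                        + bytes([55, 3, 1, 3, 6, 255]))
```

A payload with no option 53 is reported as plain BOOTP, and an option whose length byte runs past the end of the packet raises an error instead of being decoded from shifted bytes.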