This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to display delta times for one DHCP transaction ID and graph many?

0

Or how to sort DHCP transaction IDs in a manner that you can see the delta between the first 'discover' and the last 'ack'?

So far I've tried to make an extra column for bootp.id and sort | filter out transaction IDs that match. Now as much as this is possible for a few packets as seen in the example above, I'd like to be able to graph all valid question | response pairs so I can see some DHCP server response time trends? I'd appreciate any ideas! Thanks!

asked 10 Sep '15, 01:22

Marc

Don't tell me it's too difficult to be done ;-)

(10 Sep '15, 06:41) Marc

One Answer:

0

You can try the following:

View > Time Display Format > Time since previously displayed packet

and as a display filter

(bootp.id == 0x55d87b83) && ((bootp.option.dhcp == 1) || (bootp.option.dhcp == 5))

In regards to your second question, I don't have a packet capture to test it, but I would export the relevant columns as csv and use Excel to graph the trend.

answered 10 Sep '15, 07:25

Roland

Cheers Roland, but that does the trick for only one DHCP Discover | ACK pair. If instead I would filter the trace for just ((bootp.option.dhcp == 1) || (bootp.option.dhcp == 5)) I would get all DHCP Discovers and DHCP ACKs, and with it I have created a column "Transaction ID" ... Now consider the following: 'when is my cycle complete if I get ACKs from more than one server, i.e. more answers on the same transaction ID?' This happens when tracing packets on the exit of a DHCP relay switch; we see more than 1 outgoing request and more than 1 answer.

(10 Sep '15, 23:48) Marc

So basically I have two things to solve: one being time measurement, when is that DHCP cycle finished? And two, how to match up the first packet and the last from one transaction ID, without me (without a human looking at the data)?

(10 Sep '15, 23:51) Marc

Maybe you could provide us a trace in a publicly accessible place.

(11 Sep '15, 00:04) Christian_R
1

I tailored the answer to your screenshot, but the main point was, if you only filter for discover and ack you will reduce the amount of displayed packets. With DHCP relay everything changes. We have to look for another identifier, since the transaction id is the same. To match the packets without human interaction you will have to write a script.

(11 Sep '15, 02:37) Roland

Basically saying that the 'unique identifier' is a set of values combined, like (client MAC address + Transaction ID + Discover + Offer + etc.) to get answer response pairs to match ..

(11 Sep '15, 05:09) Marc
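
Added example, not part of the original thread: one way to script the matching discussed above, keying each transaction on client MAC address plus transaction ID and measuring from the first Discover to the last ACK, so duplicated requests and answers from several servers behind a relay collapse into one cycle. The file name capture.pcap, the function names and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from decimal import Decimal

# Constructed sample in the column order produced by, for example:
#   tshark -r capture.pcap -Y "bootp.option.dhcp == 1 || bootp.option.dhcp == 5" \
#     -T fields -E separator=, -e frame.time_epoch -e bootp.hw.mac_addr \
#     -e bootp.id -e bootp.option.dhcp
# (capture.pcap is a placeholder name; every row below is made up.)
SAMPLE = """\
1441871000.000,00:11:22:33:44:55,0x55d87b83,1
1441871000.002,00:11:22:33:44:55,0x55d87b83,1
1441871000.045,00:11:22:33:44:55,0x55d87b83,5
1441871000.061,00:11:22:33:44:55,0x55d87b83,5
1441871003.000,66:77:88:99:aa:bb,0x0000beef,1
1441871010.000,00:11:22:33:44:55,0x0000beef,1
1441871010.020,00:11:22:33:44:55,0x0000beef,5
1441871020.500,de:ad:be:ef:00:01,0x12345678,5
"""
DISCOVER, ACK = 1, 5

def parse(text):
    """Read the exported rows, skipping blank or malformed lines."""
    return [row for row in csv.reader(io.StringIO(text)) if len(row) == 4]

def dhcp_cycle_times(rows):
    """Return {(mac, xid): seconds from first Discover to last ACK}.

    A key with no Discover, or with no ACK at or after the Discover,
    maps to None so unanswered clients stay visible in the result.
    """
    first_discover, last_ack = {}, {}
    for ts, mac, xid, msg_type in rows:
        key = (mac.lower(), int(xid, 16))
        ts, msg_type = Decimal(ts), int(msg_type)  # Decimal keeps sub-ms digits
        if msg_type == DISCOVER:
            first_discover[key] = min(ts, first_discover.get(key, ts))
        elif msg_type == ACK:
            last_ack[key] = max(ts, last_ack.get(key, ts))
    result = {}
    for key in first_discover.keys() | last_ack.keys():
        start, end = first_discover.get(key), last_ack.get(key)
        complete = start is not None and end is not None and end >= start
        result[key] = end - start if complete else None
    return result

if __name__ == "__main__":
    for (mac, xid), delta in sorted(dhcp_cycle_times(parse(SAMPLE)).items()):
        print(f"{mac},0x{xid:08x},{delta}")  # CSV lines ready for graphing
```

The two sample clients that share transaction ID 0x0000beef show why the MAC address has to be part of the key.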