Wireshark-users: [Wireshark-users] Complex Capture Filter Problem
From: "Travis Love" <[email protected]>
Date: Thu, 13 Sep 2007 16:45:55 -0400
I'm trying to create a capture filter to help detect rogue DHCP servers with Wireshark.  So far, what I've come up with is a capture and a viewing filter, each of which does half the work I need it to.  The capture filter looks like:

(port 67 or port 68) and !(ether host  00:04:23:XX:XX:XX) and !(ether host  00:04:23:XX:XX:YY)

So it captures only DHCP packets that aren't to/from either of our DHCP servers.  I then have to apply:

frame[282:3] == 35:01:02 or frame[282:3] == 35:01:05 or frame[282:3] == 35:01:06

as a viewing filter in order to see only NAK, ACK, and DHCP OFFER packets.  Is there a way to put the viewing filter into the capture filter so my box's RAM doesn't fill up with packets I'm not interested in?

Any ideas would be appreciated.  Thanks in advance,

Travis Love
Hope College CIT
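As an added example (not part of the original post), the following Python reproduces the poster's two-stage logic over raw Ethernet frames: the capture-filter test (DHCP ports, not to/from a known server MAC) followed by the frame[282:3] message-type test, and it goes one step beyond the post by walking the DHCP option list so that option 53 is found even when it is not the first option. The server MACs, frame contents and offset arithmetic (14 Ethernet + 20 IPv4 + 8 UDP + 236 BOOTP + 4 magic cookie = 282) are constructed for the example.

```python
import struct

# Constructed placeholders standing in for the poster's two legitimate servers.
KNOWN_DHCP_SERVERS = {"00:04:23:aa:aa:aa", "00:04:23:bb:bb:bb"}
OFFER, ACK, NAK = 2, 5, 6            # DHCP option 53 message-type values
INTERESTING = {OFFER, ACK, NAK}      # what the poster's display filter keeps

def build_dhcp_frame(src_mac, msg_type, lead_options=b""):
    """Construct a minimal Ethernet/IPv4/UDP/BOOTP frame for testing."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    eth = b"\xff" * 6 + src + b"\x08\x00"                     # 14 bytes
    options = lead_options + bytes([53, 1, msg_type, 255])     # opt 53 + END
    bootp = bytes([2, 1, 6, 0]) + b"\x00" * 232 + b"\x63\x82\x53\x63" + options
    udp_len = 8 + len(bootp)
    udp = struct.pack("!HHHH", 67, 68, udp_len, 0)             # 8 bytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     b"\xc0\xa8\x01\x01", b"\xff\xff\xff\xff")  # 20 bytes, proto 17
    return eth + ip + udp + bootp

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def capture_filter(frame):
    """Equivalent of: (port 67 or port 68) and !(ether host <known servers>)."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:        # IPv4 carrying UDP
        return False
    ihl = (frame[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    if not {67, 68} & {sport, dport}:
        return False
    return (mac_str(frame[6:12]) not in KNOWN_DHCP_SERVERS
            and mac_str(frame[0:6]) not in KNOWN_DHCP_SERVERS)

def fixed_offset_filter(frame):
    """The poster's display filter: frame[282:3] == 35:01:02 / 35:01:05 / 35:01:06."""
    return frame[282:284] == b"\x35\x01" and frame[284] in INTERESTING

def option53_filter(frame):
    """Walk the option list so option 53 is found wherever it sits."""
    i = 282                                     # first option byte after the cookie
    while i < len(frame):
        code = frame[i]
        if code == 255:                         # END: no message type present
            return False
        if code == 0:                           # PAD has no length byte
            i += 1
            continue
        if code == 53:
            return frame[i + 2] in INTERESTING
        i += 2 + frame[i + 1]                   # skip code, length, value

def is_rogue_reply(frame, strict=False):
    """True for OFFER/ACK/NAK frames not involving a known server."""
    check = fixed_offset_filter if strict else option53_filter
    return bool(capture_filter(frame) and check(frame))
```

With `strict=True` the fixed-offset test misses a reply whose option list does not begin with option 53, which is the caveat to keep in mind when a byte-offset filter is used in place of a protocol-aware one.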