Wireshark · Wireshark-users: [Wireshark-users] Complex Capture Filter Problem

Wireshark-users: [Wireshark-users] Complex Capture Filter Problem

From: "Travis Love" <travis.love@xxxxxxxx>

Date: Thu, 13 Sep 2007 16:45:55 -0400

I'm trying to create a capture filter to help detect rogue DHCP servers with Wireshark. So far, what I've come up with is a capture and a viewing filter, each of which does half the work I need it to. The capture filter looks like:

(port 67 or port 68) and !(ether host 00:04:23:XX:XX:XX) and !(ether host 00:04:23:XX:XX:YY)

So it captures only DHCP packets that aren't to/from either of our DHCP servers. I then have to apply:

frame[282:3] == 35:01:02 or frame[282:3] == 35:01:05 or frame[282:3] == 35:01:06

as a viewing filter in order to see only NAK, ACK, and DHCP OFFER packets. Is there a way to put the viewing filter into the capture filter so my box's RAM doesn't fill up with packets I'm not interested in?

Any ideas would be appreciated. Thanks in advance,

Travis Love
Hope College CIT

Follow-Ups:
- Re: [Wireshark-users] Complex Capture Filter Problem
  - From: Ed . Staszko
- Re: [Wireshark-users] Complex Capture Filter Problem
  - From: Guy Harris

Prev by Date: Re: [Wireshark-users] WSDL / XML support?
Next by Date: Re: [Wireshark-users] Complex Capture Filter Problem
Previous by thread: Re: [Wireshark-users] Portable WinPCap
Next by thread: Re: [Wireshark-users] Complex Capture Filter Problem
Index(es):
- Date
- Thread