Wireshark-users: [Wireshark-users] Complex Capture Filter Problem
I'm trying to create a capture filter to help detect rogue DHCP servers with Wireshark. So far, what I've come up with is a capture and a viewing filter, each of which does half the work I need it to. The capture filter looks like:
(port 67 or port 68) and !(ether host 00:04:23:XX:XX:XX) and !(ether host 00:04:23:XX:XX:YY)
So it captures only DHCP packets that aren't to/from either of our DHCP servers. I then have to apply:
frame[282:3] == 35:01:02 or frame[282:3] == 35:01:05 or frame[282:3] == 35:01:06
as a viewing filter in order to see only NAK, ACK, and DHCP OFFER packets. Is there a way to put the viewing filter into the capture filter so my box's RAM doesn't fill up with packets I'm not interested in?
Any ideas would be appreciated. Thanks in advance,
Hope College CIT