Wireshark-users: Re: [Wireshark-users] Complex Capture Filter Problem

Date: Fri, 14 Sep 2007 10:25:34 -0500



You might try using tshark with this as your one-line batch file.
It will display the amount of packets that have been captured meeting all
criteria and create a file, c:\dhcp.cap, that will have the information you
need.
It takes up very little memory

c:\progra~1\wireshark\tshark -t a -w c:\dhcp.cap -f "(port 67 or port 68)
and !(ether host  00:04:23:XX:XX:XX) and !(ether host  00:04:23:XX:XX:YY)"
-R "frame[282:3] == 35:01:02
or frame[282:3] == 35:01:05 or frame[282:3] == 35:01:06"

Ed Staszko
Network  Analyst
Mutual of Omaha
402-351-4272

"The Pleistocene Digital Hierarchy will revolutionize communication."  -
Frederick Flintstone


                                                                           
             "Travis Love"                                                 
             <travis.love@hope                                             
             .edu>                                                      To 
             Sent by:                  wireshark-users@xxxxxxxxxxxxx       
             wireshark-users-b                                          cc 
             ounces@wireshark.                                             
             org                                                   Subject 
                                       [Wireshark-users] Complex Capture   
                                       Filter Problem                      
             09/13/2007 03:45                                              
             PM                                                            
                                                                           
                                                                           
             Please respond to                                             
                "Community                                                 
             support list for                                              
                Wireshark"                                                 
             <wireshark-users@                                             
              wireshark.org>                                               
                                                                           
                                                                           




I'm trying to create a capture filter to help detect rogue DHCP servers
with Wireshark.  So far, what I've come up with is a capture and a viewing
filter, each of which does half the work I need it to.  The capture filter
looks like:

(port 67 or port 68) and !(ether host  00:04:23:XX:XX:XX) and !(ether host
00:04:23:XX:XX:YY)

So it captures only DHCP packets that aren't to/from either of our DHCP
servers.  I then have to apply:

frame[282:3] == 35:01:02 or frame[282:3] == 35:01:05 or frame[282:3] ==
35:01:06

as a viewing filter in order to see only NAK, ACK, and DHCP OFFER packets.
Is there a way to put the viewing filter into the capture filter so my
box's RAM doesn't fill up with packets I'm not interested in?

Any ideas would be appreciated.  Thanks in advance,

Travis Love
Hope College CIT_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users



This e-mail and any files transmitted with it are confidential and are solely for the use of the addressee.  It may contain material that is legally privileged, proprietary or subject to copyright belonging to Mutual of Omaha Insurance Company and its affiliates, and it may be subject to protection under federal or state law.  If you are not the intended recipient, you are notified that any use of this material is strictly prohibited.  If you received this transmission in error, please contact the sender immediately by replying to this e-mail and delete the material from your system.  Mutual of Omaha Insurance Company may archive e-mails, which may be accessed by authorized persons and may be produced to other parties, including public authorities, in compliance with applicable laws.