Wireshark-users: Re: [Wireshark-users] Complex Capture Filter Problem
Date: Fri, 14 Sep 2007 10:25:34 -0500
You might try using tshark with this as your one-line batch file.
It will display the number of packets that have been captured meeting all
criteria and create a file, c:\dhcp.cap, that will have the information you
need.
It takes up very little memory.
c:\progra~1\wireshark\tshark -t a -w c:\dhcp.cap -f "(port 67 or port 68) and !(ether host 00:04:23:XX:XX:XX) and !(ether host 00:04:23:XX:XX:YY)" -R "frame[282:3] == 35:01:02 or frame[282:3] == 35:01:05 or frame[282:3] == 35:01:06"
Ed Staszko
Network Analyst
Mutual of Omaha
402-351-4272
"The Pleistocene Digital Hierarchy will revolutionize communication." -
Frederick Flintstone
From: "Travis Love" <travis.love@hope.edu>
Sent by: wireshark-users-bounces@wireshark.org
To: wireshark-users@xxxxxxxxxxxxx
cc:
Subject: [Wireshark-users] Complex Capture Filter Problem
Date: 09/13/2007 03:45 PM
Please respond to "Community support list for Wireshark" <wireshark-users@wireshark.org>
I'm trying to create a capture filter to help detect rogue DHCP servers
with Wireshark. So far, what I've come up with is a capture and a viewing
filter, each of which does half the work I need it to. The capture filter
looks like:
(port 67 or port 68) and !(ether host 00:04:23:XX:XX:XX) and !(ether host 00:04:23:XX:XX:YY)
So it captures only DHCP packets that aren't to/from either of our DHCP
servers. I then have to apply:
frame[282:3] == 35:01:02 or frame[282:3] == 35:01:05 or frame[282:3] == 35:01:06
as a viewing filter in order to see only NAK, ACK, and DHCP OFFER packets.
Is there a way to put the viewing filter into the capture filter so my
box's RAM doesn't fill up with packets I'm not interested in?
Any ideas would be appreciated. Thanks in advance,
Travis Love
Hope College CIT
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
This e-mail and any files transmitted with it are confidential and are solely for the use of the addressee. It may contain material that is legally privileged, proprietary or subject to copyright belonging to Mutual of Omaha Insurance Company and its affiliates, and it may be subject to protection under federal or state law. If you are not the intended recipient, you are notified that any use of this material is strictly prohibited. If you received this transmission in error, please contact the sender immediately by replying to this e-mail and delete the material from your system. Mutual of Omaha Insurance Company may archive e-mails, which may be accessed by authorized persons and may be produced to other parties, including public authorities, in compliance with applicable laws.
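An added example (editor's code, not from either poster or the Wireshark project) showing what the thread's offset-based display filter actually tests, and a more robust way to do the same rogue-server check offline. The offset 282 works out as 14 (Ethernet) + 20 (IPv4, no options) + 8 (UDP) + 236 (fixed BOOTP fields) + 4 (DHCP magic cookie), so `frame[282:3] == 35:01:02` matches option 53 (message type) with length 1 and value 2 (OFFER) only when that option comes first, the frame has no 802.1Q tag, and the IP header carries no options. A BPF capture filter can test fixed byte offsets but cannot walk a variable-length option list, so the practical approach is to capture on ports 67/68 as Ed suggests and classify the saved frames with a parser that walks the options. The MAC allowlist, server IPs, and the test frames below are constructed values, not from the thread.

```python
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
MSG_TYPE_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                  5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_SIDE_TYPES = {2, 5, 6}  # OFFER, ACK, NAK: only a DHCP server sends these

# Hypothetical allowlist of the legitimate DHCP servers' MACs (constructed values).
AUTHORIZED_SERVER_MACS = {"00:04:23:aa:bb:cc", "00:04:23:aa:bb:dd"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_dhcp_options(payload):
    """Walk the DHCP option TLVs after the magic cookie; return {code: value} or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # PAD: single byte, no length
            i += 1
            continue
        if code == 255:          # END
            break
        if i + 1 >= len(payload):
            break                # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            break                # truncated option value
        opts[code] = value
        i += 2 + length
    return opts


def parse_frame(frame):
    """Return (src_mac, options) for an Ethernet/IPv4/UDP DHCP frame; handles 802.1Q and IP options."""
    if len(frame) < 14:
        return None
    src_mac = mac_str(frame[6:12])
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100:      # VLAN tag shifts every later offset by 4 bytes
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800:
        return None
    ihl = (frame[off] & 0x0F) * 4  # IP header length honours IP options
    if frame[off + 9] != 17:       # not UDP
        return None
    udp = off + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[udp:udp + 6])
    if not ({sport, dport} & {67, 68}):
        return None
    opts = parse_dhcp_options(frame[udp + 8:udp + ulen])
    return None if opts is None else (src_mac, opts)


def classify(frame):
    """'ignore', 'authorized <TYPE>', or 'ROGUE <TYPE> from <mac> server_id=<ip>'."""
    parsed = parse_frame(frame)
    if parsed is None:
        return "ignore"
    src_mac, opts = parsed
    mtype = opts.get(53)
    if not mtype or mtype[0] not in SERVER_SIDE_TYPES:
        return "ignore"            # client-side or unknown message: not server evidence
    name = MSG_TYPE_NAMES[mtype[0]]
    if src_mac in AUTHORIZED_SERVER_MACS:
        return f"authorized {name}"
    sid = opts.get(54)             # option 54: server identifier, useful for follow-up
    sid_str = ".".join(map(str, sid)) if sid and len(sid) == 4 else "?"
    return f"ROGUE {name} from {src_mac} server_id={sid_str}"


def fixed_offset_match(frame):
    """Mimic the thread's display filter: frame[282:3] in {35:01:02, 35:01:05, 35:01:06}."""
    return frame[282:285] in (b"\x35\x01\x02", b"\x35\x01\x05", b"\x35\x01\x06")


def build_dhcp_frame(src_mac, msg_type, server_ip, vlan=False, msg_type_first=True):
    """Constructed test frame (not a real capture): Ethernet/IPv4/UDP/BOOTP reply with two options."""
    ip4 = bytes(int(x) for x in server_ip.split("."))
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x12345678, 0, 0)  # op=BOOTREPLY, htype=1, hlen=6
    bootp += b"\x00" * (16 + 16 + 64 + 128)  # 4 addresses, chaddr, sname, file -> 236 bytes total
    type_opt = bytes([53, 1, msg_type])
    sid_opt = bytes([54, 4]) + ip4
    opts = type_opt + sid_opt if msg_type_first else sid_opt + type_opt
    payload = bootp + DHCP_MAGIC + opts + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip4, b"\xff" * 4)
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
    if vlan:
        eth += b"\x81\x00" + struct.pack("!H", 10)  # 802.1Q tag, VLAN 10
    return eth + b"\x08\x00" + ip + udp


if __name__ == "__main__":
    for label, frame in [("plain rogue OFFER", build_dhcp_frame("00:11:22:33:44:55", 2, "10.0.0.99")),
                         ("tagged rogue NAK", build_dhcp_frame("00:11:22:33:44:55", 6, "10.0.0.99", vlan=True)),
                         ("authorized ACK", build_dhcp_frame("00:04:23:aa:bb:cc", 5, "10.0.0.1"))]:
        print(f"{label}: parser={classify(frame)!r} offset_filter={fixed_offset_match(frame)}")
```

The offset filter and the parser agree on the plain frame, but the VLAN-tagged and reordered-option frames are only caught by the parser, which is why it is safer to keep the capture filter broad and do the message-type and server-identity checks on the saved file.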