What’s the capture filter for a DHCP option?


What's the capture filter equivalent to the display filter "(bootp.option.type == 53)" for DHCP?

The order of option 53 in the frame, and with that the position, is unknown. As capture filters don't have any protocol intelligence, you can't define a capture filter for a certain DHCP option.

The best thing you can do: Capture all DHCP/BOOTP frames and later use a display filter in Wireshark or tshark to filter only those frames with option 53.

Wireshark display filter

bootp.option.type == 53

Alternatively, you can use tshark with a display filter while you are capturing. Downside: you can't write a capture file (-w not supported with display filters). But you can print whatever fields you may need.

tshark -ni eth0 -Y "bootp.option.type == 53" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e bootp.option.type -e bootp.ip.client -e xxxx

Replace xxxx with whatever bootp protocol field you may need.


Thank you,Kurt. If I just want to filter all the DHCP/bootp frames, then what's the appropriate capture filter?

udp port 68 or port 67

should work.

