This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What’s the capture filter for a DHCP option?

0

What's the capture filter equivalent to the display filter "(bootp.option.type == 53)" for DHCP?

asked 10 Nov '13, 18:25

metamatrix

edited 11 Nov '13, 07:52

Kurt Knochner ♦


One Answer:

1

The order of option 53 in the frame, and with that the position, is unknown. As capture filters don't have any protocol intelligence, you can't define a capture filter for a certain DHCP option.

The best thing you can do: Capture all DHCP/BOOTP frames and later use a display filter in Wireshark or tshark to filter only those frames with option 53.

Wireshark display filter

bootp.option.type == 53

Alternatively, you can use tshark with a display filter while you are capturing. Downside: you can't write a capture file (-w not supported with display filters). But you can print whatever fields you may need.

tshark -ni eth0 -Y "bootp.option.type == 53" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e bootp.option.type -e bootp.ip.client -e xxxx

Replace xxxx with whatever bootp protocol field you may need.

http://www.wireshark.org/docs/dfref/b/bootp.html

Regards
Kurt

answered 11 Nov '13, 07:55

Kurt Knochner ♦

Thank you, Kurt. If I just want to filter all the DHCP/bootp frames, then what's the appropriate capture filter?

(11 Nov '13, 16:39) metamatrix

udp port 68 or port 67

should work.

(12 Nov '13, 03:53) Kurt Knochner ♦
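
Added example (not part of the original thread, and not Wireshark code): a Python illustration of the answer's point that the position of option 53 is not fixed. It walks the DHCP options list of constructed payloads to find option 53 wherever it sits, and contrasts that with a single fixed-offset byte test, used here as a stand-in for a check with no protocol awareness. The function names and sample payloads are assumptions made for illustration.

```python
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 marker that precedes the options
OPTIONS_OFFSET = 240                # 236-byte fixed BOOTP header + 4-byte cookie

def build_payload(options):
    """Constructed sample: minimal BOOTP header followed by (code, value) options."""
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return b"\x01" + bytes(235) + MAGIC_COOKIE + body + b"\xff"

def find_option(payload, wanted):
    """Walk the code/length/value list; return (offset_of_code, value) or None."""
    if len(payload) < OPTIONS_OFFSET or payload[236:240] != MAGIC_COOKIE:
        return None
    i = OPTIONS_OFFSET
    while i < len(payload):
        code = payload[i]
        if code == 255:              # End option: nothing further to parse
            return None
        if code == 0:                # Pad option is a single byte, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            return None              # truncated before the length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:
            return None              # truncated value
        if code == wanted:
            return i, value
        i += 2 + length              # skip to the next option
    return None

def fixed_offset_match(payload, offset=OPTIONS_OFFSET, wanted=53):
    """Assumed stand-in for a position-based check: one byte at one offset."""
    return len(payload) > offset and payload[offset] == wanted

# Constructed payloads: both carry option 53, in different positions.
FIRST = build_payload([(53, b"\x01"), (61, b"\x01" + bytes(6))])
LATER = build_payload([(61, b"\x01" + bytes(6)), (12, b"host"), (53, b"\x03")])

if __name__ == "__main__":
    for name, pkt in (("FIRST", FIRST), ("LATER", LATER)):
        print(name, "fixed offset:", fixed_offset_match(pkt),
              "option walk:", find_option(pkt, 53))
```

The walk does not follow option overload (option 52), where further options are carried in the sname and file header fields.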