linux wifi wireshark packet-capture tshark

What is the correct tshark capture filter option for the DHCP frame?


I am trying to capture the DHCP frames for analysis using the following command on my MacBook.

sudo tshark -i en0 -f "port 67 or port 68" -a duration:300 -w /tmp/dump.pcap

I use the following command to get all the fields of all protocols in the packet, but it is not printing any value. Is the capture filter option for the DHCP frame correct? Any help is appreciated.

sudo tshark -T text -r /tmp/dump.pcap -V

Solution

  • Answer

    Yes, your commands are OK. Maybe no DHCP packets arrived and therefore none were captured. Try to force DHCP activity with the following commands in a second terminal window on the same device:

    sudo dhclient -r
    sudo dhclient
    

    Warning: Do not apply these commands if you are connected remotely. The first command releases the IP address, so your connection will be interrupted and you will have no way to enter the second command and get an address back remotely.

    Some details concerning data capture

    The tshark filters have the same syntax as Wireshark. There exist 2 (or 3) filter types:

    • capture filter, -f tshark option: It selects which packets will be captured and which will not. This is useful e.g. for keeping the capture file smaller.
    • display filter, -Y tshark option: It selects which packets will be displayed out of all the captured ones.

    You can combine both types.

    Examples:

    tshark -i eth0 -n -Y "ip.addr==8.8.8.8"
    tshark -i eth0 -n -Y "ip.addr==8.8.8.8" -f "udp port 53"
    tshark -i eth0 -n -Y "ip.addr==8.8.8.8 and udp.port==53"
    
    • All packets are captured, but only the packets with IP address 8.8.8.8 are displayed.
    • Only DNS packets are captured, and of those only the packets with IP address 8.8.8.8 are displayed.
    • All packets are captured, but only the 8.8.8.8 packets with UDP port 53 (i.e. DNS) are displayed. Compare the different port-filtering syntax of the display filter here with the capture filter in the line above.

    All other options like -a, -b, -w, -s can be applied too.

    The tcpdump application is useful too. It is available on most Linux systems, even very small or special ones. It does not have a display filter option; only capture filters can be applied. Other options are missing as well: -a, -b ...

    sudo tcpdump -i eth0 -w /tmp/dhcp.pcap "udp port 67 or udp port 68"
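The two filter stages in the answer above (a BPF capture filter on UDP/TCP ports, then a display filter on dissected DHCP fields) can be reproduced offline. The following is an added example, not code from the question or the answer: it constructs a few Ethernet/IPv4/UDP frames in memory, including a DHCP DISCOVER/OFFER pair, applies the equivalent of `port 67 or port 68`, and then dissects what survives the way `tshark -V` or a `dhcp.option.dhcp` display filter would. The MAC addresses, IP addresses and the transaction id are made up, IP/UDP checksums are left at zero (a synthetic sample, not wire-accurate), and the TCP header is a bare SYN used only to show that a plain `port 67` capture filter also matches TCP, which is why the tcpdump line writes `udp port 67`.

```python
"""Added example: constructed DHCP frames run through a capture-style port
filter and a minimal DHCP dissector. Not part of the original post; all
frames are built in memory, checksums are zero, no interface is opened."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"                   # RFC 2131 option cookie
DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                  5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_dhcp(op, msg_type, xid, client_mac, yiaddr="0.0.0.0"):
    """Constructed DHCP message: 236-byte fixed header, cookie, option 53, end."""
    chaddr = _mac(client_mac).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, xid, 0, 0x8000,           # flags: broadcast
                        b"\x00" * 4, _ip(yiaddr), b"\x00" * 4, b"\x00" * 4,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type]) + b"\xff"


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload):
    """Constructed Ethernet II + IPv4 + UDP (17) or bare TCP SYN (6) frame."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:  # 20-byte TCP header: seq/ack 0, data offset 5, SYN flag, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip(src_ip), _ip(dst_ip)) + l4
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip


def parse_frame(raw):
    """Decode enough to evaluate a port filter: (proto, sport, dport, l4 payload)."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        return None                                 # not IPv4
    ip = raw[14:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    l4 = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    if proto == 17:
        sport, dport, length, _ = struct.unpack("!HHHH", l4[:8])
        return proto, sport, dport, l4[8:length]
    if proto == 6:
        sport, dport = struct.unpack("!HH", l4[:4])
        return proto, sport, dport, l4[(l4[12] >> 4) * 4:]
    return proto, None, None, b""


def capture_filter_dhcp_ports(raw, udp_only=False):
    """udp_only=False mirrors BPF "port 67 or port 68" (matches TCP too);
    udp_only=True mirrors "udp port 67 or udp port 68"."""
    parsed = parse_frame(raw)
    if parsed is None or parsed[1] is None or (udp_only and parsed[0] != 17):
        return False
    return parsed[1] in (67, 68) or parsed[2] in (67, 68)


def parse_dhcp(payload):
    """Minimal DHCP dissector: fixed header plus TLV options (RFC 2131/2132)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                               # pad
            i += 1
            continue
        if code == 255:                             # end
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = options[53][0] if 53 in options else None
    return {"op": op, "xid": xid,
            "chaddr": ":".join(f"{b:02x}" for b in payload[28:28 + hlen]),
            "yiaddr": ".".join(str(b) for b in payload[16:20]),
            "msg_type": DHCP_MSG_TYPES.get(msg_type, msg_type)}


def dhcp_summary(frames):
    """Stage 1: capture filter. Stage 2: dissect, like a display filter on
    dhcp.option.dhcp. Returns (kept_count, [(xid, chaddr, msg_type), ...])."""
    kept = [f for f in frames if capture_filter_dhcp_ports(f)]
    rows = []
    for raw in kept:
        proto, _, _, payload = parse_frame(raw)
        d = parse_dhcp(payload) if proto == 17 else None
        if d:
            rows.append((d["xid"], d["chaddr"], d["msg_type"]))
    return len(kept), rows


# Constructed sample "capture": a DHCP exchange plus two frames the capture
# filter should drop before they ever reach the pcap file.
CLIENT, SERVER = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"
SAMPLE_FRAMES = [
    build_frame(CLIENT, "ff:ff:ff:ff:ff:ff", "0.0.0.0", "255.255.255.255", 17, 68, 67,
                build_dhcp(1, 1, 0x3903F326, CLIENT)),                  # DISCOVER
    build_frame(SERVER, CLIENT, "192.168.1.1", "192.168.1.50", 17, 67, 68,
                build_dhcp(2, 2, 0x3903F326, CLIENT, "192.168.1.50")),  # OFFER
    build_frame(CLIENT, SERVER, "192.168.1.50", "8.8.8.8", 17, 51234, 53, b"\x12\x34\x01\x00"),  # DNS
    build_frame(CLIENT, SERVER, "192.168.1.50", "93.184.216.34", 6, 51235, 80, b""),          # TCP SYN
]

if __name__ == "__main__":
    kept, rows = dhcp_summary(SAMPLE_FRAMES)
    print(f"{len(SAMPLE_FRAMES)} frames seen, {kept} passed the capture filter")
    for xid, mac, kind in rows:
        print(f"xid=0x{xid:08x} chaddr={mac} {kind}")
```

The point of the two-stage structure is the one the answer makes: a capture filter can only see what BPF sees (ports, addresses, protocol numbers), so it is cheap and reduces file size, while anything that depends on DHCP fields such as the message type or the client hardware address needs the dissector, i.e. a display filter after the fact. Running the script with `udp_only=False` on a TCP segment to port 67 shows why the more specific `udp port 67 or udp port 68` in the tcpdump line is the safer choice.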