Tags: linux, wifi, wireshark, packet-capture, tshark

what is the correct tshark capture filter option for the DHCP frame?


I am trying to capture the DHCP frames for analysis using the following command on my MacBook.

sudo tshark -i en0 -f "port 67 or port 68" -a duration:300 -w /tmp/dump.pcap

I use the following command to get all the fields of all protocols in the packet, but it is not printing any value. Is the capture filter option for the DHCP frame correct? Any help is appreciated.

sudo tshark -T text -r /tmp/dump.pcap -V

Solution

  • Answer

    Yes, your commands are OK. Maybe no DHCP packets arrived and therefore none were captured. Try to force DHCP activity with these commands in a second terminal window on the same device:

    sudo dhclient -r
    sudo dhclient
    

    Warning: Do not apply these commands if you are connected remotely. The first command releases the IP address and your connection will be interrupted without a possibility to run the second command and get the address back remotely.

    Some details concerning data capture

    The tshark filters have the same syntax as Wireshark. There exist 2 (or 3) filter types:

    You can combine both types.

    Examples:

    tshark -i eth0 -n -Y "ip.addr==8.8.8.8"
    tshark -i eth0 -n -Y "ip.addr==8.8.8.8" -f "udp port 53"
    tshark -i eth0 -n -Y "ip.addr==8.8.8.8 and udp.port==53"
    

    All other options like -a, -b, -w, -s can be applied too.

    The tcpdump application is useful too. It is available in most Linux systems, even very small or special ones. It does not have a display filter option. Only capture filters can be applied. Other options are missing: -a, -b ...

    sudo tcpdump -i eth0 -w /tmp/dhcp.pcap "udp port 67 or udp port 68"
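The answer's point is that an empty `-V` output usually means no DHCP traffic reached the interface, not that the filter was wrong. The script below is an added example (it is not part of the question or the answer and does not use tshark) that shows how to check a saved pcap offline for DHCP frames: it builds a small, constructed two-frame pcap in memory (one DHCPDISCOVER, one unrelated DNS datagram), then applies the same port test as the capture filter `udp port 67 or udp port 68` and decodes the DHCP message type (option 53), which is the field `tshark -V` would print under the DHCP dissector. The `summarize_pcap` function works on any classic pcap with Ethernet link type, so it can be pointed at `/tmp/dump.pcap` as well. All packet addresses and MACs are made-up sample values.

```python
"""Offline check: does a pcap contain DHCP frames, and of which message types?

Added example, not from the original post. Constructs a pcap in memory with
one DHCPDISCOVER frame and one DNS frame, then counts DHCP message types.
"""
import socket
import struct

DHCP_MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 7: "RELEASE"}
DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + UDP wrapper around payload (constructed sample data)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload  # UDP checksum 0 = not computed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"  # broadcast dst, sample src MAC
    return eth + ip + udp


def build_dhcp_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Minimal BOOTP/DHCP DISCOVER payload: 236-byte header, cookie, option 53, end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    hdr += client_mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128  # chaddr, sname, file
    options = bytes([53, 1, 1, 255])  # option 53 (message type) = 1 DISCOVER, then END
    return hdr + DHCP_MAGIC_COOKIE + options


def write_pcap(frames) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


def iter_pcap_frames(data: bytes):
    """Yield raw Ethernet frames from a classic pcap (either byte order)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_dhcp(frame: bytes):
    """Return (sport, dport, message type) if the frame matches 'udp port 67 or udp port 68', else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:  # not UDP
        return None
    udp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp_off:udp_off + 4])
    if not {sport, dport} & {67, 68}:  # same test as the capture filter
        return None
    payload = frame[udp_off + 8:]
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC_COOKIE:
        return (sport, dport, "NO-MAGIC-COOKIE")
    i, msg = 240, "UNKNOWN"
    while i < len(payload):  # walk TLV options until END (255)
        code = payload[i]
        if code == 255:
            break
        if code == 0:  # PAD
            i += 1
            continue
        length = payload[i + 1]
        if code == 53 and length == 1:
            msg = DHCP_MSG_TYPES.get(payload[i + 2], "type-%d" % payload[i + 2])
        i += 2 + length
    return (sport, dport, msg)


def summarize_pcap(data: bytes) -> dict:
    """Count DHCP message types in a pcap; an empty dict means no DHCP frames were captured."""
    counts = {}
    for frame in iter_pcap_frames(data):
        hit = parse_dhcp(frame)
        if hit:
            counts[hit[2]] = counts.get(hit[2], 0) + 1
    return counts


def constructed_capture() -> bytes:
    """Sample pcap: one DHCPDISCOVER (0.0.0.0:68 -> 255.255.255.255:67) and one DNS query."""
    discover = build_udp_frame("0.0.0.0", "255.255.255.255", 68, 67,
                               build_dhcp_discover(b"\x00\x11\x22\x33\x44\x55"))
    dns = build_udp_frame("192.168.1.10", "8.8.8.8", 53000, 53, b"\x00" * 12)
    return write_pcap([discover, dns])


if __name__ == "__main__":
    import sys
    pcap = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_capture()
    print(summarize_pcap(pcap))  # {'DISCOVER': 1} for the constructed sample
```

Run it with a path argument (`python3 dhcpcheck.py /tmp/dump.pcap`) to count message types in a real capture; with no argument it analyses the constructed sample. An empty result on a real file confirms the answer's diagnosis: the filter is fine, but no DHCP exchange happened during the capture window.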