You might try using tshark with this as your one-line batch file.
It will display the number of packets that have been captured meeting all
criteria and create a file, c:\dhcp.cap, that will have the information you
need. It takes up very little memory.
c:\progra~1\wireshark\tshark -t a -w c:\dhcp.cap
    -f "(port 67 or port 68) and !(ether host 00:04:23:XX:XX:XX) and !(ether host 00:04:23:XX:XX:YY)"
    -R "frame[282:3] == 35:01:02 or frame[282:3] == 35:01:05 or frame[282:3] == 35:01:06"
Ed Staszko
Network Analyst
Mutual of Omaha
402-351-4272
"The Pleistocene Digital Hierarchy will revolutionize communication." -
Frederick Flintstone
From: "Travis Love" <[EMAIL PROTECTED].edu>
Sent by: wireshark-users-b[EMAIL PROTECTED]org
Date: 09/13/2007 03:45 PM
To: wireshark-users@wireshark.org
cc:
Subject: [Wireshark-users] Complex Capture Filter Problem
Please respond to "Community support list for Wireshark" <wireshark-users@wireshark.org>
I'm trying to create a capture filter to help detect rogue DHCP servers
with Wireshark. So far, what I've come up with is a capture and a viewing
filter, each of which does half the work I need it to. The capture filter
looks like:
(port 67 or port 68) and !(ether host 00:04:23:XX:XX:XX) and !(ether host 00:04:23:XX:XX:YY)
So it captures only DHCP packets that aren't to/from either of our DHCP
servers. I then have to apply:
frame[282:3] == 35:01:02 or frame[282:3] == 35:01:05 or frame[282:3] == 35:01:06
as a viewing filter in order to see only NAK, ACK, and DHCP OFFER packets.
Is there a way to put the viewing filter into the capture filter so my
box's RAM doesn't fill up with packets I'm not interested in?
Any ideas would be appreciated. Thanks in advance,
Travis Love
Hope College CIT
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
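Added example, not code from either poster: Travis's frame[282:3] test and Ed's -R filter both assume DHCP option 53 sits exactly 282 bytes into the frame, which only holds with no 802.1Q tag, a 20-byte IP header and option 53 as the first option. The Python below performs the same rogue-server check (OFFER/ACK/NAK from a MAC outside the allow-list) by walking the option list instead; the allow-list MACs and the test frames are constructed placeholders.

```python
import struct

# Constructed allow-list of the site's own DHCP servers (placeholder MACs).
AUTHORISED_SERVERS = {"00:04:23:aa:aa:aa", "00:04:23:bb:bb:bb"}
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}   # option 53 values from the thread
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def dhcp_message_type(frame):
    """Return DHCP option 53 (message type) or None. Walks the option list
    instead of trusting frame[282:3], which assumes no VLAN tag, a 20-byte
    IP header and option 53 as the very first option."""
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100:                       # 802.1Q tag: 4 extra bytes
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or frame[off + 9] != 17:  # IPv4 over UDP only
        return None
    udp = off + (frame[off] & 0x0F) * 4           # honour the IHL field
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if 67 not in (sport, dport) and 68 not in (sport, dport):
        return None
    opts = udp + 8 + 236                          # fixed BOOTP header is 236 bytes
    if frame[opts:opts + 4] != MAGIC_COOKIE:
        return None
    i = opts + 4
    while i < len(frame) and frame[i] != 255:     # 255 = end of options
        if frame[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        code, length = frame[i], frame[i + 1]
        if code == 53 and length == 1:
            return frame[i + 2]
        i += 2 + length
    return None

def is_rogue_dhcp_reply(frame):
    """True when a server-side DHCP reply comes from a MAC not on the allow-list."""
    if dhcp_message_type(frame) not in SERVER_REPLIES:
        return False
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return src_mac not in AUTHORISED_SERVERS

def build_dhcp_frame(src_mac, options, vlan=False):
    """Constructed test frame: Ethernet/[802.1Q]/IPv4/UDP/BOOTP with given options."""
    eth = b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", ""))
    eth += (b"\x81\x00\x00\x0a" if vlan else b"") + b"\x08\x00"
    bootp = bytes(236) + MAGIC_COOKIE + options + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), b"\xff" * 4)
    return eth + ip + udp
```

Feed it frames read from the c:\dhcp.cap that Ed's command writes and only replies from unlisted MACs are reported, whether or not the capture port carries VLAN tags.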