> The tcpdump man pages don't specify bootp/or dhcp as a protocol you can
> filter for, but I'm sure there's a way. I'm curious because there
> sometimes appear on my cable modem suspicious DHCP servers handing out
> class C addresses in the 192.168.0.0 range. I was just wanting to log
> them.
> I'm able to do it in ethereal (filter = bootp.dhcp) but that doesn't
> work in tcpdump, and I have to run it remotely so tcpdump is preferred.
Just in case you're really just asking about the syntax...
tcpdump -ni eth0 -s 1500 -w dhcp.pcap 'udp and port 67 and port 68'
-n means don't waste time on DNS lookups.
-i means use the specified interface.
-s means capture up to however many bytes.
tcpdump usually just gets the headers.
-w means write the packets to the specified file.
Skip the -w <file> if you just want to see it scroll by on the
screen.
Change eth0 to whatever is right for you.
The stuff in '' is the filter using Berkeley Packet Filter (BPF) syntax.
'port 67 and port 68' is the same as saying
'(src port 67 or src port 68) and (dst port 67 or dst port 68)'
which is the same as saying
'((src port 67 and dst port 68) or (src port 68 and dst port 67))'
i.e., get it all going both ways.
Kill tcpdump (to close the log file); transfer the log to your favorite
machine; read the log with ethereal.
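As an added example that is not part of the original thread: once the capture is on your favourite machine, a small parser over each packet's UDP payload can log exactly the thing the question asks about, i.e. DHCP OFFER/ACK replies from a server identifier you don't recognise, or leases handed out in the 192.168.0.0/24 range. The allow-listed server 10.0.0.1 and the two sample packets are constructed values, not from any real capture.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 options cookie at offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message (fixed header + TLV options)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, xid = payload[0], struct.unpack("!I", payload[4:8])[0]
    yiaddr = ipaddress.IPv4Address(payload[16:20])   # address being offered/assigned
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                           # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = MSG_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN")          # option 53
    server = ipaddress.IPv4Address(opts[54]) if len(opts.get(54, b"")) == 4 else None
    return {"op": op, "xid": xid, "type": mtype, "yiaddr": yiaddr, "server_id": server}

def is_rogue(msg: dict, allowed_servers: set, suspicious_net: str = "192.168.0.0/24") -> bool:
    """Flag server replies from an unexpected server identifier (option 54),
    or ones that hand out a lease in the range the post calls suspicious."""
    if msg["type"] not in ("OFFER", "ACK"):
        return False
    unknown_server = msg["server_id"] is None or str(msg["server_id"]) not in allowed_servers
    bad_lease = msg["yiaddr"] in ipaddress.IPv4Network(suspicious_net)
    return unknown_server or bad_lease

def build_offer(xid: int, yiaddr: str, server_id: str) -> bytes:
    """Constructed sample DHCPOFFER payload for the demo (not a real capture)."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)           # op=2 BOOTREPLY, Ethernet
    header += b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed      # ciaddr, yiaddr
    header += b"\x00" * 8 + b"\x00" * 16 + b"\x00" * 192              # siaddr, giaddr, chaddr, sname, file
    opts = bytes([53, 1, 2]) + bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed + b"\xff"
    return header + MAGIC_COOKIE + opts

ALLOWED = {"10.0.0.1"}   # assumed address of the legitimate DHCP server

if __name__ == "__main__":
    for pkt in (build_offer(0x1234, "10.0.0.57", "10.0.0.1"),
                build_offer(0x5678, "192.168.0.20", "192.168.0.1")):
        m = parse_dhcp(pkt)
        print(m["type"], m["yiaddr"], m["server_id"], "ROGUE" if is_rogue(m, ALLOWED) else "ok")
```

To run it over the dhcp.pcap from the tcpdump command above, feed parse_dhcp() the UDP payload of each packet (any pcap reader that strips the Ethernet/IP/UDP headers will do).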