tcpdump filter for BOOTP/DHCP packets?

Post by Thomas Gagn » Thu, 13 Mar 2003 01:31:16

The tcpdump man pages don't specify bootp/or dhcp as a
protocol you can filter for, but I'm sure there's a way.
I'm curious because there sometimes appears on my cable
modem suspicious DHCP servers handing out class C addresses
in the 192.168.0.0 range.  I was just wanting to log them.

I'm able to do it in ethereal (filter = bootp.dhcp) but that
doesn't work in tcpdump, and I have to run it remotely so
tcpdump is preferred.

--
.tom
remove dashes in email for replies
http://isectd.sourceforge.net


tcpdump filter for BOOTP/DHCP packets?

Post by Tauno Voipi » Thu, 13 Mar 2003 02:01:09

> The tcpdump man pages don't specify bootp/or dhcp as a
> protocol you can filter for, but I'm sure there's a way.
> I'm curious because there sometimes appears on my cable
> modem suspicious DHCP servers handing out class C addresses
> in the 192.168.0.0 range.  I was just wanting to log them.

> I'm able to do it in ethereal (filter = bootp.dhcp) but that
> doesn't work in tcpdump, and I have to run it remotely so
> tcpdump is preferred.

Set tcpdump to collect traffic for UDP ports 67 and 68.

HTH

Tauno Voipio


tcpdump filter for BOOTP/DHCP packets?

Post by Bo Lin » Thu, 13 Mar 2003 18:05:31

> The tcpdump man pages don't specify bootp/or dhcp as a
> protocol you can filter for, but I'm sure there's a way.
> I'm curious because there sometimes appears on my cable
> modem suspicious DHCP servers handing out class C addresses
> in the 192.168.0.0 range.  I was just wanting to log them.

> I'm able to do it in ethereal (filter = bootp.dhcp) but that
> doesn't work in tcpdump, and I have to run it remotely so
> tcpdump is preferred.

Like the other poster said, just filter on ports 67 and 68, UDP.

When you filter on specific names in Ethereal, all you really do is filter
on specific ports. E.g. http = port 80, ssh = port 22 etc.

If you look at your /etc/services, there's a list of all the normal services
and which port they run on.

Bo Lind
Thrane & Thrane


tcpdump filter for BOOTP/DHCP packets?

Post by Allen Kistle » Tue, 18 Mar 2003 05:23:03

> The tcpdump man pages don't specify bootp/or dhcp as a protocol you can
> filter for, but I'm sure there's a way. I'm curious because there
> sometimes appears on my cable modem suspicious DHCP servers handing out
> class C addresses in the 192.168.0.0 range.  I was just wanting to log
> them.

> I'm able to do it in ethereal (filter = bootp.dhcp) but that doesn't
> work in tcpdump, and I have to run it remotely so tcpdump is preferred.

Just in case you're really just asking about the syntax...

tcpdump -ni eth0 -s 1500 -w dhcp.pcap 'udp and port 67 and port 68'

-n means don't waste time on DNS lookups.
-i means use the specified interface.
-s means capture up to however many bytes.
    tcpdump usually just gets the headers.
-w means write the packets to the specified file
    Skip the -w <file> if you just want to see it scroll by on the
    screen.

Change eth0 to whatever is right for you.
The stuff in '' is the filter using Berkeley Packet Filter (BPF) syntax.
'port 67 and port 68' is the same as saying
'(src port 67 or src port 68) and (dst port 67 or dst port 68)'
which is the same as saying
'((src port 67 and dst port 68) or (src port 68 and dst port 67))'
i.e., get it all going both ways

Kill tcpdump (to close the log file); transfer the log to your favorite
machine; read the log with ethereal.
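An added example (not from any poster in this thread): a Python parser for the BOOTP/DHCP payload that such a capture carries, which flags OFFER/ACK replies from a server other than an assumed trusted one (the 10.0.0.1 in TRUSTED_SERVERS is a placeholder) or replies handing out 192.168.0.0/16 leases. The sample OFFER packets are constructed in code, not taken from a real capture.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie at payload offset 236
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
TRUSTED_SERVERS = {"10.0.0.1"}      # assumed (placeholder) address of the legitimate DHCP server

def parse_dhcp(payload):
    """Parse the UDP payload of a BOOTP/DHCP packet: fixed header, then TLV options."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    msg = {"op": payload[0],                         # 1 = BOOTREQUEST, 2 = BOOTREPLY
           "xid": struct.unpack("!I", payload[4:8])[0],
           "yiaddr": str(ipaddress.IPv4Address(payload[16:20])),   # address being handed out
           "siaddr": str(ipaddress.IPv4Address(payload[20:24])), "options": {}}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                             # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = msg["options"].get(53)                      # option 53 = DHCP message type
    msg["type"] = MSG_TYPES.get(mtype[0], "UNKNOWN") if mtype else "UNKNOWN"
    sid = msg["options"].get(54)                        # option 54 = server identifier
    msg["server_id"] = str(ipaddress.IPv4Address(sid)) if sid else None
    return msg

def is_rogue_reply(msg, trusted=TRUSTED_SERVERS, net=ipaddress.ip_network("192.168.0.0/16")):
    """Flag OFFER/ACK replies from a server not in the trusted set, or leases inside 192.168/16."""
    if msg["op"] != 2 or msg["type"] not in ("OFFER", "ACK"):
        return False                                    # client-side messages are not server activity
    if msg["server_id"] not in trusted:
        return True
    return ipaddress.IPv4Address(msg["yiaddr"]) in net

def build_offer(server_ip, offered_ip, xid=0x3903F326):
    """Constructed sample DHCP OFFER (not a real capture) used to exercise the parser."""
    srv = ipaddress.IPv4Address(server_ip).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)             # BOOTREPLY, Ethernet, hlen 6
    hdr += bytes(4) + ipaddress.IPv4Address(offered_ip).packed + srv + bytes(4)  # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex("00115522aabb") + bytes(10) + bytes(192)     # chaddr(16), sname(64), file(128)
    opts = b"\x35\x01\x02" + b"\x36\x04" + srv + b"\x33\x04" + struct.pack("!I", 3600) + b"\xff"
    return hdr + DHCP_MAGIC + opts

if __name__ == "__main__":
    for srv, lease in (("10.0.0.1", "24.1.2.3"), ("192.168.0.1", "192.168.0.50")):
        m = parse_dhcp(build_offer(srv, lease))
        print(f"{m['type']} from {m['server_id']} offers {m['yiaddr']}: rogue={is_rogue_reply(m)}")
```

Note that 'udp and port 67 and port 68' only matches packets travelling between the two ports, so relay-agent traffic sent from port 67 to port 67 is not captured; 'udp and (port 67 or port 68)' collects that as well.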