
There are a lot of "BOOTP/DHCP, Request" in tcpdump and I would like to filter it out.

It's easy to filter arp out.

tcpdump -nni eth0 not arp

What about BOOTP/DHCP, Request?

I've tried the following but it doesn't work

$ sudo tcpdump -nni eth0 not bootp
tcpdump: can't parse filter expression: syntax error

$ sudo tcpdump -nni eth0 not dhcp
tcpdump: can't parse filter expression: syntax error

$ sudo tcpdump -nni eth0 not dhcpd
tcpdump: can't parse filter expression: syntax error

What is the right tcpdump for this?

Wolf
  • 1,631

1 Answer


TL;DR

In tcpdump, the "nickname" for the port of the protocol "BOOTP/DHCP" is bootps. For instance, to filter for only DHCP packets:

sudo tcpdump -n -i eth0 port bootps

Or to exclude them:

sudo tcpdump -n -i eth0 not port bootps

Details

As a tip, to get the "nickname" for a given port/protocol, check the file /etc/services:

$ cat /etc/services | grep bootp
bootps      67/udp
bootpc      68/udp

Note that bootps is used for the server port, and bootpc for the client port.

Although technically speaking one may think we must use both (e.g. tcpdump -n -i eth0 port bootps or bootpc), the fact is that every DHCP packet will use port 67 at source or destination (some packets will have src port 67 and dst port 68, while others src port 68 and dst port 67). So just filtering by port bootps usually works.
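As an added example (not part of the question or answer above), the following Python models what the answer describes: resolving the nicknames bootps/bootpc through lines in /etc/services format, and evaluating the "port X" / "not port X" primitives, which match when X is either the source or the destination port. The services excerpt and the packet list are constructed; the relay-agent packet assumes the standard server-to-relay exchange on port 67 at both ends.

```python
import socket

# Constructed excerpt in /etc/services format (the lines the answer greps for).
SERVICES_EXCERPT = """\
bootps      67/udp    # BOOTP/DHCP server side
bootpc      68/udp    # BOOTP/DHCP client side
domain      53/udp
"""

# Constructed sample of UDP packets as (description, src_port, dst_port).
SAMPLE_PACKETS = [
    ("DHCPDISCOVER client -> server", 68, 67),
    ("DHCPOFFER server -> client", 67, 68),
    ("DHCPREQUEST via relay agent", 67, 67),   # relay <-> server: 67 on both ends
    ("DNS query", 40123, 53),
]

def parse_services(text):
    """Map (name, proto) -> port number, the way tcpdump resolves 'port bootps'."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:  # primary name plus any aliases
            table[(name, proto)] = int(port)
    return table

def resolve_port(name, proto="udp", table=None):
    """Numeric strings pass through; nicknames are looked up in the table,
    falling back to the system's own /etc/services."""
    if name.isdigit():
        return int(name)
    table = parse_services(SERVICES_EXCERPT) if table is None else table
    return table.get((name, proto)) or socket.getservbyname(name, proto)

def matches(expr, src, dst):
    """Evaluate the two primitives used in the answer: 'port X' and 'not port X'.
    'port X' is true when X is the source OR the destination port."""
    negate = expr.startswith("not ")
    port = resolve_port(expr.split()[-1])
    hit = port in (src, dst)
    return hit != negate

def apply_filter(expr, packets=SAMPLE_PACKETS):
    """Return the descriptions of the sample packets that pass the filter."""
    return [desc for desc, src, dst in packets if matches(expr, src, dst)]
```

Running apply_filter("port bootps") keeps all three DHCP packets, apply_filter("port bootpc") misses the relay-agent packet, and apply_filter("not port bootps") leaves only the DNS query.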