What would a PCAP filter look like to capture all DHCP-related traffic?
I settled with the following PCAP filter:
( udp and ( port 67 or port 68 ) )
or arp
or ( icmp and ( icmp[icmptype] == 8 or icmp[icmptype] == 0 ) )
or ( udp and ( port 546 or port 547 ) )
or ( icmp6 and ( ip6[40] == 135 or ip6[40] == 136 ) )
or dst net ff02:0:0:0:0:1:ff00::/104
or dst host ff01::1
or dst host ff02::1
or dst host ff02::1:2
or ( icmp6 and ( ip6[40] == 128 or ip6[40] == 129 ) )
The first three lines catch DHCPv4, ARP (duplicate address detection) and PING.
The fourth line catches DHCPv6, lines five to eight catch duplicate address detection for IPv6. Line nine catches multicast for DHCPv6 agents and the last line is for PING6.
Of course this will catch many packets not related to the DHCP traffic. These have to be sorted out afterwards.
Maybe the PING and PING6 traffic isn't needed at all.
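As an added example that is not part of the original answer, here is a small Python classifier that mirrors each clause of the filter above over raw Ethernet frames, the kind of post-capture sorting the answer says is needed. The frame builders and sample frames are constructed for this example, and like ip6[40] in the filter it assumes IPv6 packets carry no extension headers.

```python
import struct
from ipaddress import IPv6Address, IPv6Network
ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
SOLICITED_NODE = IPv6Network("ff02:0:0:0:0:1:ff00::/104")   # the "dst net" clause
ALL_NODES = {IPv6Address("ff01::1"), IPv6Address("ff02::1")}  # the "dst host" clauses

def classify(frame: bytes):
    """Return the filter clause an Ethernet frame matches, or None if it would be dropped."""
    ethertype, pkt = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETH_ARP:
        return "arp"
    if ethertype == ETH_IPV4:
        proto, l4 = pkt[9], pkt[(pkt[0] & 0x0F) * 4:]  # skip IPv4 options via IHL
        if proto == 17 and {67, 68} & set(struct.unpack("!HH", l4[:4])):
            return "dhcpv4"
        if proto == 1 and l4[0] in (8, 0):
            return "ping"
    if ethertype == ETH_IPV6:
        # ip6[40] in the filter assumes no extension headers; mirror that assumption here
        nxt, dst, l4 = pkt[6], IPv6Address(pkt[24:40]), pkt[40:]
        if nxt == 17 and {546, 547} & set(struct.unpack("!HH", l4[:4])):
            return "dhcpv6"
        if (nxt == 58 and l4[0] in (135, 136)) or dst in SOLICITED_NODE or dst in ALL_NODES:
            return "ipv6-dad"
        if dst == IPv6Address("ff02::1:2"):
            return "dhcpv6-agents"
        if nxt == 58 and l4[0] in (128, 129):
            return "ping6"
    return None
# Frame builders used only to construct sample input (checksums left at zero)
def eth(ethertype, payload):
    return b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ethertype) + payload
def ipv4_udp(sport, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0, bytes(4), b"\xff" * 4)
    return eth(ETH_IPV4, ip + struct.pack("!HHHH", sport, dport, 8, 0))
def ipv6(nxt, dst, l4):
    hdr = struct.pack("!IHBB", 0x60000000, len(l4), nxt, 255) + IPv6Address("fe80::1").packed
    return eth(ETH_IPV6, hdr + IPv6Address(dst).packed + l4)

# Constructed sample frames: one per filter clause, plus a TCP frame the filter should drop
SAMPLES = {
    "dhcpv4": ipv4_udp(68, 67),
    "arp": eth(ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    "dhcpv6": ipv6(17, "ff02::1:2", struct.pack("!HHHH", 546, 547, 8, 0)),
    "ipv6-dad": ipv6(58, "ff02::1:ff00:1", bytes([135, 0, 0, 0])),
    "ping6": ipv6(58, "2001:db8::1", bytes([128, 0, 0, 0])),
    None: ipv6(6, "2001:db8::1", bytes(20)),
}
```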
The filter port 67 or port 68
will get you the DHCP conversation itself, that is correct.
The filter arp
should capture ARP traffic on the subnet. It is broadcast in nature, so it can be caught from any port on the subnet.
And the ICMP requests you've already outlined.
I'd say you have the comprehensive list.
You want to filter for all BOOTP traffic since DHCP uses BOOTP as its comms protocol. See this:
https://wiki.wireshark.org/DHCP