1

Can I use two BPF filters in pyshark? For example:

pyshark.LiveCapture(interface = 'wlo2', bpf_filter = 'arp and dhcp')

Is it possible, or is there any way to use 2 filters simultaneously?

roXx

1 Answer

1

You have to combine the BPF filters yourself with `and` or `or`. There can be only one BPF filter active for a capture.

In your example the filter would match packets which are ARP and DHCP, but this is not a combination that can exist. ARP is a link-layer protocol in Ethernet while DHCP is built on IPv4/IPv6 and UDP.

To match either ARP or DHCP, just do `arp or dhcp`. To combine more elaborate filters, use parentheses for grouping, such as `(arp and ether host 01:02:03:04:05:06) or (dhcp and host 192.168.0.1)`.

I have found it easier to use BPF filters (fast) for rough pre-selection of packets on the kernel level, then an additional display filter for slower but more flexible final filtering.

vaizki
  • It will clear my query, check this https://stackoverflow.com/questions/70333690/how-to-use-two-bpf-filter-simultaneously-in-pyshark @vaizki – roXx Dec 13 '21 at 11:12
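
An added example, not part of the original answer or of pyshark itself: one way to merge several BPF expressions into the single capture filter, followed by the display-filter second stage the answer describes. `combine_bpf`, `open_capture` and the constants are hypothetical names, and writing DHCP as UDP ports 67/68 is an assumption of this example.

```python
def _check(expr: str) -> str:
    """Reject empty or unbalanced sub-filters before they are merged."""
    expr = expr.strip()
    if not expr:
        raise ValueError("empty BPF sub-filter")
    depth = 0
    for ch in expr:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unbalanced ')' in {expr!r}")
    if depth:
        raise ValueError(f"unbalanced '(' in {expr!r}")
    return expr


def combine_bpf(filters, op="or"):
    """Join sub-filters with 'and'/'or', parenthesising each one.

    BPF gives 'and' and 'or' equal precedence (left to right), so every
    sub-filter is grouped to keep its own meaning after the merge.
    """
    if op not in ("and", "or"):
        raise ValueError("op must be 'and' or 'or'")
    parts = [_check(f) for f in filters]
    if not parts:
        raise ValueError("no filters given")
    if len(parts) == 1:
        return parts[0]
    return f" {op} ".join(f"({p})" for p in parts)


# Constructed sample values (assumption: DHCP expressed as UDP ports 67/68).
ARP_FROM_HOST = "arp and ether host 01:02:03:04:05:06"
DHCP_PORTS = "udp port 67 or udp port 68"
CAPTURE_FILTER = combine_bpf([ARP_FROM_HOST, DHCP_PORTS])


def open_capture(interface="wlo2"):
    """Kernel-level BPF pre-selection, then a display filter for the rest."""
    import pyshark  # imported lazily so the helper works without pyshark
    return pyshark.LiveCapture(interface=interface,
                               bpf_filter=CAPTURE_FILTER,
                               display_filter="arp or dhcp")
```

Rejecting unbalanced parentheses matters when sub-filters come from configuration or user input, since a stray `)` would otherwise regroup the merged expression and widen or narrow what the capture records.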