Wireshark Filters – PPPoE, DHCP & VLAN ID

Using Filters

Wireshark comes standard with some very good filters. Filtering the displayed packets allows you to focus on relevant information located within the capture.

In this post, I’m going to show you how to filter for DHCP exchanges, PPPoE exchanges and VLANs.

Setting the Filter

Click on the filter field to enter the filter options manually, or press the Expression button to start the Wireshark filter expression box. When you are unfamiliar with which protocols you want to filter on, the Expression window allows you to choose each dissector and how the filter is applied (equals, contains, matches, less than, greater than).


Filtering on a VLAN tag is really quite simple using Wireshark’s built-in dissector.

In the filter field, type in:

vlan.id == <put your vlan id here>

Press return to start the filtering process. Wireshark will then go through each packet in the capture file and display only those packets that match the criteria.


Filtering for DHCP packets is also pretty easy in Wireshark.

In the filter field, type in:


Press return to start the filtering process.


PPPoE is a little trickier to decode, as the process has several steps, from PADI to IPCP negotiation.

In the filter field, type in:

pppoed or lcp or ipcp or pap or chap

Press return to start the filtering process.

This filter has several components that allow you to capture the entire PPPoE process from beginning to end.
The first part of the filter, pppoed, matches the PADI, PADO, PADR & PADS exchange. The next step in the process, lcp, negotiates the MTU size, magic number and authentication protocol.

After the lcp negotiation is complete, the user is authenticated via PAP or CHAP. If you have a username or password issue in the modem or BRAS, this is where you will see the negotiation fail.

Once the user is authenticated, we can finally start the IP address negotiation. The ipcp filter will show you the IP address negotiation.

Now that the user is up and authenticated, you will see LCP Echoes between the modem and BRAS. Settings in the modem and BRAS will determine the frequency and size of the echo messages.

Keep in mind that the LCP echo process uses a single-ended state machine. What this means is that each end of the link, the modem and the BRAS, keeps track of its LCP echoes independently of the other. Whenever either end loses enough consecutive echoes (configurable on the BRAS), it will tear the link down using a PADT. This is a major difference between DHCP leases and PPPoE sessions: either end can tear down the connection. Once a DHCP server issues a lease, that lease is bound until timeout or a DHCP release message is sent.
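As an added example (not part of the original post), this Python sketch classifies raw Ethernet frames into the same stages the filters above select: the 802.1Q VLAN ID, PPPoE discovery, LCP, PAP/CHAP, IPCP and LCP echoes. The function names and sample frames are constructed for illustration; the EtherTypes and code values are the standard PPPoE and PPP assignments.

```python
import struct

ETH_VLAN, ETH_DISC, ETH_SESS = 0x8100, 0x8863, 0x8864  # 802.1Q, PPPoE discovery/session
DISCOVERY = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
PPP_PROTO = {0xC021: "lcp", 0xC023: "pap", 0xC223: "chap", 0x8021: "ipcp"}
LCP_ECHO = {9: "lcp echo-request", 10: "lcp echo-reply"}

def classify(frame: bytes):
    """Return (vlan_id or None, stage label or None) for one raw Ethernet frame."""
    if len(frame) < 14:
        return None, None
    vlan_id, start = None, 14
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_VLAN:  # 4-byte tag: TPID, then TCI (low 12 bits = VLAN ID)
        if len(frame) < 18:
            return None, None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan_id, start = tci & 0x0FFF, 18
    payload = frame[start:]
    if ethertype not in (ETH_DISC, ETH_SESS) or len(payload) < 6:
        return vlan_id, None
    code = payload[1]  # PPPoE header: ver/type, code, session id, length
    if ethertype == ETH_DISC:
        return vlan_id, DISCOVERY.get(code)
    if len(payload) < 9:
        return vlan_id, None
    (proto,) = struct.unpack_from("!H", payload, 6)  # PPP protocol field
    label = PPP_PROTO.get(proto)
    if label == "lcp":  # split keepalive echoes from LCP negotiation
        label = LCP_ECHO.get(payload[8], label)
    return vlan_id, label

def build(ethertype, code, session_id=0, ppp=b"", vlan=None):
    """Build a constructed sample frame (illustrative data, not a real capture)."""
    macs = bytes.fromhex("ffffffffffff020000000001")
    tag = struct.pack("!HH", ETH_VLAN, vlan) if vlan is not None else b""
    pppoe = struct.pack("!BBHH", 0x11, code, session_id, len(ppp)) + ppp
    return macs + tag + struct.pack("!H", ethertype) + pppoe

SAMPLES = [  # constructed session: discovery, LCP, CHAP, IPCP, echo, teardown
    build(ETH_DISC, 0x09, vlan=100),
    build(ETH_SESS, 0x00, 0x11, bytes.fromhex("c02101010004"), vlan=100),
    build(ETH_SESS, 0x00, 0x11, bytes.fromhex("c22301010004"), vlan=100),
    build(ETH_SESS, 0x00, 0x11, bytes.fromhex("802101010004"), vlan=100),
    build(ETH_SESS, 0x00, 0x11, bytes.fromhex("c0210901000800000000"), vlan=100),
    build(ETH_DISC, 0xA7, 0x11, vlan=100),
]

print([classify(f) for f in SAMPLES])
```

Because PADT travels in a discovery frame, it is labelled alongside PADI through PADS, which is why the teardown shows up under the pppoed part of the filter.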


About kwplat1

World renowned data networking professional affectionately known as The Tick

Posted on October 23, 2012, in Tools, Troubleshooting.

  1. We’re a bunch of volunteers and starting a new scheme in our community. Your site offered us with useful information to work on. You’ve performed a formidable activity and our entire community can be thankful to you.
