Yes, it's possible - that's what "capture filters" are for; see the Wireshark User's Guide (look for "capture filters" in several places).

The syntax for capture filters is defined in the pcap-filter man page.

The filters to test for a single IP address are simple:

  • If you only want to capture packets from a given IP address, such as 192.16.135.134, and aren't interested in packets to that address, the filter would be src host 192.16.135.134 or just src 192.16.135.134.
  • If you only want to capture packets to a given IP address, such as 192.16.135.134, and aren't interested in packets from that address, the filter would be dst host 192.16.135.134 or just dst 192.16.135.134.
  • If you want to capture packets from or to a given IP address, such as 192.16.135.134, the filter would be host 192.16.135.134.

(Remember, if you want to capture all traffic involving that one IP address, capturing packets from that address won't work - that won't show traffic to that address.)
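
An added illustration (not part of the original answer, and not libpcap's own code): a small Python model of the three filter forms above, applied to constructed IPv4 headers, showing which packets each form keeps. It handles only the `[src|dst] [host] ADDR` forms for IPv4; the peer addresses 10.0.0.5 and 10.0.0.9 are made-up sample values.

```python
import ipaddress
import struct

def ipv4_header(src, dst):
    """Build a minimal 20-byte IPv4 header (constructed sample, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def addresses(header):
    """Read source (bytes 12-15) and destination (bytes 16-19) from the header."""
    src, dst = struct.unpack_from("!4s4s", header, 12)
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

def parse_filter(expr):
    """Parse '[src|dst] [host] ADDR' into (direction, address)."""
    tokens = expr.split()
    direction = "either"
    if tokens and tokens[0] in ("src", "dst"):
        direction = tokens.pop(0)
    if tokens and tokens[0] == "host":
        tokens.pop(0)
    if len(tokens) != 1:
        raise ValueError(f"unsupported filter: {expr!r}")
    return direction, ipaddress.IPv4Address(tokens[0])

def matches(expr, header):
    """Return True if the header would pass the given filter expression."""
    direction, addr = parse_filter(expr)
    src, dst = addresses(header)
    if direction == "src":
        return src == addr
    if direction == "dst":
        return dst == addr
    return addr in (src, dst)

def count(expr, packets):
    return sum(matches(expr, p) for p in packets)

# Constructed sample traffic: two packets from the host, one to it, one unrelated.
PACKETS = [
    ipv4_header("192.16.135.134", "10.0.0.5"),
    ipv4_header("10.0.0.5", "192.16.135.134"),
    ipv4_header("10.0.0.5", "10.0.0.9"),
    ipv4_header("192.16.135.134", "10.0.0.9"),
]

if __name__ == "__main__":
    for expr in ("src host 192.16.135.134", "dst 192.16.135.134", "host 192.16.135.134"):
        print(f"{expr!r}: {count(expr, PACKETS)} of {len(PACKETS)} packets kept")
```

With the `src` form, the packet sent to 192.16.135.134 is dropped at capture time and cannot be recovered later, which is the point of the reminder above.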