How to filter by IP address in Wireshark?
Filtering IP Address in Wireshark:
(1) Single IP filtering:
ip.addr==X.X.X.X
ip.src==X.X.X.X
ip.dst==X.X.X.X
(2) Multiple IP filtering based on logical conditions:
OR condition:
(ip.src==192.168.2.25)||(ip.dst==192.168.2.25)
AND condition:
(ip.src==192.168.2.25) && (ip.dst==74.125.236.16)
If you only care about that particular machine's traffic, use a capture filter instead, which you can set under Capture -> Options.
host 192.168.1.101
Wireshark will only capture packets sent to or received by 192.168.1.101. This has the benefit of requiring less processing, which lowers the chances of important packets being dropped (missed).
You can also limit the filter to only part of the IP address.
E.g., to filter 123.*.*.* you can use ip.addr == 123.0.0.0/8. Similar effects can be achieved with /16 and /24.
See the Wireshark man pages (filters) and look for Classless InterDomain Routing (CIDR) notation.
... the number after the slash represents the number of bits used to represent the network.
Match destination: ip.dst == x.x.x.x
Match source: ip.src == x.x.x.x
Match either: ip.addr == x.x.x.x
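To see which packets the ip.src / ip.dst / ip.addr filters and the /8, /16, /24 prefixes above select, here is an added example (not from any of the answers and not Wireshark's own code) that evaluates the same comparisons over constructed packets. The helper names in_prefix, matches and select and the sample address pairs are assumptions made for illustration.

```python
import ipaddress

def in_prefix(addr: str, cidr: str) -> bool:
    """True if addr falls inside cidr; a bare address is treated as /32."""
    net_text, _, bits_text = cidr.partition("/")
    bits = int(bits_text) if bits_text else 32
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {bits}")
    # The number after the slash is how many leading bits must be equal.
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net_text))
    # Both sides are masked, so host bits in the filter value are ignored
    # (a choice made in this sketch).
    return (a & mask) == (n & mask)

def matches(field: str, cidr: str, src: str, dst: str) -> bool:
    """Evaluate '<field> == <cidr>' for one packet's source and destination."""
    if field == "ip.src":
        return in_prefix(src, cidr)
    if field == "ip.dst":
        return in_prefix(dst, cidr)
    if field == "ip.addr":  # matches if either direction matches
        return in_prefix(src, cidr) or in_prefix(dst, cidr)
    raise ValueError(f"unsupported field: {field}")

# Constructed sample packets as (source, destination) pairs.
PACKETS = [
    ("192.168.2.25", "74.125.236.16"),
    ("74.125.236.16", "192.168.2.25"),
    ("123.45.67.89", "192.168.2.25"),
    ("192.168.1.101", "123.45.0.1"),
    ("10.0.0.5", "10.0.0.9"),
]

def select(field: str, cidr: str):
    """Return the sample packets that the filter would display."""
    return [p for p in PACKETS if matches(field, cidr, *p)]

if __name__ == "__main__":
    for field, cidr in [("ip.addr", "123.0.0.0/8"), ("ip.addr", "123.45.67.0/24"),
                        ("ip.src", "192.168.2.25"), ("ip.dst", "192.168.2.25"),
                        ("ip.addr", "192.168.2.25")]:
        print(f"{field} == {cidr}: {select(field, cidr)}")
```

The last filter in the loop, ip.addr == 192.168.2.25, selects the same packets as the OR condition (ip.src==192.168.2.25)||(ip.dst==192.168.2.25).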