How to filter by IP address in Wireshark?

Wireshark

Wireshark Problem Overview


I tried dst==192.168.1.101 but only get:

Neither "dst" nor "192.168.1.101" are field or protocol names.

The following display filter isn't a valid display filter:
dst==192.168.1.101

Wireshark Solutions


Solution 1 - Wireshark

Match destination: ip.dst == x.x.x.x

Match source: ip.src == x.x.x.x

Match either: ip.addr == x.x.x.x

Solution 2 - Wireshark

Filtering IP Address in Wireshark:

(1) Single IP filtering:

ip.addr==X.X.X.X

ip.src==X.X.X.X

ip.dst==X.X.X.X

(2) Multiple IP filtering based on logical conditions:

OR condition:

(ip.src==192.168.2.25)||(ip.dst==192.168.2.25)

AND condition:

(ip.src==192.168.2.25) && (ip.dst==74.125.236.16)

Solution 3 - Wireshark

You can also limit the filter to only part of the IP address.

E.g., to filter 123.*.*.* you can use ip.addr == 123.0.0.0/8. Similar effects can be achieved with /16 and /24.

See the Wireshark man pages (filters) and look for Classless Inter-Domain Routing (CIDR) notation.

> ... the number after the slash represents the number of bits used to represent the network.

Solution 4 - Wireshark

If you only care about that particular machine's traffic, use a capture filter instead, which you can set under Capture -> Options.

host 192.168.1.101

Wireshark will only capture packets sent to or received by 192.168.1.101. This has the benefit of requiring less processing, which lowers the chances of important packets being dropped (missed).

Solution 5 - Wireshark

Try

ip.dst == 172.16.3.255

Solution 6 - Wireshark

Actually, for some reason Wireshark uses two different kinds of filter syntax, one for display filters and the other for capture filters. A display filter is only useful to find certain traffic for display purposes. It's like you are interested in all traffic but for now you just want to see something specific.

But if you are interested only in certain traffic and do not care about the rest at all, then you use a capture filter.

The syntax for display filters is (as mentioned earlier)

ip.addr == x.x.x.x or ip.src == x.x.x.x or ip.dst == x.x.x.x

But the above syntax won't work in capture filters; the following are the filters

host x.x.x.x

See more examples on the Wireshark wiki page.

Solution 7 - Wireshark

In our use we have to capture with host x.x.x.x or (vlan and host x.x.x.x)

Anything less will not capture? I am not sure why, but that is the way it works!

Solution 8 - Wireshark

Other answers already cover how to filter by an address, but if you would like to exclude an address use

!(ip.addr == 192.168.0.11)
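Added example (not part of the original answers): Solutions 4 and 6 note that capture filters use a different syntax from display filters. This Python helper rewrites the IPv4 address display filters shown on this page into the closest capture-filter form; the function names are hypothetical and only `==` comparisons on `ip.addr`, `ip.src` and `ip.dst` are handled.

```python
import ipaddress
import re

# Display-filter field -> capture-filter direction qualifier.
DIRECTION = {"ip.addr": "", "ip.src": "src ", "ip.dst": "dst "}

# One comparison such as "ip.src == 192.168.2.25" or "ip.addr==123.0.0.0/8".
COMPARISON = re.compile(r"([A-Za-z_][\w.]*)\s*==\s*([0-9./]+)")


def _translate(match):
    field, value = match.group(1), match.group(2)
    if field not in DIRECTION:
        # The question's "dst==192.168.1.101" ends up here: "dst" is not a field name.
        raise ValueError(f"{field!r} is not ip.addr, ip.src or ip.dst")
    # strict=False clears host bits, because a capture filter rejects
    # "net 123.4.5.6/8" while the display filter accepts the same value.
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen == 32:
        return f"{DIRECTION[field]}host {net.network_address}"
    return f"{DIRECTION[field]}net {net}"


def display_to_capture(display_filter):
    """Rewrite address comparisons; &&, || and parentheses are kept as they are.

    Without a protocol qualifier, capture-filter "host"/"net" also match ARP
    packets, so the result is the closest equivalent, not an exact one.
    """
    result, count = COMPARISON.subn(_translate, display_filter)
    if count == 0:
        raise ValueError("no 'field == address' comparison found")
    return result


if __name__ == "__main__":
    # Constructed inputs taken from the filters quoted in the answers above.
    for f in ("ip.addr == 192.168.1.101",
              "(ip.src==192.168.2.25) && (ip.dst==74.125.236.16)",
              "ip.addr == 123.0.0.0/8",
              "dst==192.168.1.101"):
        try:
            print(f"{f!r:55} -> {display_to_capture(f)!r}")
        except ValueError as exc:
            print(f"{f!r:55} -> rejected: {exc}")
```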

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

| Content Type | Original Author | Original Content on Stackoverflow |
|---|---|---|
| Question | Alan | View Question on Stackoverflow |
| Solution 1 - Wireshark | The Archetypal Paul | View Answer on Stackoverflow |
| Solution 2 - Wireshark | Rajeev Das | View Answer on Stackoverflow |
| Solution 3 - Wireshark | OldCurmudgeon | View Answer on Stackoverflow |
| Solution 4 - Wireshark | Dean | View Answer on Stackoverflow |
| Solution 5 - Wireshark | Kevin Tighe | View Answer on Stackoverflow |
| Solution 6 - Wireshark | Mubashar | View Answer on Stackoverflow |
| Solution 7 - Wireshark | Jerry | View Answer on Stackoverflow |
| Solution 8 - Wireshark | tw0z | View Answer on Stackoverflow |