This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to capture the information just for one IP ADDRESS? (T-SHARK)

0

Dears

I need to capture just the traffic from one ip address in a network (in/out)

I use this command in linux : tshark -i 3 -f "host x.x.x.x" -w test.pcap

I capture all the traffic when i used that command without the -f "host x.x.x.x"

Could you help me?

Thanks in advance.

BR

asked 16 May '13, 11:21

pdrorp's gravatar image

pdrorp
11113
accept rate: 0%

edited 16 May '13, 11:23

One Answer:

1

As tshark -i 3 -f "host x.x.x.x" -w test.pcap is indeed the right syntax under normal circumstances, I assume this command is not working for you. As you are saying that with the filter you do see all traffic (including traffic to/from host x.x.x.x), there must be some form of encapsulation in your traffic.

Most likely your packets are vlan tagged, could you try the filter "vlan and host x.x.x.x"? If this does not work, could you capture all packets and then look in Wireshark at all the layers before the IP layer and tell us which protocols are listed before IP?

answered 16 May '13, 11:34

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%