I would like to capture all traffic leaving and arriving to a specific on my network. Unfortunately the "host IP" command does not work both ways. Only when I initiate traffic, so I know I am missing a step. Can you help me out?

asked 28 May '14, 10:56 itteche

2 Answers:
If you are talking about a Capture filter, then the "host [ip address]" filter will capture all traffic to/from that specific address. If you are talking about a display filter, then the "ip.addr==[ip address]" filter will display all traffic to/from the specified IP address.

answered 28 May '14, 12:03 Rooster_50

Try "(vlan and ip host [ip address]) or (ip host [ip address])" without the quotes. If you're capturing two legs where one has a vlan tag, that will prevent it from matching that type of IP display filter. Having said that, the plain 'ip host [address]' filter should be valid for two-way traffic to that one IP. Are you certain that you are capturing traffic in a place where you should be able to see both directions? If so, is this pure IP traffic over Ethernet we're talking about here?

answered 28 May '14, 18:52 Quadratic, edited 28 May '14, 20:48

What do you mean by in the place it should be? (29 May '14, 05:09) itteche

@itteche Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information. (29 May '14, 05:32) grahamb ♦

What I mean is, when you are running Wireshark you need to make sure you are running it on a system that is receiving the traffic you want to capture. Where are you running Wireshark as it relates to the traffic you are capturing in your network? (29 May '14, 16:00) Quadratic

I've tried the host ip, did not work. I will try the next option to see if that works.
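
The VLAN point in Quadratic's answer, as an added example that is not part of the original thread: a simplified Python model of the fixed-offset checks a compiled `ip host` capture filter performs on Ethernet, run against two constructed frames. The addresses, VLAN ID and function names are assumptions made for the illustration.

```python
import socket
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100

def build_frame(src_ip, dst_ip, vlan_id=None):
    """Constructed Ethernet + IPv4 header (no payload), optionally 802.1Q tagged."""
    macs = bytes(12)  # placeholder destination and source MAC addresses
    tag = struct.pack("!HH", ETH_VLAN, vlan_id) if vlan_id is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def ip_host_match(frame, ip, l2_shift=0):
    """Model of `ip host <ip>`: EtherType at offset 12, IPv4 src at 26, dst at 30."""
    (ethertype,) = struct.unpack_from("!H", frame, 12 + l2_shift)
    if ethertype != ETH_IPV4:
        return False
    addr = socket.inet_aton(ip)
    src = frame[26 + l2_shift:30 + l2_shift]
    dst = frame[30 + l2_shift:34 + l2_shift]
    return addr in (src, dst)

def vlan_and_ip_host_match(frame, ip):
    """Model of `vlan and ip host <ip>`: require the tag, then shift offsets by 4."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return ethertype == ETH_VLAN and ip_host_match(frame, ip, l2_shift=4)

def combined_match(frame, ip):
    """Model of matching either the untagged or the tagged form."""
    return ip_host_match(frame, ip) or vlan_and_ip_host_match(frame, ip)

HOST = "192.0.2.10"  # constructed documentation address
FRAMES = {
    "outbound, untagged": build_frame(HOST, "198.51.100.7"),
    "inbound, VLAN 20": build_frame("198.51.100.7", HOST, vlan_id=20),
}

def results():
    """Per frame: (plain `ip host` matches, combined filter matches)."""
    return {name: (ip_host_match(f, HOST), combined_match(f, HOST))
            for name, f in FRAMES.items()}

if __name__ == "__main__":
    for name, (plain, combined) in results().items():
        print(f"{name:20} ip host: {plain!s:5}  with vlan alternative: {combined}")
```

The pcap-filter man page notes that the first `vlan` keyword in an expression shifts the decoding offsets for the remainder of that expression, so the untagged alternative is commonly written first, as in `ip host [ip address] or (vlan and ip host [ip address])`.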