This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Capturing all traffic from one IP

-1

I would like to capture all traffic leaving and arriving to a specific on my network. Unfortunately the "host IP" command does not work both ways. Only when I initiate traffic, so I know I am missing a step. Can you help me out?

asked 28 May '14, 10:56

itteche


2 Answers:

-1

If you are talking about a Capture filter, then the "host [ip address]" filter will capture all traffic to/from that specific address.

If you are talking about a display filter, then the "ip.addr==[ip address]" filter will display all traffic to/from the specified IP address.

answered 28 May '14, 12:03

Rooster_50

I've tried the host ip, did not work. I will try the next option to see if that works.

(29 May '14, 04:57) itteche

-1

Try "(vlan and ip host [ip address]) or (ip host [ip address])" without the quotes. If you're capturing two legs where one has a vlan tag, that will prevent it from matching that type of IP display filter.

Having said that, the plain 'ip host [address]' filter should be valid for two-way traffic to that one IP. Are you certain that you are capturing traffic in a place where you should be able to see both directions? If so, is this pure IP traffic over Ethernet we're talking about here?

answered 28 May '14, 18:52

Quadratic

edited 28 May '14, 20:48

What do you mean by in the place it should be?

(29 May '14, 05:09) itteche

@itteche

Your "answers" have been converted to comments as that's how this site works. Please read the FAQ for more information.

(29 May '14, 05:32) grahamb ♦

What I mean is, when you are running Wireshark you need to make sure you are running it on a system that is receiving the traffic you want to capture. Where are you running Wireshark as it relates to the traffic you are capturing in your network?

(29 May '14, 16:00) Quadratic
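
The VLAN-tag effect mentioned in Quadratic's answer, as an added example that is not part of the original thread and is not libpcap's code: a simplified Python model of the fixed byte offsets that an `ip host` capture filter tests on Ethernet, run over constructed frames. The addresses, MACs, VLAN ID and function names are assumptions made for the illustration.

```python
import socket
import struct

ETH_IPV4, ETH_VLAN = 0x0800, 0x8100
HOST, PEER = "192.0.2.10", "198.51.100.7"   # constructed documentation addresses

def frame(src, dst, vlan_id=None):
    """Constructed Ethernet II frame with a bare IPv4 header, optionally 802.1Q tagged."""
    macs = bytes.fromhex("020000000002" "020000000001")           # dst MAC, src MAC
    tag = struct.pack("!HH", ETH_VLAN, vlan_id) if vlan_id is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,  # checksum left 0
                     socket.inet_aton(src), socket.inet_aton(dst))
    return macs + tag + struct.pack("!H", ETH_IPV4) + ip

def ip_host(pkt, addr, shift=0):
    """Model of 'ip host addr': EtherType at 12 is IPv4, src at 26 or dst at 30."""
    if len(pkt) < 34 + shift:
        return False
    (etype,) = struct.unpack_from("!H", pkt, 12 + shift)
    want = socket.inet_aton(addr)
    src, dst = pkt[26 + shift:30 + shift], pkt[30 + shift:34 + shift]
    return etype == ETH_IPV4 and want in (src, dst)

def vlan_and_ip_host(pkt, addr):
    """Model of 'vlan and ip host addr': 802.1Q at 12, same test 4 bytes later."""
    if len(pkt) < 14:
        return False
    (etype,) = struct.unpack_from("!H", pkt, 12)
    return etype == ETH_VLAN and ip_host(pkt, addr, shift=4)

def either(pkt, addr):
    """Both alternatives, each evaluated independently."""
    return ip_host(pkt, addr) or vlan_and_ip_host(pkt, addr)

SAMPLES = {
    "untagged, from host": frame(HOST, PEER),
    "untagged, to host": frame(PEER, HOST),
    "vlan 20, to host": frame(PEER, HOST, vlan_id=20),
    "vlan 20, from host": frame(HOST, PEER, vlan_id=20),
    "untagged, unrelated": frame(PEER, "203.0.113.5"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:22} ip host={ip_host(pkt, HOST)!s:5} "
              f"with vlan alternative={either(pkt, HOST)}")
```

In libpcap itself, pcap-filter(7) notes that the first `vlan` keyword shifts the decoding offsets for the remainder of the expression, so the order of the two alternatives matters there; this model evaluates each alternative independently.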