This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

i don’t want to capture same IP packet 2 times

I only want to capture the same ip adress packet one time but I want to always capture from the same ip

how could i do this?

packets capturing

asked 11 Jun '16, 11:04

allou
6●1●1●2
accept rate: 0%

how could i do this?

I don't know. I don't understand your question at all. Can you try to rephrase? If English is not your native language, maybe post both: English and your native language and we can use google translate. Maybe that would be clearer?

(12 Jun '16, 05:52) Bob Jones

Or you may want to give an example (a sample capture or a list of source and destination IP address pairs) of what you capture and which of the captured packets you would like to exclude.

(12 Jun '16, 06:32) sindy

Ok for example I have an ip where I capture the trafic from and it's 192.168.84.132

I want to capture everything on the trafic BUT i don't to get the same ip 2 times. Would it be possible to group every trafic going/coming from an ip?

J'aimerai seulement être capable de regrouper le trafic d'un ip pour que ce qui découle sur wireshark soit plus clair. Je vois trop de trafic et ce n'est pas assez claire j'ai de la difficulté à trier les adresses ip entrantes et sortantes... merci.

(12 Jun '16, 12:40) allou

2 Answers:

Perhaps Wireshark is not the best tool for this. Another option that could work, more inline with what you are asking, could be

http://www.ntop.org/products/traffic-analysis/ntop/

This tracks flows of data between hosts, and might be more like what you need. Wireshark is like a surgeon's scalpel: very precise, but not the right tool every time. Other tools are better for aggregating and presenting data flows, but no tool is better at packet-level analysis (this is all a matter of opinion - others may have contrasting views).

Other technologies like this are sFlow and netflow. Here is a webpage with a bunch of Linux-based bandwidth tools that might present the data in a way you need:

http://dynacont.net/documentation/linux/network_monitoring/

answered 12 Jun '16, 15:18

Bob Jones
1.0k●2●5●15
accept rate: 21%

You cannot stop capturing packets to/from an IP address after the first packet to/from that address has been captured (or, more generically, Wireshark cannot actively modify the capture filter during capture).

But you can use Statistics -> Conversations to view aggregated data at different layers depending on which tab you choose. So if you choose IPv4 or IPv6 in particular, you'll get a list of all (IP address A, IP address B) pairs for which at least one packet (in either direction, A->B or B->A) is present in the capture, along with the number of packets and number of bytes in each direction. And you can use this view during a running capture, so you can see the conversation list grow in real time.

answered 12 Jun '16, 13:01

sindy
6.0k●4●8●51
accept rate: 24%