This is a static archive of our old Q&A Site. Please post any new questions and answers at

Filter Capturing


Hello i have some problems with filter capturing. is it possible to capture only one ip address for example, i want to capture ip or, how can i do with it ?

asked 26 Jul '17, 23:57

Samann's gravatar image

accept rate: 0%

One Answer:


Capture filter syntax differs from display filter syntax, so to capture only, you need to use host

However, there is no capture syntax for fqdn (like for many reasons:

  • translation of fqdn to IP address is done using DNS, and there is no feedback from the dissection of the DNS response to the capture filter, leaving aside that the DNS responses are locally cached

  • a single fqdn may translate to several IP addresses (for load sharing and reliability purposes)

  • several fqdns may be hosted on a single IP address so you cannot determine which flow belongs to which fqdn by just the IP address.

answered 27 Jul '17, 00:11

sindy's gravatar image

accept rate: 24%