How to Filter by IP in Wireshark

The ability to filter capture data in Wireshark is important. Unless you’re using a capture filter, Wireshark records all traffic on the interface you selected when you started the capture. On a busy network that quickly amounts to more data than you can sort through by hand.

Fortunately, filters are part of the core functionality of Wireshark and the filter options are numerous. One of the most common, and important, filters to use and know is the IP address filter.

With Wireshark we can filter by IP in several ways. We can filter to show only packets to a specific destination IP, from a specific source IP, and even to and from an entire subnet. It’s also possible to filter out packets to and from IPs and subnets.

Beyond that, you can use IP filters as both capture filters (only capture packets based on the filter) and display filters (filter the display of captured packets).


Filtering Specific IP in Wireshark

Use the following display filter to show all packets that contain the specific IP in either or both the source and destination columns:

ip.addr == 192.168.2.11

Screenshot of Wireshark showing use of a display filter to filter by IP address in either source or destination.

This expression translates to “pass all traffic with a source IPv4 address of 192.168.2.11 or a destination IPv4 address of 192.168.2.11.”

As you can see, the packets displayed in the Packet List Pane all contain 192.168.2.11 in either the source or the destination column.

One caveat worth knowing: ip.addr (and likewise ip.src and ip.dst) matches every IPv4 header Wireshark dissects in a frame, not just the outermost one. An ICMP error message that quotes the original datagram, or a tunnelled packet, will match this filter if 192.168.2.11 appears in the embedded header even though the source and destination columns show other addresses.

We can also do the inverse of this and filter out the specific IP.

Filtering Out (Excluding) Specific IP in Wireshark

Use the following display filter to show all packets that do not contain the specific IP in either the source or destination columns:

!(ip.addr == 192.168.2.11)

This expression translates to “pass all traffic except for traffic with a source IPv4 address of 192.168.2.11 or a destination IPv4 address of 192.168.2.11.”

Screenshot of Wireshark showing use of a display filter to filter by excluded IP address.

Note the “!” in the filter expression. You might remember it from programming languages such as C, where it means logical NOT; Wireshark also accepts the keyword not, so not (ip.addr == 192.168.2.11) is the same filter. Do not write ip.addr != 192.168.2.11 instead: in older Wireshark releases (before 3.6) that meant “any ip.addr field differs from 192.168.2.11”, and since every packet carries two address fields it passed almost everything. Wrapping the comparison in !( ) gives the intended result in every version.

As you can see we now see only the packets in the Packet List Pane that do not include 192.168.2.11.

But what if we wanted to see only packets that originated from a specific source IP?

Filtering Specific Source IP in Wireshark

Use the following display filter to show all packets that contain the specified IP in the source column:

ip.src == 192.168.2.11

This expression translates to “pass all traffic with a source IPv4 address of 192.168.2.11.”

Note the src in the expression which replaced the addr from the first expression I showed you.

Screenshot of Wireshark showing use of a display filter to filter by IP address in source column.

You’ll now see that the Packet List Pane is only showing packets that have 192.168.2.11 in the source column.

Filtering out (excluding) a specific source IP is very similar.

Filtering Out (Excluding) Specific Source IP in Wireshark

Use the following filter to show all packets that do not contain the specified IP in the source column:

!(ip.src == 192.168.2.11)

This expression translates to “pass all traffic except for traffic with a source IPv4 address of 192.168.2.11.”

Screenshot of Wireshark showing use of a display filter to filter by IP address exclusion in source column.

You’ll notice there are no longer any packets in the Packet List Pane that contain 192.168.2.11 in the source column.

Filtering Specific Destination IP in Wireshark

Use the following display filter to show all packets that contain the specified IP in the destination column:

ip.dst == 192.168.2.11

Note the dst in the expression which has replaced the src from the previous filter example.

This expression translates to “pass all traffic with a destination IPv4 address of 192.168.2.11.”

Screenshot of Wireshark showing use of a display filter to filter by IP address in destination column.

As you can see, we now only see packets in the Packet List Pane that contain 192.168.2.11 in the destination column.

Filtering Out (Excluding) Specific Destination IP in Wireshark

Use the following display filter to show all packets that do not contain the specified IP in the destination column:

!(ip.dst == 192.168.2.11)

This expression translates to “pass all traffic except for traffic with a destination IPv4 address of 192.168.2.11.”

Screenshot of Wireshark showing use of a display filter to filter by IP address exclusion in destination column.

As expected, the only packets now listed in the Packet List Pane are the ones that do not have 192.168.2.11 in the destination column.
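The six host filters above all reduce to one rule: a comparison is true if any occurrence of the field in the packet matches, and !( ) negates the whole comparison. The following Python model is an added example (not part of the original article and not Wireshark code) that applies that rule to a handful of constructed packets, including an ICMP error that quotes a datagram addressed to 192.168.2.11, and contrasts !(ip.addr == host) with the pre-3.6 reading of ip.addr != host. The Packet class, the packet contents and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample packets: only the IPv4 header fields a display filter reads.
# Wireshark exposes every IPv4 header it dissects in a frame, so an ICMP error
# that quotes the offending datagram contributes a second ip.src/ip.dst pair.
@dataclass(frozen=True)
class Packet:
    no: int
    ip_src: str
    ip_dst: str
    quoted: Optional[Tuple[str, str]] = None  # (src, dst) of an embedded IPv4 header


Predicate = Callable[[Packet], bool]


def field_values(pkt: Packet, name: str) -> List[str]:
    """Every occurrence of a display-filter field in the packet, outer header first."""
    headers = [(pkt.ip_src, pkt.ip_dst)]
    if pkt.quoted is not None:
        headers.append(pkt.quoted)
    if name == "ip.src":
        return [src for src, _ in headers]
    if name == "ip.dst":
        return [dst for _, dst in headers]
    if name == "ip.addr":  # ip.addr stands for "ip.src or ip.dst"
        return [addr for header in headers for addr in header]
    raise ValueError(f"unknown field {name}")


def eq(name: str, value: str) -> Predicate:
    """`name == value`: true when ANY occurrence of the field equals value."""
    return lambda pkt: any(v == value for v in field_values(pkt, name))


def not_(pred: Predicate) -> Predicate:
    """`!(expr)` / `not (expr)`: negation of the whole comparison."""
    return lambda pkt: not pred(pkt)


def legacy_ne(name: str, value: str) -> Predicate:
    """`name != value` as pre-3.6 Wireshark read it: ANY occurrence differs."""
    return lambda pkt: any(v != value for v in field_values(pkt, name))


def run(packets: List[Packet], pred: Predicate) -> List[int]:
    """Packet numbers that would remain in the Packet List Pane."""
    return [pkt.no for pkt in packets if pred(pkt)]


HOST = "192.168.2.11"

# Constructed capture: two TCP segments to/from HOST, an unrelated DNS query, and
# an ICMP error from a router (192.168.2.1) that quotes a datagram sent to HOST.
PACKETS = [
    Packet(1, "192.168.2.11", "192.168.2.20"),
    Packet(2, "192.168.2.20", "192.168.2.11"),
    Packet(3, "10.0.0.5", "8.8.8.8"),
    Packet(4, "192.168.2.1", "10.0.0.5", quoted=("10.0.0.5", "192.168.2.11")),
]

FILTERS = [
    ("ip.addr == HOST", eq("ip.addr", HOST)),
    ("!(ip.addr == HOST)", not_(eq("ip.addr", HOST))),
    ("ip.addr != HOST (pre-3.6)", legacy_ne("ip.addr", HOST)),
    ("ip.src == HOST", eq("ip.src", HOST)),
    ("!(ip.src == HOST)", not_(eq("ip.src", HOST))),
    ("ip.dst == HOST", eq("ip.dst", HOST)),
    ("!(ip.dst == HOST)", not_(eq("ip.dst", HOST))),
]

if __name__ == "__main__":
    for label, pred in FILTERS:
        print(f"{label:28} -> packets {run(PACKETS, pred)}")
```

Running it shows packet 4 surviving ip.addr == HOST purely because of the quoted header, and the legacy != form keeping all four packets, which is why the article’s !( ) form is the one to use.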

Now that we have a firm grasp of filtering on specific IP addresses in Wireshark, how then do we filter for an entire subnet?

Well that’s pretty simple and you’ve probably already guessed it by now.

Filter Specific IP Subnet in Wireshark

Use the following display filter to show all packets that contain an IP address within a specific subnet:

ip.addr == 192.168.2.0/23

This expression translates to “pass all traffic with a source IPv4 address within the 192.168.2.0/23 subnet or a destination IPv4 address within the 192.168.2.0/23 subnet.”

Screenshot of Wireshark showing use of a display filter to filter by IP subnet in CIDR format in both the source and destination columns.

Now we’re left with all packets containing an address from 192.168.2.0 through 192.168.3.255 in either the source or destination column. The match is a plain prefix comparison, so the network address (192.168.2.0) and the broadcast address (192.168.3.255) are included too.

Note that this expression uses CIDR notation. For help check out our handy CIDR notation cheat sheet.

At this point I don’t feel the need to show how to filter for a subnet in the source or destination column only, or how to exclude a whole subnet. If you’ve followed along this far you already know how: take the ip.src, ip.dst and !( ) examples above and substitute the subnet in CIDR notation for the single IP address.

How to Filter by IP in Wireshark Using a Capture Filter

Up to this point we’ve only been talking about Display Filters, which are applied after the packets have been captured.

I’d like to take a moment to talk about Capture Filters as well. Capture filters are set before you start a packet capture so that Wireshark only records packets matching specific parameters. They are written in a different language from display filters: the pcap-filter (BPF) syntax shared with tcpdump, which is why the expressions below look nothing like the ip.addr examples above. The same split applies on the command line, where tshark takes a capture filter with -f and a display filter with -Y.

Capture Filter vs Display Filter

When possible, I always recommend using a Display Filter. This way you have all the data and you can slice and dice it however you want to find what you’re looking for. When you use a Capture Filter you only get part of the data, and hopefully it’s the part you want, because you cannot change the Capture Filter during the capture, and changing it afterwards cannot bring back packets that were never written to the file. In an investigation the packets you excluded (the DNS lookup, the ARP reply, the second host in the conversation) are often exactly the ones you wish you had.

Capture Filters may be prudent when you’re working with a lot of data transmission, such as when you’re watching a SPAN port on a heavily used network and you don’t want to save a giant capture file. Because the filter is compiled to BPF and applied by libpcap/Npcap before the packets reach Wireshark, it also reduces dropped packets on a link that Wireshark could not otherwise keep up with.

Capture Filters are entered into the Capture Filter field on the start screen before you pick your interface.

Screenshot showing the capture filter field on the Wireshark start screen.

Capture Filter for Specific IP in Wireshark

Use the following capture filter to capture only the packets that contain a specific IP in either the source or the destination:

host 192.168.2.11

Note that a bare host expression also matches ARP and RARP packets that carry 192.168.2.11, not only IPv4 traffic. Use ip host 192.168.2.11 if you want IPv4 packets alone.

Capture Filter for Specific Source IP in Wireshark

Use the following capture filter to capture only the packets originating from a specific host:

src host 192.168.2.11

Capture Filter for Specific Destination IP in Wireshark

Use the following capture filter to capture only the packets destined to a specific host:

dst host 192.168.2.11

Capture Filter for Specific Subnet

This one is a little unique in that you can specify the filter using either CIDR notation or the mask.

Use the following Capture Filters to capture only the packets that contain a specific subnet in the source or destination:

net 192.168.2.0/23

Or

net 192.168.2.0 mask 255.255.254.0

You can prepend src or dst to this filter (src net 192.168.2.0/23, dst net 192.168.2.0/23) to limit the capture to packets whose source or destination address, respectively, lies within the specified subnet.
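Both the display filter ip.addr == 192.168.2.0/23 and the capture filters net 192.168.2.0/23 and net 192.168.2.0 mask 255.255.254.0 describe the same address block, and a wrong mask or a subnet with host bits set is an easy mistake to make in either language. This Python example is an addition to the article (not Wireshark or libpcap code) that parses both spellings with the standard ipaddress module, prints the exact address range a filter will match, generates the equivalent display and capture filter text, and applies the subnet match to a few constructed packets. The packet list and the function names are assumptions for the illustration.

```python
import ipaddress
from typing import List, Tuple

IPv4Net = ipaddress.IPv4Network


def parse_subnet(text: str) -> IPv4Net:
    """Parse a subnet written either in CIDR form ("192.168.2.0/23"), which both
    filter languages accept, or in the capture-filter mask form
    ("192.168.2.0 mask 255.255.254.0"). Host bits must be zero (strict=True), so
    a typo such as 192.168.3.0/23 is rejected rather than silently widened."""
    if " mask " in text:
        addr, mask = (part.strip() for part in text.split(" mask ", 1))
        return ipaddress.IPv4Network((addr, mask), strict=True)
    return ipaddress.IPv4Network(text.strip(), strict=True)


def address_range(net: IPv4Net) -> Tuple[str, str]:
    """First and last address the filter matches (network and broadcast included)."""
    return str(net.network_address), str(net.broadcast_address)


def display_filter(net: IPv4Net, field: str = "addr") -> str:
    """Wireshark display-filter text for the block: ip.addr / ip.src / ip.dst."""
    return f"ip.{field} == {net.with_prefixlen}"


def capture_filter_forms(net: IPv4Net, direction: str = "") -> Tuple[str, str]:
    """The two equivalent pcap-filter spellings; direction is "", "src" or "dst"."""
    prefix = f"{direction} " if direction else ""
    return (
        f"{prefix}net {net.network_address}/{net.prefixlen}",
        f"{prefix}net {net.network_address} mask {net.netmask}",
    )


def match(packets: List[Tuple[int, str, str]], net: IPv4Net, field: str = "addr") -> List[int]:
    """Packet numbers whose source/destination (or either) falls inside net."""
    hits = []
    for no, src, dst in packets:
        in_src = ipaddress.IPv4Address(src) in net
        in_dst = ipaddress.IPv4Address(dst) in net
        if {"addr": in_src or in_dst, "src": in_src, "dst": in_dst}[field]:
            hits.append(no)
    return hits


# Constructed packets: (number, source, destination).
PACKETS = [
    (1, "192.168.2.11", "8.8.8.8"),
    (2, "8.8.8.8", "192.168.3.254"),
    (3, "192.168.3.255", "192.168.2.1"),   # broadcast address of the /23 still counts
    (4, "192.168.4.1", "192.168.1.9"),     # both addresses just outside the block
    (5, "10.0.0.5", "192.168.2.0"),        # so does the network address
]

if __name__ == "__main__":
    net = parse_subnet("192.168.2.0/23")
    assert net == parse_subnet("192.168.2.0 mask 255.255.254.0")
    print("range:", address_range(net))
    for field in ("addr", "src", "dst"):
        print(display_filter(net, field), "->", match(PACKETS, net, field))
    for form in capture_filter_forms(net, "src"):
        print(form)
```

Changing the block to 192.168.2.0/24 drops packet 2 and the source half of packet 3 from the results, which is a quick way to sanity-check a mask before committing to it in a capture filter that cannot be changed mid-capture.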
