How to Filter by IP Address in Wireshark
Network admins encounter a wide range of network issues while doing their work. Whenever there is a suspicious action or a need to evaluate a particular network segment, protocol analyst tools such as Wireshark can come in handy. One particularly useful feature is filtering network packets by IP addresses.
If you’re a first-time user, you may find it a bit challenging to configure the steps for doing so on your own. Fortunately, we’ve assembled this ultimate guide on how to filter by IP in Wireshark. You’ll walk away knowing the difference between its two filtering languages, learning new filter strings, and much more.
The best thing is that you’ll only need assistance in performing these steps the first time. Each following performance will be a piece of cake!
What Is Wireshark?
Wireshark is a network packet analyzer that has dominated its field for quite a while now, to the point of displacing many similar tools, including Microsoft Network Monitor. The two main features that made Wireshark famous are its flexibility and ease of use.
Network packet analyzers are tools that capture and analyze data traffic in as much detail as possible in specific communication channels. They serve as ultimate diagnostic tools for embedded systems.
Wireshark comes with the top-notch ability to filter packets during capture and upon analysis with different complexity levels. This makes it equally convenient for first-timers as well as for network monitoring professionals. Wireshark also ingests and analyzes traffic from various other protocol analyzers, making it straightforward to review past traffic at specific points.
Before Wireshark, network tracking tools used to be very expensive or proprietary. That all changed with the advent of this app. The software is open-source and supports all major platforms. This brought Wireshark lots of community support, removing the cost as a barrier and making room for a wide range of training opportunities.
Here’s why people may want to use Wireshark:
- Troubleshooting network problems
- Examining security problems
- Examining network applications
- Debugging protocol implementations
- Learning about network protocol internals
Wireshark is free to download. In case you still haven’t, you can do so here. Just download the executable and click on the file to install it.
The Wireshark User Interface
After downloading and installing Wireshark, you can launch it from your shell or window manager. One of the first things you have to do is choose a network interface from the list of network adapters on your computer.
You can click on Capture, then Interfaces from the menu, and choose the appropriate option.
The main window in the Wireshark interface consists of several parts:
- Menu – used to start actions
- Main toolbar – quick access to items you often use from the menu
- Filter toolbar – you can set display filters here
- Packet list pane – captured packet summaries
- Details pane – more information about the packet selected in the packet list pane
- Bytes pane – data from the packet list pane packet, highlighting the chosen field in that pane
- Statusbar – captured data and ongoing program state information
You can control the packet lists and navigate through details entirely with your keyboard. There’s a table showing common keyboard shortcut commands here.
How to Add Filters in Wireshark?
The Filter toolbar is where you can customize and run new display filters.
To create and edit capture filters, go to Manage Capture Filters from the bookmark menu or navigate to Capture, then Capture Filters from the main menu.
To create and edit display filters, select Manage Display Filters from the bookmark menu or go to the main menu and select Analyze, then Display Filters.
You’ll see a filter input section with a green background. This is the area where you enter and edit display filter strings. This is also where you can see the currently applied filter. Simply click on the filter name or double-click the string to edit it.
As you type, Wireshark checks the syntax of the filter string. If you enter an invalid one, the background turns from green to red. Always hit the Apply button or the Enter key to apply the filter string.
You can add a new filter by clicking on the Add button, which is a black plus sign on a light-gray background. Another way to add a new filter is to right-click on the filter button area. To remove a filter, click on the minus button. The minus button will be grayed out if there’s no filter selected.
How to Filter by IP Address in Wireshark?
An excellent feature of Wireshark is that it lets you filter packets by IP addresses. Just follow the steps below for instructions on how to do so:
- Start by clicking on the plus button to add a new display filter.
- Enter the following expression in the Filter box: ip.addr==[IP address] and hit Enter.
- Notice that the Packet List pane now only shows the traffic that goes to (destination) and from (source) the IP address you entered.
- To clear the filter, click on the Clear button in the Filter toolbar.
You can restrict the packet view to packets sent from a particular source IP address. Just enter the following expression in the filter box and hit Enter:
ip.src == [IP address]
You can apply a destination filter to restrict the packet view to packets sent to a specific destination IP address. The expression is as follows:
ip.dst == [IP address]
Capture Filter vs. Display Filter
Wireshark supports two filtering languages: capture filters and display filters. The former is used for filtering while capturing packets. The latter filters displayed packets. With display filters, you can focus on packets you’re interested in and hide those not currently important. You can display packets based on several factors:
- Field presence
- Field values
- Field comparison
Display filters use a boolean operator syntax and fields that describe the packets you’re filtering. Once you have created a few display filters, writing new ones becomes easy. Capture filters are a bit less intuitive since their syntax is more cryptic.
Here’s an overview of each filter’s features and uses:
Capture filters:
- They are set before starting to capture traffic
- Impossible to change during traffic capturing
- Used for specific traffic type capturing
Display filters:
- They reduce the packets that are showing in Wireshark
- Can be customized during traffic capturing
- Used to hide traffic to assess specific traffic types
For more information on filtering while capturing, visit this page.
How Do I Filter Wireshark by URL?
You can search for a given HTTP URL in a capture in Wireshark by using the following filter string:
http contains "[URL]"
Note that you can’t use the contains operator on atomic fields (numbers, IP addresses).
How Do I Filter Wireshark by Port Number?
You can use the following expression to filter Wireshark by port number (field names are case-sensitive and lowercase):
tcp.port eq [port number]
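The filter strings from the IP-address section above, together with the port and URL filters in this section, are exercised below in an added example that is not part of this article and is not Wireshark code: a small Python evaluator for just that subset of the display-filter syntax, run over constructed sample packets (the addresses, ports and HTTP request line are made up). It shows the point the article's steps rely on: `ip.addr` and `tcp.port` match either end of a conversation, while `ip.src` and `ip.dst` match only one; a host is excluded with `!(ip.addr == …)`; and `contains` is rejected on atomic fields.

```python
"""Added example (not from the article or the Wireshark project): a tiny
evaluator for the subset of Wireshark display-filter syntax the article
uses, run over constructed packets to show what each filter string keeps.

Assumption (labelled): packets are plain dicts with the fields ip.src,
ip.dst, tcp.srcport, tcp.dstport and an optional http field holding the
request or status line; the supported grammar is the article's forms only.
"""
import re

# Constructed sample capture of three packets. Not real traffic.
PACKETS = [
    {"ip.src": "10.0.0.5", "ip.dst": "93.184.216.34",
     "tcp.srcport": 51000, "tcp.dstport": 80,
     "http": "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"},
    {"ip.src": "93.184.216.34", "ip.dst": "10.0.0.5",
     "tcp.srcport": 80, "tcp.dstport": 51000,
     "http": "HTTP/1.1 200 OK\r\n"},
    {"ip.src": "10.0.0.7", "ip.dst": "10.0.0.1",
     "tcp.srcport": 40000, "tcp.dstport": 443},
]

# Fields that occur twice in a packet (one per direction): a comparison
# matches if EITHER occurrence satisfies it. This is why ip.addr == X
# shows traffic both to and from X.
COMBINED = {"ip.addr": ("ip.src", "ip.dst"),
            "tcp.port": ("tcp.srcport", "tcp.dstport")}

# Atomic fields on which 'contains' is not allowed (numbers, addresses).
ATOMIC = {"ip.src", "ip.dst", "ip.addr",
          "tcp.srcport", "tcp.dstport", "tcp.port"}

# field <op> value, with optional quotes around the value.
COMPARISON = re.compile(
    r'^(?P<field>[a-z.]+)\s*(?P<op>==|eq|contains)\s*"?(?P<value>[^"]+?)"?$')


def field_values(pkt, name):
    """Return every occurrence of a field in a packet (0, 1 or 2 values)."""
    return [pkt[n] for n in COMBINED.get(name, (name,)) if n in pkt]


def matches(pkt, filter_str):
    """Evaluate one display filter of the article's forms against a packet."""
    expr = filter_str.strip()
    negate = False
    # Exclusion is written as negation of the match: !(ip.addr == X)
    if expr.startswith("!(") and expr.endswith(")"):
        negate, expr = True, expr[2:-1].strip()
    m = COMPARISON.match(expr)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str!r}")
    field, op, value = m.group("field", "op", "value")
    if op == "contains" and field in ATOMIC:
        raise ValueError(f"'contains' is not allowed on atomic field {field}")
    present = field_values(pkt, field)
    if op in ("==", "eq"):
        result = any(str(v) == value for v in present)
    else:  # contains: substring test on a string field such as http
        result = any(value in str(v) for v in present)
    return (not result) if negate else result


def apply_filter(packets, filter_str):
    """Return the indexes of packets the filter keeps, like the Packet List pane."""
    return [i for i, p in enumerate(packets) if matches(p, filter_str)]


if __name__ == "__main__":
    for f in ("ip.addr == 10.0.0.5", "ip.src == 10.0.0.5", "ip.dst == 10.0.0.5",
              "!(ip.addr == 10.0.0.5)", "tcp.port eq 80",
              'http contains "example.com"'):
        print(f"{f:32} -> packets {apply_filter(PACKETS, f)}")
```

Running the script lists, for each filter string, which of the three constructed packets would remain in the Packet List pane; `ip.addr` keeps both directions of the 10.0.0.5 conversation, while `ip.src` and `ip.dst` each keep one.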
How Does Wireshark Work?
Wireshark is a network packet sniffing tool. It captures the packets traveling across a selected network interface and decodes them. It then presents the user with information about those packets, including their source, destination, content, protocols, messages, etc.
Going 007 on Network Sniffing
Thanks to Wireshark, network engineers and administrators no longer have to worry about missing out on diagnostic tools for essential network issues. The program’s easily accessible and convenient features make it much more straightforward to assess network vulnerabilities and perform troubleshooting.
After reading our article, you should now be able to tell the difference between different filter options in the program related to IP filtering. You also learned the basic string expressions for filtering by IP and much more. Hopefully, this will help solve whatever network issues you may be encountering.
What other features do you often use in Wireshark? What do you think makes Wireshark stand out from the competition? Share your thoughts in the comments section below.