How to Filter Traffic by Source IP Addresses in Wireshark

Here are a few ways to filter by source IP address, destination IP address, and protocol in Wireshark:

To show only HTTP traffic between two specific IP addresses:

(ip.src == 192.168.1.100 and ip.dst == 192.168.1.200) and http

To break this down:

• ip.src == 192.168.1.100 filters by source IP address
• ip.dst == 192.168.1.200 filters by destination IP address
• and http further filters to only show HTTP protocol traffic

You can also filter by TCP/UDP ports in addition to IP addresses:

(ip.src == 192.168.1.100 and tcp.srcport == 80 and ip.dst == 192.168.1.200 and tcp.dstport == 8080) and http

This filters for HTTP traffic from 192.168.1.100 port 80 to 192.168.1.200 port 8080.

Some other examples:

(ip.addr == 192.168.1.100 or ip.addr == 192.168.1.200) and tcp.port == 80 

Show TCP port 80 traffic to/from 192.168.1.100 or 192.168.1.200.

(ip.src == 192.168.1.100 or ip.dst == 192.168.1.100) and udp 

Show all UDP traffic involving 192.168.1.100.

The key is you can combine IP address, port, and protocol filters using and and or to precisely filter the traffic you want to analyze in Wireshark.