WEBVTT

00:00.090 --> 00:10.020
In this lecture, we are going to learn how to filter traffic by IP address using the ip.addr filter.

00:10.020 --> 00:20.370
So if you want to find the packets that a particular IP address or addresses have sent or received,

00:20.370 --> 00:23.880
then the ip.addr filter can be used there.

00:24.120 --> 00:26.850
It is a super handy filter.

00:26.850 --> 00:33.780
So in the filter bar type ip.addr, two equal-to signs.

00:33.810 --> 00:38.760
Now write the IP address and let me type my own IP address.

00:38.760 --> 00:39.780
192.

00:42.050 --> 00:43.670
.68.

00:43.680 --> 00:53.840
Now, this filter is going to display all the packets that contain this IP address or all the packets

00:53.840 --> 00:59.750
that this particular IP address has sent or received.

00:59.780 --> 01:00.170
Right.

01:00.170 --> 01:09.360
So if I press enter now, you are going to see this IP address either under source or destination column.

01:09.380 --> 01:10.460
As you can see here.

01:10.550 --> 01:11.060
Right.

01:11.510 --> 01:18.770
And of course, you can use the or operator here to combine multiple IP addresses.

01:19.070 --> 01:21.140
ip.addr.

01:21.140 --> 01:26.540
And instead of writing two equal-to signs, we can simply use eq.

01:26.570 --> 01:28.340
It also means equal to.

01:28.390 --> 01:28.660
Okay.

01:28.670 --> 01:31.310
Now I'm going to specify another IP address.

01:32.930 --> 01:43.040
This time, ip.addr with the or operator, it is going to display all the packets that these two specified

01:43.040 --> 01:46.490
IP addresses have sent or received.

01:46.490 --> 01:47.060
Right.

01:47.420 --> 01:53.090
Of course, in this way, guys, you can combine as many IP addresses as you like.

01:53.240 --> 01:58.430
Now let me show you the use of the and operator here.

01:58.430 --> 02:01.490
So ip.addr equal to IP address, then.

02:01.490 --> 02:01.940
Right.

02:01.940 --> 02:13.460
and udp. Now what basically it means is, I am telling Wireshark that show me only the UDP packets that

02:13.460 --> 02:18.380
this particular IP address has sent and received.

02:18.410 --> 02:28.370
So this filter will only display the packets that contain both UDP and this IP address.

02:28.460 --> 02:31.910
This is how the and operator works.

02:31.940 --> 02:35.000
Both the conditions must be true.

02:35.000 --> 02:42.830
So first condition is that the packet must contain this IP address and second condition is packet also

02:42.830 --> 02:45.170
needs to have UDP in it.

02:45.380 --> 02:53.540
So if I press enter, as you can see guys under the protocol column, it is only displaying DNS and

02:53.540 --> 02:59.480
other protocols that use UDP for the data transportation.

02:59.630 --> 03:07.380
So let me click on let's say packet number six and pull the packet details up.

03:07.400 --> 03:10.910
As you can see down here, we have the UDP protocol, right?

03:10.940 --> 03:16.630
User Datagram Protocol. Here, both the conditions are true.

03:16.640 --> 03:17.030
Right.

03:17.030 --> 03:20.660
So first condition is that IP address must be this.

03:20.660 --> 03:29.090
So if you check Internet Protocol Version 4, in the destination field, we have this specified

03:29.090 --> 03:33.410
IP address and the protocol is UDP.

03:33.410 --> 03:34.390
In the same way.

03:34.400 --> 03:43.920
Let's say you only want to display the TCP packets that this particular IP address has sent or received.

03:43.940 --> 03:44.950
Hit enter.

03:44.960 --> 03:53.450
Now you are only going to see TCP packets that this specified IP address has sent or received.

03:53.450 --> 03:53.990
Right.

03:54.140 --> 03:56.780
Or we can use the not operator here as well.

03:56.780 --> 04:05.300
So if you type not ip.addr equal to this IP address, it means I am telling Wireshark that do not

04:05.300 --> 04:11.630
show me packets that this particular IP address has sent or received.

04:11.630 --> 04:18.380
So if I hit enter, as you can see guys under the source or destination column, you are not going to

04:18.380 --> 04:21.050
see this IP address at all.

04:21.050 --> 04:30.080
And if you want to negate traffic of multiple IP addresses, then you can specify those IP addresses

04:30.080 --> 04:34.730
within the brackets using the or operator, of course, or.

04:37.100 --> 04:37.390
Okay.

04:37.400 --> 04:38.390
Just like this.

04:38.540 --> 04:46.280
Now it has removed packets that both the specified IP addresses have sent or received.

04:46.280 --> 04:46.700
Right.

04:46.730 --> 04:50.820
Now let's narrow down the ip.addr filter.

04:50.840 --> 05:00.710
If you are interested in packets that a particular IP address has sent, then write ip.src.

05:00.740 --> 05:08.350
This filter is only going to display the packets that this IP address has sent.

05:08.360 --> 05:15.230
So if I hit enter under the source column, as you can see, you are only going to see this IP address

05:15.230 --> 05:19.580
or packets that the specified IP address has sent.

05:19.880 --> 05:30.500
And if you want to find the packets that an IP address has received, then replace src with dst.

05:30.530 --> 05:32.360
dst means destination.

05:32.510 --> 05:39.170
Now, Wireshark is going to display the packets that this IP address has received.

05:39.170 --> 05:46.610
So if I hit enter under the destination column, as you can see, we have the specified IP address.

05:46.610 --> 05:53.360
So these are all the packets that the specified IP address has received.
