How to do it...

Let's look at the following diagram, in which we have a server, PCs, and a router, connected to a LAN switch. Wireshark is running on the laptop connected to the LAN switch, with port mirror to the entire switch (to VLAN1).

The /24 notation in the diagram refers to a subnet mask of 24 bits, that is, 11111111.11111111.11111111.00000000 in binary or 255.255.255.0 in decimal:

Follow the instructions in the Configuring capture filters recipe, and configure the filters as follows:

• To capture packets only from/to a specific MAC address, configure ether host 00:24:d6:ab:98:b6.
• To capture packets going to a destination MAC address, configure ether dst 00:24:d6:ab:98:b6.
• To capture packets coming from a source MAC address, configure ether src 00:24:d6:ab:98:b6.
• To capture broadcast packets, configure ether broadcast or ether dst ff:ff:ff:ff:ff:ff.
• To capture multicast packets, configure ether multicast.
• To capture a specific ether type (number in hexadecimal value), configure ether proto 0800. You can also write ether proto \ip (the backslash is used when a keyword is used as a value).