Dissecting the capture by IP address

One way to break down a large capture is by filtering on a specific IPv4 or IPv6 address and then using that subset for your analysis. For example, you know that a specific host is having a problem, and you want to home in on that IP address to troubleshoot the issue.

Let's review how to narrow your search. In any large capture, you will most likely have captured many IP addresses. Go to the bottom of the Statistics menu, where you will see menu choices for both IPv4 Statistics and IPv6 Statistics, as shown in the following screenshot:

IPv4 and IPv6 statistics

The IP statistics have four choices for either IPv4 or IPv6, which include All Addresses, Destinations and Ports, IP Protocol Types, and Source and Destination Addresses, as follows:

  • All Addresses: Provides a sortable list of IP addresses with additional information such as Count and Burst rate:

Statistics: All Addresses
  • Destinations and Ports: Provides similar information to All Addresses, such as Count and Burst rate. However, this report is more detailed: it breaks down each destination IP address with additional statistics on TCP and UDP ports, as displayed in this screenshot:

Statistics: Destinations and Ports
  • IP Protocol Types: Provides a basic list of transport layer protocols:

Statistics: IP Protocol Types
  • Source and Destination Addresses: This currently looks the same as All Addresses, as shown in the screenshot captioned Statistics: All Addresses, as it may still be in development.

After you run the report, you can look for an IP address with specific characteristics (for example, an unusually high count or burst rate) and then apply a display filter for that address.
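To make the four reports concrete, here is an added example (not from the book or from the Wireshark project) that rebuilds the All Addresses, Destinations and Ports, and IP Protocol Types summaries over a small capture constructed in memory, and then applies the equivalent of an `ip.addr == x` / `ipv6.addr == x` filter. The frame builder, the parser, and the sample addresses (RFC 5737 and RFC 3849 documentation ranges) are all constructed for this example; the parser assumes plain IPv4/IPv6 headers without options or extension headers, and Burst rate is left out because the constructed frames carry no timestamps.

```python
"""Offline re-creation of Wireshark's IPv4/IPv6 Statistics reports over constructed frames."""
import ipaddress
import struct
from collections import Counter, defaultdict

ETH_IPV4, ETH_IPV6 = 0x0800, 0x86DD
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}


def build_frame(src, dst, proto, sport=0, dport=0):
    """Build a minimal Ethernet frame carrying IPv4 or IPv6 plus a TCP/UDP header (constructed test data)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16 if proto in (6, 17) else b""
    if s.version == 4:
        # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left zero), src, dst
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, s.packed, d.packed)
        etype = ETH_IPV4
    else:
        # version/traffic class/flow label, payload length, next header, hop limit, src, dst
        ip = struct.pack("!IHBB16s16s", 0x60000000, len(l4), proto, 64, s.packed, d.packed)
        etype = ETH_IPV6
    return b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", etype) + ip + l4


def parse_frame(frame):
    """Return (src, dst, protocol name, destination port) or None for non-IP frames."""
    etype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    if etype == ETH_IPV4:
        ihl = (ip[0] & 0x0F) * 4
        proto = ip[9]
        src, dst = ipaddress.ip_address(ip[12:16]), ipaddress.ip_address(ip[16:20])
        l4 = ip[ihl:]
    elif etype == ETH_IPV6:
        proto = ip[6]  # next header; extension headers are not walked (simplifying assumption)
        src, dst = ipaddress.ip_address(ip[8:24]), ipaddress.ip_address(ip[24:40])
        l4 = ip[40:]
    else:
        return None
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
    return str(src), str(dst), PROTO_NAMES.get(proto, str(proto)), dport


def all_addresses(frames):
    """All Addresses: packets seen per address, whether it appears as source or destination."""
    counts = Counter()
    for src, dst, _, _ in filter(None, map(parse_frame, frames)):
        counts[src] += 1
        counts[dst] += 1
    return counts


def destinations_and_ports(frames):
    """Destinations and Ports: destination address -> transport protocol -> destination port -> count."""
    tree = defaultdict(lambda: defaultdict(Counter))
    for _, dst, proto, dport in filter(None, map(parse_frame, frames)):
        if dport is not None:
            tree[dst][proto][dport] += 1
    return tree


def protocol_types(frames):
    """IP Protocol Types: packets per transport-layer protocol."""
    return Counter(proto for _, _, proto, _ in filter(None, map(parse_frame, frames)))


def filter_by_address(frames, address):
    """Equivalent of the ip.addr == x / ipv6.addr == x display filter: frames where x is src or dst."""
    address = str(ipaddress.ip_address(address))
    return [f for f in frames if (rec := parse_frame(f)) and address in rec[:2]]


# Constructed sample capture: two clients, a local DNS server, a web server, and one IPv6 flow.
CAPTURE = [
    build_frame("10.0.0.5", "203.0.113.80", 6, 51000, 443),
    build_frame("203.0.113.80", "10.0.0.5", 6, 443, 51000),
    build_frame("10.0.0.5", "10.0.0.1", 17, 53012, 53),
    build_frame("10.0.0.1", "10.0.0.5", 17, 53, 53012),
    build_frame("10.0.0.7", "203.0.113.80", 6, 52000, 80),
    build_frame("10.0.0.5", "10.0.0.1", 1),
    build_frame("2001:db8::10", "2001:db8::1", 6, 40000, 443),
]

if __name__ == "__main__":
    for addr, n in all_addresses(CAPTURE).most_common():
        print(f"{addr:20} {n}")
    print(dict(protocol_types(CAPTURE)))
    for dst, protos in destinations_and_ports(CAPTURE).items():
        print(dst, {p: dict(ports) for p, ports in protos.items()})
    print(len(filter_by_address(CAPTURE, "10.0.0.5")), "frames involve 10.0.0.5")
```

Sorting `all_addresses()` by count is the same move as clicking the Count column in the GUI: the address at the top is the one to feed into `filter_by_address()`, which is the scripted counterpart of the display filter the text describes.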

While subsetting traffic by IP addresses may be helpful to home in on troublesome hosts, another way to break down a large capture is by using conversations, which represent two endpoints that are communicating with each other.
