冠冕堂皇


While it is always possible to use capture filters (which have their own syntax), experience has shown that it is usually better to capture everything on the wire and then use display filters to zero in on the desired packets.

 

One specific device     ip.addr == xxx.xxx.xxx.xxx

Two specific devices    ip.addr == xxx.xxx.xxx.xxx and ip.addr == xxx.xxx.xxx.xxx

Either of two devices   ip.addr == xxx.xxx.xxx.xxx or ip.addr == xxx.xxx.xxx.xxx

Sending IP device       ip.src == xxx.xxx.xxx.xxx

Receiving IP device     ip.dst == xxx.xxx.xxx.xxx

 

BACnet traffic with Application layer message    bacapp

Who-Is, I-Am, UnconfirmedCOVNotification, etc.   bacapp.unconfirmed_service

Who-Is                                           bacapp.unconfirmed_service==8

I-Am                                             bacapp.unconfirmed_service==0

UnconfirmedCOVNotification                       bacapp.unconfirmed_service==2

 

BACnet messages with Network layer                bacnet

Network layer messages (w/o Application Layer)    bacnet.control_net==1

Who-Is-Router-To-Network                          bacnet.mesgtyp==0

I-Am-Router-To-Network                            bacnet.mesgtyp==1

Either of the above with a specific network "y"   bacnet.mesgtyp==x and bacnet.dnet==y

 

BACnet/IP traffic                    bvlc

Write-Broadcast-Distribution-Table   bvlc.function==1

Forwarded-NPDU                       bvlc.function==4

Distribute-Broadcast-To-Network      bvlc.function==9

Original-Broadcast                   bvlc.function==11
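What the BACnet filters above match on the wire, as an added example that is not part of the original post: a small Python decoder that walks a BACnet/IP UDP payload (BVLC header, NPDU control byte, first APDU bytes) and reports the values the listed display filters test. The function name `display_fields`, the `bacapp` presence key and the sample payloads are constructed for this illustration.

```python
import struct

# BVLC functions that carry an NPDU, mapped to the offset where the NPDU starts.
# Forwarded-NPDU (4) has a 6-byte originating address after the 4-byte header.
NPDU_OFFSET = {4: 10, 9: 4, 10: 4, 11: 4}

def display_fields(payload: bytes) -> dict:
    """Map a BACnet/IP UDP payload to the display-filter fields listed on this page."""
    if len(payload) < 4 or payload[0] != 0x81:
        raise ValueError("not a BACnet/IP payload (BVLC type must be 0x81)")
    function, length = struct.unpack("!BH", payload[1:4])
    if length != len(payload):
        raise ValueError("BVLC length field disagrees with payload size")
    fields = {"bvlc.function": function}
    if function not in NPDU_OFFSET:
        return fields  # e.g. Write-Broadcast-Distribution-Table: no NPDU inside
    try:
        pos = NPDU_OFFSET[function]
        control = payload[pos + 1]          # payload[pos] is the NPDU version
        pos += 2
        if control & 0x20:                  # DNET(2) + DLEN(1) + DADR(DLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x08:                  # SNET(2) + SLEN(1) + SADR(SLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x20:                  # hop count follows when DNET is present
            pos += 1
        fields["bacnet.control_net"] = control >> 7
        if control & 0x80:                  # network layer message, no APDU
            fields["bacnet.mesgtyp"] = payload[pos]
        else:
            fields["bacapp"] = True         # hypothetical key: APDU is present
            if payload[pos] >> 4 == 1:      # PDU type 1 = Unconfirmed-Request
                fields["bacapp.unconfirmed_service"] = payload[pos + 1]
    except IndexError:
        raise ValueError("truncated NPDU/APDU") from None
    return fields

# Constructed sample payloads (not taken from a real capture).
SAMPLES = {
    "who_is": bytes.fromhex("810b000c0120ffff00ff1008"),
    "who_is_router": bytes.fromhex("810b00090180000005"),
    "forwarded_i_am": bytes.fromhex("8104001ac0a8010abac001001000c40200007b2205c49100210f"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, display_fields(raw))
```
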

posted on 2013-08-08 14:28  冠冕堂皇