If you're playing with Wireshark, then you should be able to use the MAC address filter:
https://www.wireshark.org/docs/dfref/e/eth.html
What are you trying to find exactly? This is not going to show you everything through a routed network.
Not to mention, all clients are going to be communicating with the SEPM over 8014 (default) anyway, so there's no way from networking information alone that you're going to be able to tell whether it's doing a normal heartbeat or grabbing defs.
I'd suggest you look in the SEPM logs instead for this sort of information. I've found the below logs handy:
Log Type: System
Log Content: Client Activity
Event Source: SYLINK
These logs will tell you which client is downloading defs, and where from, as per the below example:
In the place of TEST_SEPM, I've also got entries that state a GUP instead...