Call record analysis is the most critical task for the Law Enforcement Agencies (LEAs) in a cyber-investigation process. It provides valuable information in the investigation, such as time and date and the duration of incoming and outgoing calls. The technological advancement of smartphones and the versatility of Instant Messaging (IM) applications provide multiple communication channels to cybercriminals for communication, making it difficult for the LEAs to monitor/investigate using traditional forensics tools and techniques. The most challenging part is to retrieve specific information from the network traffic of a particular IM Application such as WhatsApp. This research article’s primary purpose is to find the IP address of the cybercriminal using WhatsApp through existing sniffing techniques and tools. A method called rule-based extraction for sniffing packets is proposed for extracting the most relevant data from the network traffic. The results support LEAs to identify the cybercriminals’ specific traffic and help in analyzing and comparing the mobile phone data with the network traffic.