I need help with filters!


Hi there,
I’m new to Wireshark and have only a short time to quickly set it up for a very specific purpose. I’m working with law enforcement to attempt to determine who may be remotely accessing a computer that’s involved in a legal case. I can’t give any details, as it’s a case that’s currently in progress, but the idea is that we suspect that someone may be accessing and perhaps controlling a specific computer via a backdoor or that they may be installing spyware on the computer in question.

There is plenty of software out there for detecting spyware, but all of this software that I’ve reviewed so far merely prevents the access and doesn’t identify the IP address of the attacker. We want to do the opposite. We want to allow the access and get the IP address of the attacker.

I installed Wireshark on this system, began capturing, and in less than a minute ended up with a capture file that was 19 MB in size! This is too big a file for the owner of that computer to email to us for analysis.

So, with all of that explanation out of the way, I’m hoping that some kind soul out there (maybe you?) could help us by telling us specifically what to type in for a capture filter that would capture only the data we’re interested in and keep the capture file size reasonable (small enough to be emailed).

Thank you for your help!
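Added example for this thread (not the original poster's text or code, and not a reply from the Wireshark project): a Python script that applies, offline and to a constructed pcap, the same selection that the capture filter `tcp[tcpflags] & tcp-syn != 0` would apply in Wireshark, dumpcap or tcpdump, then truncates each kept frame to a short snaplen. The reasoning behind that filter for this question: every TCP connection, inbound or outbound, starts with a segment carrying the SYN bit, so keeping only SYN segments records who connected to the machine and where the machine connected out to (a backdoor that calls home), while discarding the bulk data that made the one-minute capture 19 MB. The local address 192.168.1.20, the remote addresses (taken from the RFC 5737 documentation ranges), the ports and every frame in the sample are constructed for the example and are assumptions, not evidence from the case.

```python
"""Offline equivalent of the capture filter  tcp[tcpflags] & tcp-syn != 0
plus a short snaplen.  Added example for this thread, not the original
poster's code.  Every address, port and frame below is constructed."""
import socket
import struct

SNAPLEN = 128      # bytes kept per matching frame: Ethernet + IPv4 + TCP headers fit easily
TCP_SYN = 0x02     # bit values of the TCP flags byte (tcp[13] in BPF offset terms)
TCP_ACK = 0x10
TCP_PSH = 0x08
LOCAL_IP = "192.168.1.20"   # assumed address of the computer being examined


def ipv4_frame(src, dst, proto, l4):
    """Constructed Ethernet/IPv4 frame carrying an L4 payload (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def tcp_segment(sport, dport, flags, payload=b""):
    """20-byte TCP header (data offset 5, no options) followed by payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload


def pcap_bytes(frames):
    """Serialise frames as a classic little-endian pcap (linktype 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield the captured bytes of each record in a classic little-endian pcap."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only classic little-endian pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def syn_filter(frame):
    """What BPF checks for 'tcp[tcpflags] & tcp-syn != 0': IPv4, protocol 6, SYN bit set.
    Returns (src_ip, dst_ip, dst_port, flags) on a match, else None.  IPv4 only, as is
    the BPF expression (tcp[] indexing does not apply to IPv6)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = 14 + (frame[14] & 0x0F) * 4           # skip Ethernet and the IPv4 header (IHL)
    if len(frame) < tcp + 14:
        return None
    flags = frame[tcp + 13]
    if not flags & TCP_SYN:
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    return src, dst, struct.unpack_from("!H", frame, tcp + 2)[0], flags


def filter_capture(data, local_ip, snaplen=SNAPLEN):
    """Apply the filter and snaplen; report kept frames, peers, and byte totals."""
    kept, peers, bytes_in = [], set(), 0
    for frame in iter_pcap(data):
        bytes_in += len(frame)
        match = syn_filter(frame)
        if match is None:
            continue
        src, dst, dport, flags = match
        kept.append(frame[:snaplen])
        # A bare SYN towards the host is an inbound connection attempt; a bare SYN
        # from it is an outbound connection (how a reverse-connecting backdoor calls home).
        # SYN/ACKs are kept as evidence but add no new peer.
        if dst == local_ip and not flags & TCP_ACK:
            peers.add(("inbound", src, dport))
        elif src == local_ip and not flags & TCP_ACK:
            peers.add(("outbound", dst, dport))
    return {"kept": kept, "peers": peers,
            "bytes_in": bytes_in, "bytes_out": sum(len(f) for f in kept)}


# Constructed slice of traffic: a remote host connects in to 3389, the host calls
# out to another remote address, plus ordinary LAN, ARP and DNS noise.
REMOTE_A, REMOTE_B, GATEWAY = "203.0.113.7", "198.51.100.9", "192.168.1.1"
BULK = b"\x00" * 1400
SAMPLE_PCAP = pcap_bytes([
    ipv4_frame(REMOTE_A, LOCAL_IP, 6, tcp_segment(51000, 3389, TCP_SYN)),
    ipv4_frame(LOCAL_IP, REMOTE_A, 6, tcp_segment(3389, 51000, TCP_SYN | TCP_ACK)),
    ipv4_frame(REMOTE_A, LOCAL_IP, 6, tcp_segment(51000, 3389, TCP_ACK | TCP_PSH, BULK)),
    ipv4_frame(LOCAL_IP, REMOTE_B, 6, tcp_segment(49152, 4444, TCP_SYN)),
    ipv4_frame(LOCAL_IP, REMOTE_B, 6, tcp_segment(49152, 4444, TCP_ACK | TCP_PSH, BULK)),
    ipv4_frame(LOCAL_IP, GATEWAY, 6, tcp_segment(49153, 80, TCP_SYN)),
    bytes.fromhex("001122334455" "66778899aabb" "0806") + b"\x00" * 28,      # ARP
    ipv4_frame(LOCAL_IP, GATEWAY, 17, struct.pack("!HHHH", 53123, 53, 37, 0)
               + b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
])

if __name__ == "__main__":
    result = filter_capture(SAMPLE_PCAP, LOCAL_IP)
    print(f"{result['bytes_in']} bytes captured -> {result['bytes_out']} bytes kept "
          f"in {len(result['kept'])} frames")
    for direction, peer, port in sorted(result["peers"]):
        print(f"{direction:8s} {peer}:{port}")
```

At capture time the equivalent is `dumpcap -i <interface> -P -s 128 -f 'tcp[tcpflags] & tcp-syn != 0' -b filesize:2048 -b files:20 -w evidence.pcap`, or the same expression with `tcpdump -s 128 -n -w evidence.pcap`: `-s 128` keeps only the headers of each matching frame, and the ring-buffer options cap each file at about 2 MB so the owner can email the files one at a time. Caveats worth knowing before relying on it: the expression is IPv4-only, it records who connected but nothing about what was done over the connection, and a backdoor that rides an existing allowed connection or uses UDP will not appear, so the filter would need to be broadened for those cases.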