Sometimes you want to run Wireshark against the traffic of a remote machine, and it is relatively simple. This works on Mac and Linux, and probably other *nix systems (BSD, Hurd etc).
- Prepare the remote computer - on the remote computer, you need tcpdump installed. So with your favourite package manager, you want something like
sudo apt-get install tcpdump
- On your desktop, make a named pipe (a fifo, created with mkfifo). The steps below use /tmp/paccap as its path, so whatever path you pick has to appear in both of the following commands:
- Run Wireshark from the terminal, reading from the pipe (-k starts capturing immediately, -i names the capture source). Start it in its own terminal or in the background, because the next step blocks until something is reading the pipe:
wireshark -k -i /tmp/paccap
- Now connect the remote tcpdump to your fifo (-s 0 captures whole packets, -U flushes each packet as it arrives so Wireshark shows it live, -n avoids DNS lookups that would generate extra traffic, and -w - writes the pcap stream to stdout, which ssh carries back to the pipe):
ssh user@hostname "sudo tcpdump -s 0 -U -n -w - -i INTERFACENAME not port 22" > /tmp/paccap
This last line needs the interface name and the user/host replacing - e.g. it's probably wlan0 or similar - use
ip a or
ifconfig on the remote machine to get a list of its interfaces.
- The user in the last step can be root, but only if root ssh logins are enabled in the remote's sshd. If not, you have to sudo (as per this command). To sudo though, you need a no-password line in the sudoers, either globally or just for tcpdump, because there is no terminal on the remote side to type a password into. You probably can't run tcpdump as an ordinary user: capturing needs a raw socket, which on Linux means root or the CAP_NET_RAW capability.
- You want to keep the
not port 22 as a safety in case you get the wrong interface. Because you're ssh'ing into port 22, and then sending all the packets back, it will then try to dump the fact you sent a packet back and get into a loop of creating more and more data. If the remote sshd listens on another port, change the number to match. The filter as written also hides all other ssh traffic on that interface; if you want to see that, narrow it to just your own session with not (host DESKTOPIP and port 22).
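The whole procedure above, wrapped into one script as an added example (this is not the original post's code). It assumes the /tmp/paccap pipe path from the walkthrough, that wireshark and ssh are on the desktop's PATH, and that the remote user can run tcpdump via passwordless sudo as described; the script name remote-capture.sh and its argument order are my own choices.

```shell
#!/bin/sh
# Remote capture helper: ssh + tcpdump piped into a local named pipe that
# Wireshark reads. Added example; the script name, argument order and the
# FIFO path default are assumptions, not from the original walkthrough.
set -eu

FIFO="${FIFO:-/tmp/paccap}"   # same pipe path the walkthrough uses

# Build the BPF filter that keeps the ssh session carrying the capture out
# of the capture itself. With the desktop's IP known we exclude only that
# connection; without it we fall back to the coarser "not port 22".
capture_filter() {
    ssh_port="$1"
    desktop_ip="${2:-}"
    if [ -n "$desktop_ip" ]; then
        printf 'not (host %s and port %s)' "$desktop_ip" "$ssh_port"
    else
        printf 'not port %s' "$ssh_port"
    fi
}

# Remote command string: -s 0 whole packets, -U flush per packet so Wireshark
# sees traffic live, -n no DNS lookups (which would add traffic), -w - pcap
# to stdout. The filter is single-quoted so the remote shell does not try to
# interpret the parentheses.
remote_tcpdump_cmd() {
    iface="$1"
    filter="$2"
    printf "sudo tcpdump -s 0 -U -n -w - -i '%s' '%s'" "$iface" "$filter"
}

# Create the named pipe if needed; refuse to proceed if the path exists but
# is not a FIFO (a leftover regular file would silently swallow the capture).
ensure_fifo() {
    path="$1"
    if [ -p "$path" ]; then
        return 0
    fi
    if [ -e "$path" ]; then
        echo "ensure_fifo: $path exists and is not a FIFO" >&2
        return 1
    fi
    mkfifo -m 600 "$path"
}

# Usage: sh remote-capture.sh run user@host INTERFACE [SSH_PORT] [DESKTOP_IP]
run_capture() {
    target="$1"
    iface="$2"
    ssh_port="${3:-22}"
    desktop_ip="${4:-}"
    ensure_fifo "$FIFO"
    trap 'rm -f "$FIFO"' EXIT
    # Start the reader first: opening a FIFO for writing blocks until a
    # reader exists, so the ssh redirect below would hang with no Wireshark.
    wireshark -k -i "$FIFO" &
    filter=$(capture_filter "$ssh_port" "$desktop_ip")
    cmd=$(remote_tcpdump_cmd "$iface" "$filter")
    # When Wireshark is closed, the write end gets SIGPIPE and ssh exits.
    ssh -p "$ssh_port" "$target" "$cmd" > "$FIFO"
}

if [ "${1:-}" = "run" ]; then
    shift
    run_capture "$@"
fi
```

Passing the desktop's IP as the fourth argument is the tighter version of the safety filter: only the ssh connection that carries the capture is excluded, so other ssh sessions on the remote interface still show up in Wireshark.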