Remote Wireshark

Sometimes you want to run Wireshark against a remote machine's traffic, and it is relatively simple. This works on Mac and Linux, and probably on other Unix-like systems (BSD, Hurd etc).

Steps

  1. Prepare the remote computer - on the remote computer, you need tcpdump installed. So with your favourite package manager, you want something like sudo apt-get install tcpdump
  2. On your desktop, make a named pipe: mkfifo /tmp/paccap
  3. Run wireshark from the terminal: wireshark -k -i /tmp/paccap
  4. Now connect the remote TCP dump to your fifo queue: ssh user@hostname "sudo tcpdump -s 0 -U -n -w - -i INTERFACENAME not port 22" > /tmp/paccap

This last line needs the interface name and the user/host replacing. The interface is probably eth0 or wlan0 or similar; use ip a or ifconfig on the remote computer to get a list of its interfaces.

Notes:

  1. The user in the last step can be root, but only if root ssh logins are enabled in the remote's sshd. If not, you have to sudo (as in this command). To sudo, though, you need a no-password (NOPASSWD) line in the sudoers, either globally or just for tcpdump, because there is no terminal for a password prompt when tcpdump's output is piped back. You probably can't run tcpdump as an ordinary user.
  2. You want to keep the not port 22 as a safety in case you get the wrong interface. The capture itself travels back to you over the ssh session on port 22, so without the filter tcpdump would capture the packets that carry the capture, which produces more capture traffic to capture, and so on in a loop that generates more and more data. If your sshd listens on a different port, put that port in the filter instead.
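The four steps and both notes, wrapped into one POSIX shell script as an added example (not code from the original post). It goes slightly beyond the post: the not port filter is derived from the ssh port actually used, and the interface name is checked before it is handed to the remote shell. REMOTE, IFACE, FIFO and SSH_PORT are placeholder names the caller supplies.

```sh
#!/bin/sh
# Added example (not from the original post): the four steps above as one script.
# REMOTE, IFACE, FIFO and SSH_PORT are placeholders the caller supplies.
FIFO="${FIFO:-/tmp/paccap}"
SSH_PORT="${SSH_PORT:-22}"

# Build the remote tcpdump command line. The capture filter excludes the ssh
# port actually in use, so the stream carrying the capture is never captured
# (the feedback loop described in note 2).
build_remote_cmd() {
    iface="$1"; port="$2"
    # Refuse interface names the remote shell could interpret (spaces, ';', '$'...).
    case "$iface" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf 'sudo tcpdump -s 0 -U -n -w - -i %s not port %s' "$iface" "$port"
}

# Create the named pipe if needed; refuse a path that exists but is not a fifo,
# so a capture is never written into an ordinary file by mistake.
ensure_fifo() {
    if [ -e "$1" ] && [ ! -p "$1" ]; then
        return 1
    fi
    [ -p "$1" ] || mkfifo "$1"
}

capture() {
    remote="$1"; iface="$2"
    cmd=$(build_remote_cmd "$iface" "$SSH_PORT") || { echo "bad interface/port" >&2; return 1; }
    ensure_fifo "$FIFO" || { echo "$FIFO exists and is not a fifo" >&2; return 1; }
    # ssh writes into the fifo in the background; Wireshark reads it in the
    # foreground. Closing Wireshark closes the read end, ssh gets EPIPE and
    # exits, and the remote tcpdump is hung up with it.
    ssh -p "$SSH_PORT" "$remote" "$cmd" > "$FIFO" &
    ssh_pid=$!
    wireshark -k -i "$FIFO"
    kill "$ssh_pid" 2>/dev/null
    wait "$ssh_pid" 2>/dev/null
    rm -f "$FIFO"
}

# Usage: REMOTE=user@hostname IFACE=eth0 sh remote-wireshark.sh
if [ -n "${REMOTE:-}" ] && [ -n "${IFACE:-}" ]; then
    capture "$REMOTE" "$IFACE"
fi
```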