C4colo Co-Op-Founder

Joined: 16 Apr 2007 Posts: 52

Posted: Wed Oct 22, 2008 5:39 pm Post subject: Remote Wireshark Packet Capture using SSH
Recently I needed to debug some traffic on a connection running through a router that was on another network segment than I was on. Running tcpdump on the console is only so useful and I wanted to be able to watch the connection in real time (instead of saving a pcap file and transferring it).
The computer running Wireshark must be a Linux computer (if you figure out how to do this on Windows, let me know).
With a little research I pulled this info together from multiple sites. Here is how I did it:
On the computer running Wireshark:
1) Create a pipe on your filesystem
Code:
mkfifo /tmp/wspipe
2) Start Wireshark from the command line listening to the pipe
Code:
wireshark -k -i /tmp/wspipe
3) Start the ssh connection executing a remote command:
Code:
ssh root@some-server 'tcpdump -U -w - not port 22' > /tmp/wspipe
(If you do not have certificates set up, it will prompt for the password before connecting.)
Change the tcpdump parameters to suit your needs ... remember to exclude the host that is running Wireshark, or exclude port 22.
The above command basically runs a remote command via ssh on the server, then pipes the result out to stdout (-w -), which is piped on the local machine to /tmp/wspipe.
Let me know if you have any suggestions.
Clifford
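The three steps above wrapped into a small script, added here as an example and not part of Clifford's post. The host name, interface and user filter are placeholders; the script assumes tcpdump supports -U (packet-buffered output) so Wireshark sees each packet as it arrives rather than after tcpdump's stdout buffer fills.

```shell
#!/bin/sh
# Added example wrapping the post's recipe (fifo + wireshark + ssh/tcpdump).
# Host, interface and filter values are placeholders, not from the post.

# Build the remote tcpdump command line.  Options go before the filter
# expression; -U flushes each packet so Wireshark sees it immediately;
# the filter always excludes the SSH session that carries the capture,
# otherwise every captured packet produces more packets to capture.
build_remote_cmd() {
    iface=$1; ssh_port=$2; user_filter=$3
    filter="not tcp port $ssh_port"
    if [ -n "$user_filter" ]; then
        filter="($user_filter) and $filter"
    fi
    printf 'tcpdump -U -n -i %s -w - %s' "$iface" "$filter"
}

# Run the capture: create the fifo in a private temp dir (a fixed name in
# /tmp could be pre-created by another local user), start Wireshark
# unprivileged on the local side (reading a fifo needs no root), stream
# tcpdump output from the remote side into it, and clean up on exit.
remote_capture() {
    target=$1; iface=$2; user_filter=$3; ssh_port=${4:-22}
    dir=$(mktemp -d) || return 1
    fifo="$dir/wspipe"
    mkfifo "$fifo" || return 1
    trap 'rm -rf "$dir"' EXIT INT TERM
    wireshark -k -i "$fifo" &
    ssh -p "$ssh_port" "$target" \
        "$(build_remote_cmd "$iface" "$ssh_port" "$user_filter")" > "$fifo"
}

# Usage (placeholder host): watch everything on eth0 except DNS, in real time.
# remote_capture root@some-server eth0 'not udp port 53'
```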