Wireshark remote capturing
Yeah, this is real simple stuff, not really worth writing a script for. But on the other hand it saves me from remembering how to do it every time I need it (which isn't often). So here is a little script to set up remote capturing with Wireshark.
All it basically does is ssh to the remote host and run tcpdump there, writing the capture to stdout so that it flows back through the ssh connection into a local named pipe, which Wireshark then reads to display the stream live. Because the capture itself travels over ssh, make sure your tcpdump filter doesn't match your own ssh session, otherwise every captured packet generates more ssh traffic that gets captured in turn 😉
```bash
#!/bin/bash
destination="1.2.3.4"   # server to run the remote capture on
filter="port 80"        # tcpdump filter expression (keep your own ssh session out of it)
interface="eth0"        # interface to listen on on the remote server
opts="-n -p -s 0"       # other tcpdump options

##### let the fun begin #####
mypipe="/tmp/remotecap.$$.cap"
mkfifo "${mypipe}"

# tcpdump writes raw pcap to stdout (-w -); ssh carries it into the local fifo
ssh root@${destination} "tcpdump ${opts} -i ${interface} -w - ${filter}" > "${mypipe}" &
pipepid=$!

# wireshark reads the fifo and starts capturing immediately (-k)
wireshark -k -N ntC -t a -i "${mypipe}"

# wireshark has exited: tear down the ssh session and the fifo
kill ${pipepid}
rm -f "${mypipe}"
```
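The part of this that bites people is the feedback loop mentioned above: if the tcpdump filter matches the ssh session carrying the capture, the capture feeds itself. Below is an added example (not the original script from this post) that builds the filter so the ssh session is always excluded, and that cleans up the fifo and the ssh process with a trap no matter how Wireshark exits. The function names `build_capture_filter`, `build_remote_command` and `run_remote_capture` are my own; the host, interface and filter values are placeholders passed in as arguments.

```bash
#!/bin/sh
# Added example, not the original post's script. Helper names are hypothetical.

# build_capture_filter USER_FILTER [SSH_PORT] [CLIENT_IP]
# Wraps the user's filter and excludes the ssh connection that carries the
# capture, so captured packets don't generate more captured packets.
# With CLIENT_IP given, only the session from that address is excluded;
# without it, all tcp traffic on SSH_PORT (default 22) is excluded.
build_capture_filter() {
    user_filter="$1"
    ssh_port="${2:-22}"
    client_ip="$3"
    if [ -n "$client_ip" ]; then
        excl="not (host $client_ip and tcp port $ssh_port)"
    else
        excl="not tcp port $ssh_port"
    fi
    if [ -n "$user_filter" ]; then
        printf '(%s) and %s' "$user_filter" "$excl"
    else
        printf '%s' "$excl"
    fi
}

# build_remote_command OPTS IFACE FILTER
# The tcpdump command line that is sent over ssh: -w - streams pcap to stdout.
build_remote_command() {
    printf 'tcpdump %s -i %s -w - %s' "$1" "$2" "$3"
}

# run_remote_capture HOST [IFACE] [USER_FILTER]
# Same flow as the post's script, with a trap so the fifo and the ssh/tcpdump
# process are removed even if Wireshark is closed or the script is interrupted.
run_remote_capture() {
    host="$1"
    iface="${2:-eth0}"
    user_filter="$3"
    pipe="/tmp/remotecap.$$.cap"
    mkfifo -m 600 "$pipe" || return 1          # fifo readable only by us
    trap 'kill "$sshpid" 2>/dev/null; rm -f "$pipe"' EXIT INT TERM
    filter=$(build_capture_filter "$user_filter" 22)
    remote_cmd=$(build_remote_command "-n -p -s 0" "$iface" "$filter")
    ssh "root@$host" "$remote_cmd" > "$pipe" &
    sshpid=$!
    wireshark -k -t a -i "$pipe"               # blocks until Wireshark exits
}

# Only start a capture when invoked with arguments, e.g.:
#   ./remotecap.sh 1.2.3.4 eth0 "port 80"
if [ "$#" -gt 0 ]; then
    run_remote_capture "$@"
fi
```

The filter `not tcp port 22` is deliberately broad; pass the capturing machine's address as the third argument of `build_capture_filter` if you do want to see other people's ssh sessions to that host. Running tcpdump as root over ssh works, but a dedicated capture user with `CAP_NET_RAW` on tcpdump (or membership in a capture group, depending on the distribution) limits what a compromised capture box can do with that key.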