HOWTO: Use Wireshark over SSH (Linux and Windows)

You want to use tcpdump in combination with Wireshark, but the server has no X environment or no Wireshark installed?
No problem. Run Wireshark on your desktop (Linux or Windows) and capture on the remote server.

Linux

ssh remote-host "tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

This runs tcpdump on host "remote-host" and captures full packets (-s0) on port 8080. tcpdump writes the capture to its stdout (-w -), SSH relays it to the local host, and Wireshark reads it from stdin (-i -). (-k means start capturing immediately.)

There are a few things that may make the line above not work in your case. Make sure tcpdump is on the PATH on your remote host, or change the line to include the full path, e.g.:

ssh remote-host "/usr/sbin/tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

You may also need to run tcpdump with sudo which means you need to change the command to:

ssh remote-host "sudo /usr/sbin/tcpdump -s0 -w - 'port 8080'" | wireshark -k -i -

Please note! Such a remote capture session can be pretty heavy on the network depending on the application. Make sure you filter as much as possible on the remote side using tcpdump’s filters.
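As an added example (not from the original post), a small POSIX sh wrapper for the pipeline above that bakes in the caveats from this section: an explicit tcpdump path, optional sudo, and a mandatory remote-side filter. It also excludes the SSH port that carries the capture back, since otherwise every captured packet produces more SSH traffic that is captured in turn. The function names, the /usr/sbin/tcpdump default and the port-22 default are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Builds and runs: ssh HOST "tcpdump -s0 -w - 'FILTER'" | wireshark -k -i -

# remote_tcpdump_cmd FILTER [TCPDUMP_PATH] [USE_SUDO] [SSH_PORT]
# Prints the command to run on the remote host; returns 1 if FILTER is empty.
remote_tcpdump_cmd() {
    filter=$1
    tcpdump_bin=${2:-/usr/sbin/tcpdump}   # assumed default; use a full path
    use_sudo=${3:-no}
    ssh_port=${4:-22}                     # assumed default SSH port

    # An empty filter would ship every packet back over SSH, which is
    # exactly the network load the post warns about. Refuse it.
    if [ -z "$filter" ]; then
        echo "error: a BPF filter is required" >&2
        return 1
    fi

    # Exclude the SSH session that carries the capture, otherwise each
    # captured packet generates more SSH traffic that is itself captured.
    full_filter="($filter) and not port $ssh_port"

    cmd="$tcpdump_bin -s0 -w - '$full_filter'"
    [ "$use_sudo" = "yes" ] && cmd="sudo $cmd"
    printf '%s\n' "$cmd"
}

# run_remote_capture HOST FILTER [TCPDUMP_PATH] [USE_SUDO] [SSH_PORT]
# Runs the pipeline from the post: remote tcpdump -> ssh -> local Wireshark.
# Usage: run_remote_capture remote-host 'port 8080' /usr/sbin/tcpdump yes
run_remote_capture() {
    host=$1
    shift
    cmd=$(remote_tcpdump_cmd "$@") || return 1
    ssh "$host" "$cmd" | wireshark -k -i -
}
```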

Windows

On Windows plink.exe works best for me. Get it from the PuTTY website.

plink -ssh username@remote-host "tcpdump -s 0 -w - 'port 8080'" | wireshark -i -

On Windows I have to omit the Wireshark option -k (immediately start capture) and manually start it from the Wireshark UI once SSH keyboard authentication is done. Alternatively, one can provide the password to plink using the -pw option.

Again, it may be that you have to provide the full path to tcpdump and/or wireshark. It also may be that you have to run tcpdump with sudo.


4 Responses to HOWTO: Use Wireshark over SSH (Linux and Windows)

  1. Chinmoy says:

    Hi Vijay,
    Could you please give some more details on Windows operation. I mean where to type the command, do we need to run both Putty and PLink together.

    • Grex says:

      Example:
      "C:\tools\plink.exe" -ssh user@127.0.0.1 "tcpdump -s 0 -w - 'port 8080'" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

  2. Robert Ross says:

    What interface do you start manually on Windows Wireshark to see the piped traffic?

  3. Anonymous says:

    Hi,
    In the case of Linux, with SSH being used, we cannot control the size or rotation logic. So can you please let us know if there is any way to stop the tcpdump that is remotely executed based on a size limit that can be specified by the user.

    Thanks,
    Sindhu
