Remote Wireshark recipe

05.11.2012 17:03

Recently I've been trying to debug some SSL connection problems on remote machines. While tcpdump in an console-only ssh sesion usually does the trick for me, this time I really needed the user-friendliness of filters and SSL decryption features in Wireshark. I really didn't want to install Wireshark on a head-less server and do X11 forwarding, so I used tcpdump to do the actual capture on the server and forwarded the stream through a pipe and an ssh connection to Wireshark on my laptop.

Here's the recipe, mostly for my record and in case someone else might find it useful. I had problems with other recipes I found, since they either use dumpcap, which I don't have on the remote, or make it hard to start the packet capture command through sudo.

On remote machine:

$ mkfifo foo
$ sudo tcpdump not port 22 -U -w - >foo

(just pointing -w to a pipe won't work)

On the local machine:

$ wireshark -k -i <(ssh example.com cat foo)
Posted by Tomaž | Categories: Code

Add a new comment


(No HTML tags allowed. Separate paragraphs with a blank line.)