Remote packet capture

Had a need to capture some traffic on a remote machine and analyze it in Real Time ™.  Found two solutions to this.  The first involves simply sending the output of tcpdump across the ssh session and saving it locally:

ssh host.example.org "tcpdump -i eth0 -U -w - not port 22" > capture.pcap

The "not port 22" filter matters: without it tcpdump also captures the ssh packets that carry its own output, so the capture feeds on itself and grows without bound.  The -U flag flushes each packet as it is written rather than waiting for tcpdump's output buffer to fill.

The other method, picked up from the Wireshark wiki, lets the captured traffic be viewed in Wireshark while it is being captured.  This is done with a combination of ssh and a named pipe (FIFO).  The exact command can vary slightly, and I suggest reading the relevant man pages, but something similar to the following (taken from their wiki) should do the trick.  Note that the redirect into the FIFO blocks until Wireshark opens the pipe for reading, so start the ssh command in the background (or in a second terminal) before launching Wireshark:

mkfifo /tmp/pipe
ssh user@remote-host "tshark -w - not port 22" > /tmp/pipe &
wireshark -k -i /tmp/pipe
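Putting both pieces together, here is an added example (not from the original post or the Wireshark wiki) of a small POSIX shell script that builds the remote tcpdump command, always excludes the ssh session itself from the capture, and feeds the stream through a private FIFO into Wireshark.  The host, interface and filter are placeholders; it assumes key-based ssh login and that the remote user is allowed to run tcpdump.

```shell
#!/bin/sh
# Live remote capture over ssh into a named pipe, read by Wireshark.
# Added example; assumes key-based ssh login and that the remote user
# may run tcpdump (root or a capture group). Host/interface are placeholders.

# Build the tcpdump command that will run on the remote host.
#   $1  interface to capture on
#   $2  optional BPF filter, ANDed with the mandatory exclusion below
# "not port 22" is mandatory: the ssh session carrying the capture would
# otherwise be captured too and the stream would feed on itself.
# -U flushes each packet to the pipe so Wireshark sees it immediately.
build_remote_cmd() {
    iface=$1
    filter=${2:-}
    base="tcpdump -i $iface -U -w - not port 22"
    if [ -n "$filter" ]; then
        printf '%s and (%s)\n' "$base" "$filter"
    else
        printf '%s\n' "$base"
    fi
}

# Run the capture: create a private FIFO, start ssh in the background as the
# writer (the redirect blocks until a reader opens the pipe), then start
# Wireshark as the reader. Cleanup runs when Wireshark exits or on Ctrl-C.
#   $1 user@host   $2 interface   $3 optional BPF filter
remote_capture() {
    host=$1
    iface=$2
    filter=${3:-}
    pipe=$(mktemp -u /tmp/rcap.XXXXXX)   # unique name, not a fixed predictable path
    mkfifo -m 600 "$pipe" || return 1     # only this user can read the capture
    trap 'kill "$sshpid" 2>/dev/null; rm -f "$pipe"' EXIT INT TERM
    # -n: do not read our terminal's stdin, so the backgrounded ssh is not stopped by SIGTTIN
    ssh -n "$host" "$(build_remote_cmd "$iface" "$filter")" > "$pipe" &
    sshpid=$!
    wireshark -k -i "$pipe"
}

# Usage (placeholders): ./rcap.sh user@remote-host eth0 'tcp port 443'
if [ "$#" -ge 2 ]; then
    remote_capture "$@"
fi
```

The blanket "not port 22" also drops any other ssh traffic on the remote box; if that traffic is what you are after, narrow the exclusion to the capturing session (the remote's own SSH_CONNECTION gives the client address and port).  Newer Wireshark releases also ship an sshdump extcap interface that does this from the GUI, but the FIFO approach works with any Wireshark version and with any remote tool that can write pcap to stdout.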
