In our environment we do a lot of live traces on specific interfaces on a Linux server, and pipe the result back to our Windows PC where it is presented in Wireshark. We use PLINK to open an SSH connection to the server and have the stream piped back:

plink.exe -ssh -pw somepassword [email protected] tcpdump -i eth4 -s 0 -w - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

This works just fine, but now we need to trace simultaneously on two different Linux servers and have the two streams merged into one and presented in Wireshark. Does anyone know if that's possible or have a hint on what to try?

asked 27 Jul '12, 00:52 sblar
2 Answers:
You can't just merge several streams, as that's binary data in libpcap format. What you need is this:
Windows:
Linux:
UPDATE: rpcapd for Linux (WinPcap), together with the multiple interface capture capability of Wireshark 1.8, could be an alternative to the scripting solution. Try to compile and run rpcapd on your Linux systems. Then use dumpcap with multiple -i statements to capture from both/all systems.
You can write the output of dumpcap to STDOUT by using
I have not tested it, but it should work. Or run Wireshark with -i directly (not tested either).
Other alternatives: You could also use rpcap for Linux. With that you don't need the named pipes on Linux. Just one tool that connects to several Linux hosts, gets the captured data and writes the frames of all hosts to STDOUT. However, using rpcap requires some programming skills.

Regards

answered 27 Jul '12, 03:01 Kurt Knochner ♦ edited 29 Jul '12, 02:06
Seeing as this is actually fairly recent... For what it's worth, I'll leave here my preferred one-liner solution for live remote capture on non-standard SSH ports using the Windows version of Wireshark and standard tcpdump on whatever flavor of Linux the remote machine has. It doesn't strictly require you to use a key to authorize, but if you don't, it stops being a one-liner. Also, it isn't hugely efficient in that some of the packets get lost to whatever perils there exist in SSH tunnels... Yet it allows you to benefit from the convenience of Windows Wireshark while utilizing the power of Linux's tcpdump. I experimented with opening remote/local tunnels seeking to capture and display all the packets that came, even if they would be displayed with a delay, and this so far is the most accurate representation. Still, not ALL the packets show up on the capture, compared to a local file tcpdump dump. For various reasons of convenience, I can't/don't want to use named pipes unless they can be incorporated into a one-liner. The quest continues :) Anyway, using Cygwin with standard packages:
(Unconvinced about gzip|gunzip, but so far my tests show that fewer packets get lost this way, at the cost of speed and latency of course.)

answered 17 Apr '16, 02:21 katzurki
Thanks Kurt. I got the picture and understand the general idea, but I have no clue on how to write a tool that reads from all pipes and parses the pcap stream so that each frame will come out one by one. Can anyone enlighten me?
Also, I forgot to mention that the resulting trace must contain all frames in chronological order, but maybe that's not an issue at all?
Without programming knowledge, it's rather hard to accomplish. You can start with the sample script (link above).
That's even harder to do, as you need to buffer the frames from all machines and then write them in the right (chronological) order.
BTW: Why do you need a "live" stream? Can't you just write the captured data on all Linux machines to a file and then use mergecap to merge those files into one (chronological order is possible)?

See my UPDATE in the answer.
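Kurt's point that the two streams are binary libpcap data that cannot simply be concatenated, and the follow-up question of what a tool that reads every pipe and emits frames one by one in chronological order would look like, as an added example (not the sample script linked in the answer and not code from the Wireshark project): a small Python merger that parses each stream's 24-byte global header and 16-byte record headers and always emits the oldest pending frame. It assumes little-endian classic pcap as tcpdump -w - writes it on x86 Linux, one link type across all inputs, and NTP-synced clocks (the merged order is only as good as the clocks); build_pcap only constructs sample input and is not needed for live use.

```python
import heapq
import io
import struct

MAGIC_LE = b'\xd4\xc3\xb2\xa1'  # 0xa1b2c3d4 little-endian: classic pcap, microsecond timestamps

def build_pcap(frames, snaplen=65535, linktype=1):
    """Pack (ts_sec, ts_usec, payload) tuples into a pcap blob (used to construct sample input)."""
    out = MAGIC_LE + struct.pack('<HHiIII', 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, data in frames:
        out += struct.pack('<IIII', sec, usec, len(data), len(data)) + data
    return out

def read_global_header(f):
    """Return (snaplen, linktype); only little-endian classic pcap is accepted (assumption)."""
    hdr = f.read(24)
    if len(hdr) != 24 or hdr[:4] != MAGIC_LE:
        raise ValueError('not a little-endian classic libpcap stream (pcapng?)')
    return struct.unpack('<II', hdr[16:])

def iter_records(f):
    """Yield (ts_sec, ts_usec, orig_len, payload) per frame until a clean EOF."""
    while True:
        rec = f.read(16)
        if not rec:
            return
        sec, usec, incl_len, orig_len = struct.unpack('<IIII', rec)
        data = f.read(incl_len)
        if len(data) != incl_len:
            raise ValueError('truncated packet record')
        yield sec, usec, orig_len, data

def merge_pcap_streams(streams, out):
    """k-way merge of time-ordered pcap streams into one stream; returns the frame count."""
    hdrs = [read_global_header(s) for s in streams]
    if len({lt for _, lt in hdrs}) != 1:
        raise ValueError('link types differ; cannot merge into one pcap')
    out.write(MAGIC_LE + struct.pack('<HHiIII', 2, 4, 0, 0, max(sl for sl, _ in hdrs), hdrs[0][1]))
    # heapq.merge keeps one pending frame per stream and always emits the oldest;
    # a read on a silent pipe blocks, so live output stalls while one host is quiet.
    written = 0
    for sec, usec, orig_len, data in heapq.merge(*map(iter_records, streams), key=lambda r: r[:2]):
        out.write(struct.pack('<IIII', sec, usec, len(data), orig_len) + data)
        written += 1
    return written

def merge_pcap_bytes(blobs):
    """In-memory wrapper; for live use pass the open named pipes and sys.stdout.buffer."""
    out = io.BytesIO()
    merge_pcap_streams([io.BytesIO(b) for b in blobs], out)
    return out.getvalue()
```

Feeding its stdout into wireshark -k -i - gives the single live session asked for, and the blocking read on an idle pipe is exactly the buffering problem Kurt describes.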
Thanks again Kurt, I will look into your suggestions in detail. I'm a little confused though since I can't separate the alternatives from each other; can rpcap for Linux fulfill my needs without programming? After your suggestion to use WinPcap on Linux, you wrote "Try to compile and run rpcapd on your linux systems". Was that a typo or another alternative? Do any of your suggestions work (without programming) when I need the correct order of frames?
I could write data from each machine to file and merge them directly in Wireshark (even without mergecap), in fact that's how we are forced to do it in the production environment, but in the lab, live trace is so much nicer because we can change the setup (SIP) and see the result immediately.
BTW: Can Wireshark 1.8.x with its multiple interface possibility help me in any way?
No.
It's an alternative that I did not think about when I suggested rpcap. rpcapd (WinPcap) is the better alternative for you and you don't need programming skills.
No. Only with mergecap is it possible to merge the capture files in chronological order. The other solutions will output the packets as they arrive. However, if the time on the Linux machines is synchronized with NTP and there is not much data, the packets will be in chronological order (more or less).
Why is chronological order of two different machines important for you?
That was my last suggestion in the answer. Use Wireshark with multiple -i options. It's the same as within the GUI.
Ah, now I see. rpcap and rpcapd are two different things. I didn't notice that, for the same reason that I didn't catch your last suggestion: So much (excellent) information :-)
The chronological order is important to see the correct sequence for a call (SIP) as it traverses several servers (proxies, user agents, registrars etc.). Some of these servers are located in different networks (even in the lab), hence the need for multiple trace sources. All the servers are synced with NTP and there is not too much data, so maybe we are good here...
Anyway, thank you so much for your effort. It looks promising and I will post the result here if I get it to work.
O.K. good luck!
Sorry for this very late update, the solution was put together just a few days ago.
We have compiled rpcapd for Linux and put it on two servers which tap on a switch in their local site.
From our workstations we start Wireshark with command line parameters (multiple -i rpcap://<host>/<adapter> -f <capture filter>).
This works well and we can now merge the streams from the two sites into one monitor session. With this approach, compared to what we used to do, we can stop and restart the capture in the same Wireshark session.
Thanks again Kurt for putting me in the right direction.
You're welcome.