In our environment we do a lot of live traces on a specific interface on a Linux server, and pipe the result back to our Windows PC where it is presented in Wireshark. We use PLINK to open an SSH connection to the server and have the stream piped back:

plink.exe -ssh -pw somepassword [email protected] tcpdump -i eth4 -s 0 -w - | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

This works just fine, but now we need to trace simultaneously on two different Linux servers and have the two streams merged into one and presented in Wireshark.

Does anyone know if that's possible or have a hint on what to try?

asked 27 Jul '12, 00:52

sblar


You can't just merge several streams, as that's binary data in libpcap format. What you need is this:

  • write the output of every ssh connection to a named pipe (possible with Linux and Windows)
  • Create a tool that reads from all named pipes and parses the pcap files. Then the tool would output the frames one by one. Either to another named pipe or to STDOUT.
  • Wireshark reads from the named pipe or from STDIN (as you do now)

Windows:

  • run several plink commands and write the output to \\.\pipe\linuxhost1, \\.\pipe\linuxhost2, \\.\pipe\linuxhost3, etc.
  • Use a python/perl script to read from those pipes and let it write to another pipe (\\.\pipe\linuxhostall) or to STDOUT. Sample script: http://wiki.wireshark.org/CaptureSetup/Pipes - Way 3: Python
  • Let Wireshark read from \\.\pipe\linuxhostall or STDIN

Linux:

  • run just one plink command to a Linux system and run a shell script within that ssh connection
  • the shell script creates the named pipes (mkfifo - see link above) and starts several ssh connections to other linux hosts (similar to your plink commands). The output of every ssh connection goes to one of the named pipes. You MUST suppress any output to STDOUT (see below) !!
  • then start a script (perl/python - see example in the link above, or google one) that reads from all named pipes, parses the pcap files and writes the frames one by one to STDOUT
  • STDOUT will be piped to Wireshark (as your script runs in the plink session)

UPDATE:

rpcapd for Linux (WinPcap), together with the multiple interface capture capability of Wireshark 1.8, could be an alternative for the scripting solution.

Try to compile and run rpcapd on your linux systems. Then use dumpcap with multiple -i statements to capture from both/all systems.

http://ask.wireshark.org/questions/13012/remote-packet-capturing-from-command-prompt

You can write the output of dumpcap to STDOUT by using -w - as last parameter.

dumpcap -n -i rpcap://[10.0.0.1]/eth0 -i rpcap://[10.0.0.2]/eth1 -w - | wireshark -k -i -

I have not tested, but it should work. Or run wireshark with -i directly (not tested either)

wireshark -k -n -i rpcap://[10.0.0.1]/eth0 -i rpcap://[10.0.0.2]/eth1

Other Alternatives:

You could also use rpcap for linux. With that you don't need the named pipes on linux. Just one tool that connects to several linux hosts, gets the captured data and writes the frames of all hosts to STDOUT. However, using rpcap requires some programming skills.

Regards
Kurt


answered 27 Jul '12, 03:01

Kurt Knochner ♦

edited 29 Jul '12, 02:06

Thanks Kurt. I got the picture and understand the general idea, but I have no clue on how to write a tool that reads from all pipes and parse the pcap stream so that each frame will come out one by one. Can anyone enlighten me?

Also, I forgot to mention that the resulting trace must contain all frames in chronological order, but maybe that's not an issue at all?

(28 Jul '12, 02:04) sblar

Without programming knowledge, it's rather hard to accomplish. You can start with the sample script (link above).

Also, I forgot to mention that the resulting trace must contain all frames in chronological order, but maybe that's not an issue at all?

That's even harder to do, as you need to buffer the frames from all machines and then write them in the right (chronological) order.

BTW: Why do you need a "live" stream? Can't you just write the captured data on all linux machines to a file and then use mergecap to merge those files into one (chronological order is possible)?

(28 Jul '12, 02:47) Kurt Knochner ♦
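The "tool that reads from all named pipes and parses the pcap files" from the answer above, extended with the chronological buffering this comment describes, as an added example that is not code from the original thread or from the Wireshark wiki script. It assumes plain libpcap streams (as tcpdump -w - produces), not pcapng, and the hosts and frames in demo() are constructed sample data; in real use the inputs would be the named pipes and out would be sys.stdout.buffer.

```python
import heapq, io, struct
PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic; its byte order in the stream reveals the writer's endianness

def read_global_header(stream):  # parse the 24-byte libpcap global header
    hdr = stream.read(24)
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(hdr[:4])
    if len(hdr) != 24 or endian is None:
        raise ValueError("not a libpcap stream (truncated or bad magic; pcapng is not handled)")
    return endian, struct.unpack(endian + "HHiIII", hdr[4:])[5]  # (struct endianness, linktype)

def records(stream, endian):  # yield (ts_sec, ts_usec, orig_len, data) until EOF
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            return  # partial last record on a closed pipe: drop it rather than emit garbage
        yield ts_sec, ts_usec, orig_len, data

def merge_pcap_streams(inputs, out, snaplen=65535):
    """k-way merge: hold one pending frame per input, always emit the oldest.
    With live pipes a silent input stalls the merge until it yields or closes."""
    heap, linktype = [], None
    for idx, stream in enumerate(inputs):
        endian, lt = read_global_header(stream)
        if linktype not in (None, lt):
            raise ValueError("inputs have different link types; plain pcap cannot mix them")
        linktype, it = lt, records(stream, endian)
        for ts_sec, ts_usec, orig_len, data in it:  # prime the heap with each input's first frame
            heapq.heappush(heap, (ts_sec, ts_usec, idx, orig_len, data, it))
            break
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype or 1))
    while heap:
        ts_sec, ts_usec, idx, orig_len, data, it = heapq.heappop(heap)
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), orig_len) + data)
        for nxt in it:  # refill this input's slot with its next frame, if any
            heapq.heappush(heap, (nxt[0], nxt[1], idx, nxt[2], nxt[3], it))
            break

def build_pcap(frames, endian="<"):  # constructed sample stream, linktype 1 (Ethernet)
    hdr = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack(endian + "IIII", s, u, len(p), len(p)) + p for s, u, p in frames)

def demo():  # two constructed hosts (one big-endian) with interleaved timestamps
    host1 = io.BytesIO(build_pcap([(100, 0, b"A1"), (100, 500, b"A2"), (103, 0, b"A3")]))
    host2 = io.BytesIO(build_pcap([(100, 250, b"B1"), (101, 0, b"B2")], endian=">"))
    out = io.BytesIO()
    merge_pcap_streams([host1, host2], out)
    return [(s, u, d) for s, u, _o, d in records(io.BytesIO(out.getvalue()[24:]), "<")]  # skip our header
```

The ordering is only as good as the clocks on the capturing hosts, which is why the NTP remark later in the thread matters.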

see my UPDATE in the answer.

(28 Jul '12, 03:19) Kurt Knochner ♦

Thanks again Kurt, I will look into your suggestions in detail. I'm a little confused though since I can't separate the alternatives from each other; can rpcap for Linux fulfill my needs without programming? After your suggestion to use WinPcap on Linux, you wrote "Try to compile and run rpcapd on your linux systems". Was that a typo or another alternative? Do any of your suggestions work (without programming) when I need the correct order of frames?

I could write data from each machine to file and merge them directly in Wireshark (even without mergecap), in fact that's how we are forced to do it in the production environment, but in the lab, live trace is so much nicer because we can change the setup (SIP) and see the result immediately.

BTW: Can Wireshark 1.8.x with its multiple interface possibility help me in any way?

(28 Jul '12, 07:16) sblar

can rpcap for Linux fulfill my needs without programming?

No.

Was that a typo or another alternative?

It's an alternative that I did not think about when I suggested rpcap. rpcapd (WinPcap) is the better alternative for you and you don't need programming skills.

Do any of your suggestions work (without programming) when I need the correct order of frames?

No. Only with mergecap it is possible to merge the capture files in chronological order. The other solutions will output the packets as they arrive. However, if the time on the linux machines is synchronized with NTP and there is not much data, the packets will be in chronological order (more or less).

Why is chronological order of two different machines important for you?

BTW: Can Wireshark 1.8.x with its multiple interface possibility help me in any way?

That was my last suggestion in the answer. Use Wireshark with multiple -i options. It's the same as within the GUI.

(28 Jul '12, 08:05) Kurt Knochner ♦

Ah, now I see. rpcap and rpcapd are two different things. I didn't notice that, for the same reason that I didn't catch your last suggestion: So much (excellent) information :-)

The chronological order is important to see the correct sequence for a call (SIP) as it traverses several servers (proxies, user agents, registrars etc.). Some of these servers are located in different networks (even in the lab), hence the need for multiple trace sources. All the servers are synced with NTP and there is not too much data, so maybe we are good here...

Anyway, thank you so much for your effort. It looks promising and I will post the result here if I get it to work.

(28 Jul '12, 13:34) sblar

O.K. good luck!

(28 Jul '12, 14:46) Kurt Knochner ♦

Sorry for this very late update, the solution was put together just a few days ago.

We have compiled rpcapd for linux and put it on two servers which tap on a switch in their local site.

From our workstations we start Wireshark with command line parameters (multiple -i rpcap://<host>/<adapter> -f <capture filter>).

This works well and we can now merge the streams from the two sites into one monitor session. With this approach, compared to what we used to do, we can stop and restart the capture in the same Wireshark session.

Thanks again Kurt for putting me in the right direction.

(09 Apr '13, 05:36) sblar

You're welcome.

(09 Apr '13, 05:50) Kurt Knochner ♦

Seeing as this is actually fairly recent... For what it's worth, I'll leave here my preferred one-liner solution for live remote capture on non-standard ssh ports using Windows' version of wireshark and standard tcpdump on whatever flavor of Linux the remote machine has. It doesn't strictly require you to use a key to authorize, but if you don't, it stops being a one-liner. Also, it isn't hugely efficient in that some of the packets get lost to whatever perils there exist in ssh tunnels... Yet it allows you to benefit from the convenience of Windows Wireshark while utilizing the power of Linux's tcpdump. I experimented with opening remote/local tunnels seeking to capture and display all the packets that came, even if they would be displayed with a delay, and this so far is the most accurate representation. Still, not ALL the packets show up on the capture, compared to a local file tcpdump dump. For various reasons of convenience, I can't/don't want to use named pipes unless they can be incorporated into a one-liner. The quest continues :)

Anyway, using cygwin with standard packages:

ssh -i [PATH_TO_PRIVATE_KEY] -p [REMOTEPORT] [REMOTE_USER]@[REMOTE_HOST] "tcpdump -ni [REMOTEINTERFACE] -s 0 -w - not port 22 and not port [REMOTEPORT] | gzip" | gunzip | "[LOCAL_WINDOWS_PATH.EXE]" -k -i -

(Unconvinced about gzip|gunzip, but so far my tests show that fewer packets get lost this way, at the cost of speed and latency of course.)

answered 17 Apr '16, 02:21

katzurki

question asked: 27 Jul '12, 00:52

question was seen: 9,255 times

last updated: 17 Apr '16, 02:21