This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to do this:

$ mkfifo /tmp/sharkfin
$ wireshark -k -i /tmp/sharkfin &
$ ssh [email protected] "dumpcap -w - not port 22" > /tmp/sharkfin

On a Linux box, connecting via SSH to a Windows box? I.e., the Windows box is the one performing the actual capture and passing the traffic back to the Linux box.

Any reason why it wouldn't work?

As a side note, yes, I know about rpcap, but I don't want to use it if I can help it.

asked 01 Sep '12, 20:02

DefensiveDepth


Well, I tried it UN*X-to-UN*X, and it worked, as long as I quoted the filter in the dumpcap command and told it to dump in pcap rather than pcap-NG format (this is with the version on the trunk, but the same applies to 1.8.x), i.e.

ssh [email protected] "dumpcap -P -w - 'not port 22'" > /tmp/sharkfin

If it's pre-1.8, you can, and need to, leave the -P flag out.

For Windows, it'll probably work too, but you'd have to have an ssh daemon on the Windows box and arrange that, if you try to ssh to the Windows box and run dumpcap, it finds dumpcap - you might have to explicitly specify the path to dumpcap.

answered 02 Sep '12, 16:08

Guy Harris ♦♦

$ ssh [email protected] "dumpcap -w - not port 22" > /tmp/sharkfin

Any reason why it wouldn't work?

You did not specify the interface number for dumpcap, so it will use the first interface. That might not be your LAN interface (depends on the configuration of your Windows system).

Please run this command from the Linux box.

$ ssh [email protected] "dumpcap -D -M"

It will show you two things:

First: if dumpcap is found, without specifying the full path. If not, run the following command:

$ ssh [email protected] "%PROGRAMFILES%\Wireshark\dumpcap -D -M"

Second: if the first interface (Interface ID 1) is the one you want to capture on. If not, please run this command, specifying the interface number.

$ ssh [email protected] "dumpcap -ni 2 -w - not port 22" > /tmp/sharkfin

BTW: The SSH Daemon on Windows may have problems forwarding the binary data through the SSH tunnel. That's unlikely but not impossible. What is the SSH daemon you were using on Windows?

Regards
Kurt

answered 08 Aug '13, 07:59

Kurt Knochner ♦
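The fifo pipeline from the question with both answers' corrections applied (quoted filter, -P for pcap on dumpcap 1.8 or later, explicit interface index from `dumpcap -D -M`), as an added shell example that is not code from the thread; the host, the interface names and the sample `-D -M` listing are constructed placeholders. It refuses to fall back to the first interface silently, and the capture filter keeps the SSH session carrying the data out of the capture.

```shell
#!/bin/sh
# Added example, not from the original thread. Host names and the sample
# `dumpcap -D -M` listing are constructed placeholders.

# Constructed sample of `dumpcap -D -M` output (real output is tab-separated
# and its columns vary by version; only the leading "N." index is relied on).
SAMPLE_IFACE_LIST='1. \Device\NPF_{00000000-0000-0000-0000-000000000001}  Intel Ethernet  Ethernet  0  network
2. \Device\NPF_{00000000-0000-0000-0000-000000000002}  Wireless  Wi-Fi  0  wireless'

# pick_iface_index LIST PATTERN: index of the first line containing PATTERN.
# Exits non-zero when nothing matches, so a caller never falls back to the
# "first interface" default by accident (the trap the second answer warns about).
pick_iface_index() {
    printf '%s\n' "$1" | awk -v pat="$2" \
        'index($0, pat) { sub(/\..*/, ""); print; found = 1; exit }
         END { exit !found }'
}

# remote_dumpcap_cmd INDEX FILTER [old]: the command string handed to the
# remote shell. The filter is single-quoted so it reaches dumpcap as one
# argument; "not port 22" keeps the carrying ssh session out of the capture.
# Pass "old" for pre-1.8 dumpcap, which has no -P flag and writes pcap anyway.
remote_dumpcap_cmd() {
    pflag="-P "
    if [ "${3:-}" = "old" ]; then pflag=""; fi
    printf "dumpcap %s-i %s -w - '%s'" "$pflag" "$1" "$2"
}

# start_capture USER@HOST INDEX FILTER [old]: wire it together on the Linux box.
start_capture() {
    fifo=/tmp/sharkfin
    [ -p "$fifo" ] || mkfifo "$fifo"
    wireshark -k -i "$fifo" &
    # dumpcap writes pcap to its stdout; ssh carries it, encrypted, into the fifo.
    ssh "$1" "$(remote_dumpcap_cmd "$2" "$3" "${4:-}")" > "$fifo"
}

# The real capture only runs when invoked as: ./script run user@host Wi-Fi
if [ "${1:-}" = "run" ]; then
    idx=$(pick_iface_index "$(ssh "$2" 'dumpcap -D -M')" "$3") || exit 1
    start_capture "$2" "$idx" 'not port 22'
fi
```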
