This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

my ssh terminal hangs when I try remote capture on Linux.

0

I issue following commands:

1) mkfifo /tmp/pipe
2) ssh [email protected] "tcpdump -i em1 -s 0 -U -w - not port 22" > /tmp/pipe

The strange thing is that when I tried it the first time it worked fine. But when I tried it for the second time my ssh terminal hangs when I issue the second command.

(I also tried restarting both systems, but I am having the same problem.)

Thanks in advance!

Regards, Ritwick

This question is marked "community wiki".

asked 30 Apr '13, 23:39


rkumar
accept rate: 0%

edited 06 Mar '14, 18:08


cmaynard ♦♦


One Answer:

2

Just tried myself on my MacBook remotely capturing from a linux VM in the datacenter and it works like a charm.

Although it's not really a wireshark issue (more an OS or SSH issue), could you help us help you by:

  • telling us what OS versions you use on both systems
  • telling us what you mean by "my ssh terminal hangs"; it does show a blank screen until you actually start capturing from the pipe with a second terminal window.
  • trying to capture from the pipe in another terminal window with: "tshark -i /tmp/pipe". Does it work?
  • trying to split the problem, by first just piping the data to a normal file and reading the file after quitting the ssh command. Does that work?

answered 01 May '13, 01:59


SYN-bit ♦♦
accept rate: 20%

First of all thank you for your kind concern.

  • I am using fedora 18 on both systems.
  • It is not showing a blank screen, but the pointer on my terminal keeps blinking and nothing happens after that. When I press Ctrl+C it stops and everything gets back to normal.
  • trying to capture from the pipe in another terminal window with: "tshark -i /tmp/pipe" -- Can you please explain how I should do this? I am a newbie, sorry.
  • I tried piping the data to a normal file. It worked! But the format is not readable. I am pasting a sample of it. (Binary capture data deleted for readability.)

JUST TO INFORM YOU "MY PURPOSE IS SOLVED" I TRIED OPENING THAT NORMAL FILE WITH Wireshark and I got what I was looking for !!!!

Thank you very much, Ritwick

(01 May '13, 05:28) rkumar

(I converted your "answer" to a "comment"; that's the way this site works best. Please see the FAQ.)

OK, it is correct that your terminal window will stall, as ssh is running and there is no screen output (as that's redirected to the pipe). It is also normal that the output is binary, as it is pcap-formatted data. So it looks like all is fine and you are just missing the last step.

When you redirect the remote tcpdump data to the pipe, you make it available for reading from another process. You can open another terminal screen on the system on which you created the pipe and performed the SSH command.

In that window, use "wireshark -i /tmp/pipe -k" to start wireshark and capture live traffic over the SSH tunnel.

(01 May '13, 05:45) SYN-bit ♦♦

(If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.)

(01 May '13, 05:50) SYN-bit ♦♦

Using "wireshark -i /tmp/pipe -k" will not work, because the issue is partially solved: I am getting output in a normal file (hello.txt), not in the file created by mkfifo (i.e. mkfifo /tmp/pipe).

Why is it not working with the FIFO special file created by mkfifo?

(01 May '13, 06:17) rkumar

OK, can you try the following in two terminal windows:

terminal window 1:

mkfifo /tmp/pipe
ssh [email protected] "echo 'Hello world.'" > /tmp/pipe

terminal window 2:

cat /tmp/pipe

This should give you the output "Hello world." in terminal window 2 and should give you a prompt back in terminal window 1.

If that does not happen, then there is something wrong with the creation of the fifo. That would be something to ask on a fedora forum, instead of here.

If that does work as expected, could you post the exact commands that you tried in both terminal windows when you tried to get wireshark working over the SSH tunnel?

(01 May '13, 06:30) SYN-bit ♦♦

Dear friend, when I issue the command "ssh [email protected] "echo 'Hello world.'" > /tmp/pipe"

I am facing the same problem which I was facing earlier. It keeps blinking instead of asking me for the password of the remote host (192.192.8.199).

(01 May '13, 06:51) rkumar

I just tried without SSH public/private keypairs (which make a password-less login possible). The password prompt only appears after you read from /tmp/pipe in the second terminal window.

So in my case, the procedure is:

  • mkfifo /tmp/pipe (in terminal window 1)
  • ssh [email protected] "echo 'Hello world.'" > /tmp/pipe (in terminal window 1)
  • cat /tmp/pipe (in terminal window 2)
  • Enter password at password prompt (in terminal window 1)
  • "Hello world." appears (in terminal window 2)

Can you try this?

(01 May '13, 08:35) SYN-bit ♦♦

Thanks buddy, it worked!!!!

you are really very helpful :)

If you don't mind, can you tell me why it is not prompting for a password if we don't open the FIFO special (pipe) file?

Thanks, Ritwick

(01 May '13, 23:47) rkumar
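The behaviour asked about in the last comment (no password prompt until something reads the pipe) comes from two facts: the shell performs the `> /tmp/pipe` redirection before it starts ssh, and open(2) on a FIFO for writing blocks until another process opens it for reading, so ssh never even starts. The script below is an added example, not part of the original thread; it uses a temporary directory instead of /tmp/pipe and `touch; echo` as a stand-in for the ssh command.

```shell
#!/bin/sh
# Added example: why "ssh host cmd > /tmp/pipe" shows no password prompt until
# the pipe is read. The shell opens the FIFO (the redirection) before running
# the command, and opening a FIFO for writing blocks until a reader opens it.

WORK="$(mktemp -d)"          # constructed scratch directory, stands in for /tmp
FIFO="$WORK/pipe"
MARK="$WORK/command-started" # created only if the redirected command ever runs
mkfifo "$FIFO"

# Terminal window 1 alone: writer started, nobody reading the FIFO.
# "touch; echo" stands in for the ssh command. Prints "blocked" if the command
# never ran within the timeout (the open(2) is still pending), else "completed".
writer_without_reader() {
    rm -f "$MARK"
    ( touch "$MARK"; echo 'Hello world.' ) > "$FIFO" &
    pid=$!
    sleep 1
    if kill -0 "$pid" 2>/dev/null && [ ! -e "$MARK" ]; then
        kill "$pid"
        wait "$pid" 2>/dev/null || true
        echo blocked
    else
        echo completed
    fi
}

# Terminal windows 1 and 2: the same writer plus a reader (cat) on the other
# end. Opening the read end releases the writer's pending open(2); the command
# now runs and its output reaches the reader. Prints that output.
writer_with_reader() {
    rm -f "$MARK"
    ( touch "$MARK"; echo 'Hello world.' ) > "$FIFO" &
    pid=$!
    out=$(cat "$FIFO")       # this is the "cat /tmp/pipe" in terminal window 2
    wait "$pid"
    [ -e "$MARK" ] && echo "$out"
}

case "${1:-}" in
    demo)
        echo "without reader: $(writer_without_reader)"
        echo "with reader:    $(writer_with_reader)"
        rm -rf "$WORK"
        ;;
esac
```

Run it as `sh fifo-demo.sh demo`; the first line reports `blocked`, the second prints `Hello world.`, mirroring the two-terminal procedure above.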