This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Remote capture on Linux

0

Hi all, I have one question regarding remote capture. I am asking it here so that anyone else can also get the relevant discussions.

My question is why the Wireshark versions for the Linux platform don't have the "Remote interface" option in the Options menu like Windows?

  1. Can we enable it by changing the configure file during installation?
  2. Will it work similarly to the Wireshark versions available for Windows?
  3. Is it unavailable as we can capture packets of a remote Linux machine from a host Linux machine using an ssh tunnel with a pipe?

Please answer me.

Thanks in advance!

asked 23 Jul '13, 09:15

baila

converted 23 Jul '13, 09:54

grahamb ♦

I've converted your comment on another question to its own question; each question should remain distinct.

(23 Jul '13, 09:55) grahamb ♦

Thanks grahamb. Actually, previously one of my questions was closed as a duplicate, so I felt safe to continue this discussion there. Thanks a lot for your concern.

(23 Jul '13, 10:44) baila

One Answer:

3

> My question is why the Wireshark versions for the Linux platform don't have the "Remote interface" option in the Options menu like Windows?

Because the libpcap version for the Linux platform doesn't have the APIs to support remote packet capture.

> Can we enable it by changing the configure file during installation?

No.

You could enable it by hacking libpcap to support remote packet capture, installing your modified version of libpcap, and building Wireshark with the new version of libpcap, although you might have to hack Wireshark to recognize that your version of libpcap supports remote packet capture.

At some point in the future libpcap for non-Windows platforms might support remote packet capture, in which case Wireshark would be modified to support that.

answered 23 Jul '13, 18:53

Guy Harris ♦♦

Thanks Guy for your answer. Let me try that thing. Hope that it would work!

(23 Jul '13, 23:14) baila

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(23 Jul '13, 23:18) grahamb ♦

Hi Guy, I have tried the remote capture using an ssh tunnel as per the following instructions:

  1. mkfifo /tmp/packet_capture
  2. ssh hostname_or_ip_of_remote_pc "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/packet_capture
  3. wireshark -k -i /tmp/packet_capture

But during the 2nd step, sometimes the password authentication does not come up and it just pauses. Am I doing anything wrong? Without that " > /tmp/packet_capture", it's all working fine.

Thanks in advance.

(24 Jul '13, 05:42) baila

Hi all, please share if you have any update on this issue.

Thanks.

(25 Jul '13, 00:42) baila

Baila, the reason why it "pauses" during step two is because it's waiting for you to type in the command (on a separate terminal) for step three. At that point go back to the terminal for step two and it should prompt you for the password.

(14 Sep '13, 15:06) Marikawn
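
The pause discussed in the comments above can be reproduced without a remote host. This is an added example, not part of the original thread: a stand-in command replaces the ssh/tcpdump pipeline, and the function name `fifo_demo`, the temporary directory and the marker file are assumptions made for illustration.

```shell
#!/bin/sh
# Added demonstration (constructed, runs offline): a stand-in command replaces
# the ssh/tcpdump pipeline from the thread; the FIFO behaviour is the same.

# fifo_demo: reports the writer's state before and after a reader attaches,
# followed by the data the reader received.
fifo_demo() {
    dir=$(mktemp -d) || return 1
    fifo="$dir/packet_capture"      # stands in for /tmp/packet_capture
    marker="$dir/writer_started"    # created only once the writer command runs
    mkfifo "$fifo" || return 1

    # Writer, like step 2: the shell opens the FIFO for the redirection
    # *before* it executes the command, and that open blocks with no reader.
    # In the thread, this is why ssh never gets to ask for a password.
    ( { touch "$marker"; printf 'capture-bytes\n'; } > "$fifo" ) &
    writer=$!

    sleep 1
    if [ -e "$marker" ]; then before=started; else before=blocked; fi

    # Reader, like step 3 (wireshark -k -i FIFO): opening the read end
    # releases the writer, which only now runs its command.
    data=$(cat "$fifo")
    wait "$writer"

    if [ -e "$marker" ]; then after=started; else after=blocked; fi
    rm -rf "$dir"
    printf '%s %s %s\n' "$before" "$after" "$data"
}

fifo_demo   # prints: blocked started capture-bytes
```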