This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Remote capture via ssh and pipe


Hello Everyone,

I have a new configuration where I try to capture on my Linux machines and display the traffic with Wireshark on Windows. On Windows I'm using Cygwin to receive the data from my Linux machines via ssh:

$ mkfifo /tmp/capture_1
$ ssh [email protected] "tcpdump -s0 -U -n -w - -i eth0 'not port 22'" > /tmp/capture_1

So far everything is working quite well. My problem occurs when I try to capture the pipe. When I try to capture in the same manner on Ubuntu, everything works well.

asked 07 Aug '13, 06:54

ALKA

converted to question 07 Aug '13, 08:42

grahamb ♦

I presume you're using a regular windows version of Wireshark, not some unknown Cygwin version. If so, are Cygwin pipes compatible with Windows programs?

(07 Aug '13, 08:43) grahamb ♦

One Answer:


Please use plink on Windows and pipe the binary output of tcpdump directly to Wireshark, instead of trying to create named pipes with Cygwin (as it looks like in your example).

plink.exe -ssh -pw abc123 [email protected] "tcpdump -ni eth0 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Regards
Kurt

answered 08 Aug '13, 07:12

Kurt Knochner ♦

Thanks a lot!

The named pipes in Cygwin were the problem. plink works fine.

(12 Aug '13, 02:08) ALKA
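As an added example (not code from the original thread or from the Wireshark project): a small Python reader for the pcap stream that "tcpdump -w -" writes to stdout. Piping the remote capture into it shows whether what arrives through the ssh or plink pipe actually starts with a pcap global header and consists of well-formed records, before blaming the pipe or Wireshark; a common reason Wireshark refuses such a stream is text from a login script (an echo in .bashrc, for instance) written to stdout ahead of tcpdump's output. The script name pcapcheck.py and the sample packets are constructed for the example. Two practical caveats on the commands above: tcpdump's -U (packet-buffered) flag, present in the question but not in the answer, makes tcpdump flush each packet to the pipe as it is captured, otherwise packets show up in Wireshark only when the write buffer fills; and plink's -pw puts the password on the command line, where other local users can read it from the process list, so key authentication (-i key.ppk or Pageant) together with -batch, which disables interactive prompts, is the safer choice.

```python
"""
Minimal reader for the pcap stream that "tcpdump -w -" writes to stdout.

Added example, not part of the original thread. Usage on the Windows or
Linux side of the pipe (script name pcapcheck.py is an assumption):

    ssh user@host "tcpdump -U -s0 -n -w - -i eth0 'not port 22'" | python3 pcapcheck.py
"""
import struct
import sys
from io import BytesIO

# Magic numbers that may start a pcap stream: little/big endian, micro/nanosecond stamps.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),
}
GLOBAL_HEADER_LEN = 24   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len
LINKTYPE_ETHERNET = 1


def _read_exact(stream, n):
    """Read up to n bytes, looping because pipes hand out short reads."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def read_pcap_stream(stream):
    """Parse a pcap byte stream into (header, records).

    header  : dict with version, snaplen, linktype and timestamp divisor
    records : list of (timestamp_seconds, original_length, packet_bytes)

    Raises ValueError when the stream does not begin with a pcap global header
    (something else was written to stdout ahead of tcpdump) or when a record
    is truncated or inconsistent with the advertised snaplen.
    """
    head = _read_exact(stream, GLOBAL_HEADER_LEN)
    if len(head) < GLOBAL_HEADER_LEN:
        raise ValueError(f"stream ended inside the global header ({len(head)} bytes)")
    try:
        endian, ts_div = PCAP_MAGICS[head[:4]]
    except KeyError:
        raise ValueError(f"not a pcap stream, starts with {head[:16]!r}") from None
    vmaj, vmin, _thiszone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", head[4:])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "ts_div": ts_div}

    records = []
    while True:
        rec = _read_exact(stream, RECORD_HEADER_LEN)
        if not rec:
            break  # clean end of stream: tcpdump exited
        if len(rec) < RECORD_HEADER_LEN:
            raise ValueError(f"truncated record header after {len(records)} packets")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", rec)
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"inconsistent record #{len(records)}: incl_len={incl_len} "
                             f"orig_len={orig_len} snaplen={snaplen}")
        data = _read_exact(stream, incl_len)
        if len(data) < incl_len:
            raise ValueError(f"truncated packet #{len(records)}: {len(data)} of {incl_len} bytes")
        records.append((ts_sec + ts_frac / ts_div, orig_len, data))
    return header, records


def check_bytes(data):
    """Convenience wrapper for in-memory data (saved captures, tests)."""
    return read_pcap_stream(BytesIO(data))


def write_pcap_stream(packets, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Build a little-endian, microsecond pcap stream from (ts_sec, ts_usec, bytes) tuples.

    Mirrors what "tcpdump -w -" emits, including truncation of incl_len to snaplen.
    """
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, pkt in packets:
        incl = min(len(pkt), snaplen)
        out += struct.pack("<IIII", ts_sec, ts_usec, incl, len(pkt)) + pkt[:incl]
    return out


# Constructed sample: a 60-byte frame and a 1536-byte frame (the latter gets snapped).
SAMPLE_PACKETS = [
    (1375862400, 100, bytes(range(60))),
    (1375862400, 250, bytes(range(256)) * 6),
]


def main():
    header, records = read_pcap_stream(sys.stdin.buffer)
    print(f"pcap v{header['version'][0]}.{header['version'][1]} "
          f"linktype={header['linktype']} snaplen={header['snaplen']}")
    print(f"{len(records)} packets, {sum(len(d) for _, _, d in records)} bytes captured")


if __name__ == "__main__":
    main()
```

If the script reports "not a pcap stream, starts with b'...'", the bytes it shows are what the remote login wrote before tcpdump started; silence that output (or redirect it to stderr) and the same pipe will work for Wireshark.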