I'm trying to set up a remote capture from a Debian box to Wireshark running on Windows. I'm using the following command:
Which throws an error on Wireshark startup as a popup window saying "No Packets captured! As no data was captured, closing the temporary capture file", and another popup saying:
The second sentence translates roughly as: "Operation completed successfully." To test that this is not an issue with my ssh connection, I tried piping from tshark to Wireshark locally using
which leads to the same errors. Any suggestions?

Edit: Just updated to Wireshark 1.12.0, everything still the same.

asked 01 Aug '14, 02:04 pguetschow, edited 01 Aug '14, 02:05
One Answer:
Wireshark can't read pcap-ng (default output format of tshark) from STDIN. Please try this:
or
Regards

answered 01 Aug '14, 02:14 Kurt Knochner ♦
Thanks, this works for the local variant.
When piping from plink I get an error about "pcap" not being a supported format. Choosing libpcap leads to the same behavior as before. Is libpcap a different format and my version of tshark just doesn't know about pcap?
It's the same. Your tshark version on Debian is just different than on Windows (there was a rename of the option).
Thanks for the help so far. Do you have any ideas what could cause the problem when tunneling via ssh? Or is that outside of the scope of AskWireshark?
What is the version of the remote copy of tshark?
Tshark 1.8.2
Please try it with tcpdump
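
An added diagnostic example, not part of the original thread: a small Python check that reads the first bytes arriving on a pipe and reports whether they are a pcap header, a pcap-ng Section Header Block, or something else (such as error text from the remote side). The function name is hypothetical and the sample bytes in the test are constructed; the magic numbers are those of the pcap and pcap-ng file formats.

```python
import sys

# File-format magic numbers (pcap global header, pcap-ng Section Header Block).
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap big-endian",
    b"\xd4\xc3\xb2\xa1": "pcap little-endian",
    b"\xa1\xb2\x3c\x4d": "pcap big-endian (nanosecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap little-endian (nanosecond timestamps)",
}
PCAPNG_SHB = b"\x0a\x0d\x0d\x0a"      # block type of the Section Header Block
PCAPNG_BOM = {
    b"\x1a\x2b\x3c\x4d": "pcap-ng big-endian",
    b"\x4d\x3c\x2b\x1a": "pcap-ng little-endian",
}


def sniff_capture_format(stream):
    """Classify the start of a binary stream by its capture-file magic."""
    head = stream.read(12)
    if not head:
        return "empty stream"
    if len(head) < 4:
        return "truncated header"
    magic = head[:4]
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic]
    if magic == PCAPNG_SHB:
        # Bytes 4-7 are the block length; bytes 8-11 are the byte-order magic.
        if len(head) < 12:
            return "truncated header"
        return PCAPNG_BOM.get(head[8:12], "pcap-ng with invalid byte-order magic")
    # Anything else: text from the shell, an error message, a login banner...
    return "not a capture header: %r" % head


if __name__ == "__main__":
    # Read raw bytes from the pipe and report what the sender is emitting.
    print(sniff_capture_format(sys.stdin.buffer))
```

Putting this script at the receiving end of the pipe in place of Wireshark shows which format the capture side actually writes.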