This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

problem capturing remotely by running tshark on the remote machine and piping it to Wireshark

0

I am having a few problems running tshark via ssh.


SSH host

# uname -rpo
FreeBSD 10.1-RC1 amd64
# tshark -v
TShark 1.12.1 (Git Rev Unknown from unknown)
# cat /etc/resolv.conf
nameserver 127.0.0.1
options edns0

Client

$ tshark -v
TShark (Wireshark) 1.99.0-2027-g9c1225f (v1.99.0-rc1-2027-g9c1225f from unknown)
$ sw_vers
ProductName:    Mac OS X
ProductVersion: 10.10
BuildVersion:   14A379a

Connect

$ ssh server1 'tshark -f "port not 22" -w -' | wireshark -k -i -
adns: /etc/resolv.conf:2: unknown option `edns0'
Capturing on 're0'
FIX: packet list heading menu sensitivity
FIX: packet list heading menu sensitivity
FIX: packet list heading menu sensitivity


asked 06 Oct '14, 08:45


denji
accept rate: 0%

edited 06 Oct '14, 16:27


Guy Harris ♦♦


One Answer:

2

TShark 1.12.x, by default, doesn't write libpcap format with -w, it writes pcap-ng format, and dumpcap (which is what Wireshark uses to do capturing) ONLY reads libpcap format.

If you want to use TShark to capture on the server, you'd need to do tshark -F pcap -f "port not 22" -w -.

However, in your example, there is no good reason to use TShark; dumpcap would do better, and tcpdump would probably do even better:

ssh server1 'tcpdump -w - port not 22' | wireshark -k -i -

Furthermore, as your server is running FreeBSD 10, its tcpdump supports the -U flag, which causes the standard output buffers to be flushed after each packet batch, so the entire packet batch gets written to the standard output at that point rather than part of the last packet being written only when the next packet is seen, so you probably want to do

ssh server1 'tcpdump -U -w - port not 22' | wireshark -k -i -

(Note that -U should not be used if the remote machine's tcpdump is earlier than tcpdump 3.8 or if the libpcap it uses is earlier than libpcap 0.8; this means you will probably be able to use it on most machines these days.)

answered 06 Oct '14, 15:17


Guy Harris ♦♦
accept rate: 19%
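As an added example (not part of the answer above or of the Wireshark project), a small POSIX shell helper that reads the first four bytes of a saved capture header and reports whether it is libpcap (what "wireshark -k -i -" accepts from a pipe) or pcapng, which is what TShark 1.12.x emits by default with -w. The file name argument and the temporary header file in the usage comment are assumptions; saving the first bytes of the remote command's output and running this on them is a quick way to confirm which format the remote tool is really producing before building the pipeline.

```shell
#!/bin/sh
# Added example: classify a capture file by its magic number.
# Usage:  pcap_format FILE
# To check a remote tool's output (hypothetical host/filter):
#   ssh server1 'tshark -f "port not 22" -w -' | dd bs=4 count=1 > hdr.bin 2>/dev/null
#   pcap_format hdr.bin

pcap_format() {
    # First 4 bytes as a lowercase hex string with no separators.
    # dd/od/tr are POSIX; this works in sh, dash and bash.
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')

    case "$magic" in
        # libpcap, microsecond timestamps: 0xa1b2c3d4 big- or little-endian
        a1b2c3d4|d4c3b2a1) echo "pcap (microsecond timestamps)" ;;
        # libpcap, nanosecond timestamps: 0xa1b23c4d big- or little-endian
        a1b23c4d|4d3cb2a1) echo "pcap (nanosecond timestamps)" ;;
        # pcapng Section Header Block type 0x0a0d0d0a (byte order independent)
        0a0d0d0a)          echo "pcapng" ;;
        *)                 echo "unknown" ;;
    esac
}
```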