This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Pipe tcpdump from two machines to wireshark in my local machine

0

Hi
My computer is running on windows 7. I need to do tcpdump on two different linux machines (machine2 and 3) that are only accessible from another linux machine (machine1) which is the only one I have access to, then pipe both of them results to my laptop to one instance of wireshark. Is this possible to be done?. Or at least to only one machine? If this is possible could you please explain to me how can this be done, or any alternative. In summary

client(windows-wireshark) -> linux(machine1) -> linux(machine2-tcpdump)    
                                             -> linux(machine3-tcpdump)

Thanks in advance.

asked 14 May '16, 19:21

Carlos%20Lopez's gravatar image

Carlos Lopez
6225
accept rate: 0%

edited 15 May '16, 06:19

There are actually several things to deal with. If you need live captures, your main issue will be to make Wireshark capture from two pipes simultaneously. If you don't need live captures, it should be enough to save the capture output to files on the source machines, download the files, and merge them together on your Windows machine.

You may want to use the tunnelling capability of ssh to deliver the captured data from machines 2 and 3 to your Windows PC; if you have root rights at 2 and 3, you can make their local tcp port represent one at your PC, so whatever you send to localhost:X at machine2 will come to localhost:Y at your PC.

If you need more information, please specify more details about the whole arrangement.

(15 May '16, 02:15) sindy

Sindy.
Yes I need live captures of the two machines simultaneously (if possible) to be seen on my local machine on one instance of wireshark. I have root rights on machines 1, 2 and 3. Can you help me to set up the tunneling to achieve this?. I have used plink before to do this but only towards machine1, but now I need it towards 2,3 but the only access I have to reach 2 and 3 is through machine 1.
Thanks.

(15 May '16, 06:26) Carlos Lopez

Do I get you right that you have already been using plink to capture remotely on a single linux machine and feed the output to Wireshark running on a Windows machine? So this part would be out of question? If so, were you also using a named pipe on Windows as part of that arrangement?

(15 May '16, 07:08) sindy

That is correct.
This is what I have in a .bat file

cd c:\

"Program Files (x86)/PuTTY/plink.exe" -ssh -pw root [email protected] "tcpdump -i eth1 -s 0 -U -n -w - 'tcp port not 22'" | "/wireshark/wireshark.exe" -k -i -

where 10.10.10.1 is machine 1

The previous .bat file opens wireshark and after a few seconds I can see the packets being captured. What I need is through machine1 do something similar towards 2 and 3.
192.168.0.2 is machine2 192.168.0.3 is machine3 Thanks

(15 May '16, 10:05) Carlos Lopez

One Answer:

0

Okay, so we have two points to address:

  • how to make plink reach machine 2 (3) via machine 1,

  • how to make Wireshark capture from two queues simultaneously.

The first one is easy: you use one instance of plink to log in to machine1 and set up a tunnel through that ssh session from your Windows machine's local tcp port to machine2's tcp port 22 the following way:

start "c:\Program Files (x86)\PuTTY\plink.exe" -ssh [email protected] -pw machine1_root_pwd -L 20022:machine2s_IP:22

machine2s_IP is the IP address of machine2 which machine1 can access.

This will open a new command line window for that instance of plink but won't prevent the script from continuing further. You can get rid of that extra window by using a /B option to the start command but I'd recommend you to do that only after you debug the whole solution.

On the next line of the batch, you start the plink as you did, except that you specify the socket on your local machine as the server:

"c:\Program Files (x86)\PuTTY\plink.exe" -ssh [email protected] -P 20022 -pw mchn2_root_pwd "tcpdump -i eth1 -s 0 -U -n -w - 'tcp port not 22'" | wireshark ...

The second part is a bit of a headache. I've asked you on purpose whether you've already used a named pipe. The trouble is that you cannot feed Wireshark with two distinct streams through the (single) standard input (using -i -, you tell Wireshark to read the capture from standard input rather than a physical interface), so you'd have to use two distinct named pipes.

But while on linux it is possible to create and feed a named pipe from the command line, it seems not to be the case at Windows, so unless you'll find a ready-made solution, you'll need to write a piece of code in order to be able to set up the named pipes and feed them with the data output by the plink. So your command line options to Wireshark would be -k -i \\.\pipe\from-machine-2 -i \\.\pipe\from-machine-3, and you would have to start Wireshark with these options only as late as when both pipes have already come into existence. To make things more complex, the -k is necessary; if you omit it and then start the capture manually in the Wireshark window, it fails. Some suggestions can be found at the Wireshark wiki on pipes. I use perl for the purpose, but I don't have a piece of code which would copy its standard input to the named queue and act as a buffer to temporarily store the input data as they arrive until Wireshark starts reading them.

So instead of using | to pipe plink's output straight to the standard input of Wireshark, you have to pipe it to that code:

start "c:\Program Files (x86)\PuTTY\plink.exe" -ssh [email protected] -P 20022 -pw mchn2_root_pwd "tcpdump -i eth1 -s 0 -U -n -w - 'tcp port not 22'" | your_pipe_writer from-machine-2

start "c:\Program Files (x86)\PuTTY\plink.exe" -ssh [email protected] -P 30022 -pw mchn3_root_pwd "tcpdump -i eth1 -s 0 -U -n -w - 'tcp port not 22'" | your_pipe_writer from-machine-3

And the last point is that despite what the Wiki says, Wireshark only accepts pcap (i.e. not pcapng) data format through stdin or named pipes, so depending on your tcpdump version, you may need to use the right option to make it output pcap. This excludes capturing on more than one interface by the same instance of tcpdump, i.e. in a generic case you'd need one tcpdump instance and named pipe per each source interface.

answered 15 May '16, 14:32

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

edited 15 May '16, 21:55

Thanks Sindy, I will read your answer carefully, and will try to put it into practice. I may come back if you don't mind with another question related to this. Thanks.

(16 May '16, 16:05) Carlos Lopez