This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi,

I am wanting to setup a remote interface as I am using an Aerohive Remote Sniffer http://boundless.aerohive.com/blog/innovative-wi-fi-how-to-do-packet-captures.html

I have spent a while looking online and my understanding is that this feature is only implemented in Windows. I have been looking for a linux alternative but everything I find seems to be about piping the network traffic from another unix machine to a local machine over ssh.

I was just wondering if there are any linux alternatives to the wireshark remote interface feature.

Thanks for your time

asked 22 Sep '16, 23:40

roy_muzz's gravatar image

roy_muzz
6112
accept rate: 0%


Wireshark on Linux does not support the rpcap method. Capturing over an encrypted SSH session is the way to go for Linux.

On older versions of Wireshark, your only method for remote live captures is a pipe from stdin (with the limitation that you have to restart Wireshark every time you want to restart your capture). Quite inconvenient, but here are two examples (see manual pages for explanation of options: dumpcap, wireshark, tcpdump):

ssh [email protected] dumpcap -i eth0 -P -w - -f 'tcp port 80' | wireshark -i - -k -p
ssh [email protected] sudo tcpdump -Z user -i eth0 -p -U -w - 'tcp port 80' | wireshark -i - -k -p

Typically dumpcap is installed with extra capabilities (see CaptureSetup/CapturePrivileges), so no root is needed. For tcpdump you might have to configure a password-less sudo (edit with visudo -f /etc/sudoers/wireshark-tcpdump, add %wireshark ALL = NOPASSWD: /usr/sbin/tcpdump to allow everyone from the "wireshark" group use password-less sudo for just tcpdump).

Newer versions of Wireshark (since 2.2) however have the "Extcap" mechanism. If you have dumpcap installed on the remote server, you can configure the "sshdump" interface in the interfaces list (set a user and host). Then you can capture from it as if it was a local one (behind the scenes it uses ssh + dumpcap). This mechanism can also be used for tcpdump, but sshdump currently does not support it (see https://git.lekensteyn.nl/peter/wireshark-notes/tree/extcap/ssh-tcpdump for an alternative script).

permanent link

answered 24 Sep '16, 02:29

Lekensteyn's gravatar image

Lekensteyn
2.2k3724
accept rate: 30%

Not that currently sshdump doesn't work that well on Windows, see bug 12884.

(24 Sep '16, 05:01) grahamb ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×154
×26
×11

question asked: 22 Sep '16, 23:40

question was seen: 5,350 times

last updated: 24 Sep '16, 05:01

p​o​w​e​r​e​d by O​S​Q​A