Hi, I am wanting to set up a remote interface as I am using an Aerohive Remote Sniffer http://boundless.aerohive.com/blog/innovative-wi-fi-how-to-do-packet-captures.html I have spent a while looking online and my understanding is that this feature is only implemented in Windows. I have been looking for a Linux alternative but everything I find seems to be about piping the network traffic from another Unix machine to a local machine over SSH. I was just wondering if there are any Linux alternatives to the Wireshark remote interface feature. Thanks for your time. asked 22 Sep '16, 23:40 roy_muzz
One Answer:
Wireshark on Linux does not support the rpcap method. Capturing over an encrypted SSH session is the way to go for Linux. On older versions of Wireshark, your only method for remote live captures is a pipe from stdin (with the limitation that you have to restart Wireshark every time you want to restart your capture). Quite inconvenient, but here are two examples (see manual pages for explanation of options: dumpcap, wireshark, tcpdump):
Typically dumpcap is installed with extra capabilities (see CaptureSetup/CapturePrivileges), so no root is needed. For tcpdump you might have to configure a password-less sudo (edit with

Newer versions of Wireshark (since 2.2) however have the "Extcap" mechanism. If you have dumpcap installed on the remote server, you can configure the "sshdump" interface in the interfaces list (set a user and host). Then you can capture from it as if it was a local one (behind the scenes it uses ssh + dumpcap). This mechanism can also be used for tcpdump, but

answered 24 Sep '16, 02:29 Lekensteyn
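The SSH pipe the answer describes, written out as an added example; this is not part of the original answer and not Wireshark project code. The host sensor.example.net, the user "capture" and the interface eth0 are assumed names, and the script assumes key-based SSH authentication, a POSIX sh-compatible login shell on the remote side, and either dumpcap with capture capabilities or password-less sudo for tcpdump there, as the answer describes.

```shell
#!/bin/sh
# Added example, not from the original answer: stream a live capture from a
# remote Linux host into a local Wireshark over SSH (the stdin-pipe method).
# Assumptions (hypothetical): remote host sensor.example.net, SSH user
# "capture", interface eth0, key-based auth, and a POSIX sh-compatible login
# shell on the remote side (the capture filter below is expanded there).

# Build the command that runs on the remote host.
#   $1 = remote interface, $2 = "dumpcap" (default) or "tcpdump"
# The capture filter excludes the SSH session that carries the capture itself.
# Without it every captured packet produces SSH traffic, which is captured,
# which produces more SSH traffic: a feedback loop that floods the pipe.
# sshd sets SSH_CONNECTION="<client ip> <client port> <server ip> <server port>"
# in the remote session, so the filter (single-quoted here, expanded remotely)
# names exactly that session instead of hiding all of tcp port 22.
remote_capture_cmd() {
    iface=$1
    tool=${2:-dumpcap}
    filter='not (host ${SSH_CONNECTION%% *} and tcp port ${SSH_CONNECTION##* })'
    case $tool in
        # -w -  write the capture to stdout; -P  classic pcap rather than
        # pcapng, the safest format for a pipe into older local versions;
        # -q  no packet counts on stderr
        dumpcap) printf '%s\n' "dumpcap -q -P -i $iface -w - -f \"$filter\"" ;;
        # -U  packet-buffered stdout, so packets arrive as they are seen instead
        # of in block-sized bursts; -s 0  full snaplen; sudo as the answer says
        tcpdump) printf '%s\n' "sudo tcpdump -U -s 0 -i $iface -w - \"$filter\"" ;;
        *) echo "remote_capture_cmd: unknown tool '$tool'" >&2; return 1 ;;
    esac
}

# Run the remote capture and feed it to the local Wireshark.
#   $1 = user@host, $2 = remote interface, $3 = tool (optional)
run_remote_capture() {
    cmd=$(remote_capture_cmd "$2" "$3") || return 1
    printf 'remote command: %s\n' "$cmd" >&2
    # -n  do not read local stdin (ssh must not compete with the pipe)
    # -T  never allocate a pty, which would mangle the binary pcap stream
    # BatchMode=yes  fail instead of prompting for a password; a prompt would
    #                leave the pipe blocked with no packets arriving
    # wireshark -k -i -  start capturing immediately from stdin
    ssh -n -T -o BatchMode=yes "$1" "$cmd" | wireshark -k -i -
}

# Usage: sh remote-capture.sh capture@sensor.example.net eth0 [dumpcap|tcpdump]
if [ $# -ge 2 ]; then
    run_remote_capture "$1" "$2" "${3:-dumpcap}"
fi
```

The same exclusion matters for the Extcap route: the sshdump interface settings include a remote capture filter, and if you override it, keep the capture session out of it for the same reason. Since the remote command runs with capture privileges, a key used only for this purpose is best pinned to that command with a `command="..."` entry in the remote `authorized_keys`, so a stolen key yields a capture feed and nothing more.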
Note that currently sshdump doesn't work that well on Windows, see bug 12884.