This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

SSH Remote Capture TCPdump

0

It would be awesome if Wireshark had native/built-in SSH tunnel support for remote tcpdump packet capturing, instead of having to use a third-party SSH app with its limitations, such as not being able to stop/restart a capture and not being able to use the Wireshark GUI to set the capture filter.

Maybe have Wireshark be able to load plink.exe and use it as though it is its natively built-in SSH tunnel app.

Instead of having to execute plink to set up the pipe that redirects Unix/Linux tcpdump into Wireshark, have Wireshark handle the whole thing: tell Wireshark which SSH app to use (plink.exe), provide credentials/key file for SSH access, the remote app to run (tcpdump), and configure the capture filter for tcpdump to use.

asked 12 Jan '17, 02:36


NOYB
6224
accept rate: 0%
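The manual pipe the question describes, written out as an added example (not code from the original post or from the Wireshark project), using OpenSSH rather than plink so it runs from a POSIX shell; with plink the local side is the same, only `ssh` becomes `plink -ssh -i key.ppk user@host`. The host name `sensor.example.net`, the interface `eth0` and the filter are assumptions. The point a practitioner needs to get right is the capture filter: it has to exclude the SSH session carrying the capture, otherwise every packet tcpdump sends back is itself captured and the stream feeds on itself.

```shell
#!/bin/sh
# Added example, not from the original post or from Wireshark.
# Remote tcpdump over SSH, piped into the local Wireshark GUI.
# Assumed values (hypothetical): host sensor.example.net, interface eth0.

# Build the command that runs on the remote host.
#   -U   packet-buffered output, so packets reach Wireshark as they arrive
#   -s 0 capture full packets
#   -w - write pcap to stdout, which SSH carries back to us
# The filter is appended unquoted and is interpreted by the remote shell,
# so only pass filter text you control.
remote_capture_cmd() {
    iface="$1"
    filter="$2"
    printf 'tcpdump -i %s -U -s 0 -w - %s' "$iface" "$filter"
}

# The feedback-loop check: the filter must exclude the SSH port that carries
# the capture stream back to Wireshark. Port 22 is the assumed SSH port.
filter_excludes_ssh() {
    case "$1" in
        *"not port 22"*|*"not tcp port 22"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The full local pipeline as a string, for logging or copy/paste.
#   -k   start capturing immediately
#   -i - read the capture from stdin
ssh_pipeline() {
    host="$1"; iface="$2"; filter="$3"
    printf "ssh %s '%s' | wireshark -k -i -" \
        "$host" "$(remote_capture_cmd "$iface" "$filter")"
}

# Run it. Refuses (exit 2) if the filter would loop the capture onto itself,
# before any SSH connection is made. Authenticate with a key, not a password,
# so the session can be started non-interactively.
run_capture() {
    host="$1"; iface="$2"; filter="$3"
    if ! filter_excludes_ssh "$filter"; then
        echo "refusing: filter '$filter' does not exclude the SSH session" >&2
        return 2
    fi
    ssh "$host" "$(remote_capture_cmd "$iface" "$filter")" | wireshark -k -i -
}

# Only start a real capture when explicitly asked, e.g.
#   SSHCAP_RUN=1 SSHCAP_HOST=sensor.example.net SSHCAP_FILTER='not port 22' sh capture.sh
if [ "${SSHCAP_RUN:-0}" = 1 ]; then
    run_capture "${SSHCAP_HOST:-sensor.example.net}" \
                "${SSHCAP_IFACE:-eth0}" \
                "${SSHCAP_FILTER:-not port 22}"
fi
```

tcpdump needs raw-socket privileges on the remote host; rather than logging in as root, give the capture account `sudo` rights for tcpdump alone (or the CAP_NET_RAW capability on the binary) and add `-Z` to drop privileges once the socket is open. This is also exactly the set of inputs (host, credentials, remote command, filter) the question asks Wireshark to manage itself.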


One Answer:

1

This is being worked on with the extcap utility sshdump, which provides a pseudo-interface "SSH remote capture". I'm not sure of the state of this in the stable (2.2.x) releases, but you can try a development release (2.3.x) from the automated builds site.

answered 12 Jan '17, 03:14


grahamb ♦
19.8k330206
accept rate: 22%