This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Piping remote tcpdump to local Wireshark no longer working

0

A couple days ago, this command was working:

ssh [email protected] 'ssh host2 "tcpdump -i bond1.800 -s0 -U -w - port 9990 or port 5060 or port 3868"' | wireshark -k -i -

I was able to open wireshark on my local machine with that command, and I was able to see the packets arriving in wireshark as the remote host was capturing them. Then I closed wireshark, which ended the command. I tried running the command again a second time (the exact same command) and it no longer worked. I've also tried rebooting my machine, but to no avail.

If I run it with "cat -" instead of wireshark, I see a constant stream of packets.

ssh [email protected] 'ssh host2 "tcpdump -i bond1.800 -s0 -U -w - port 9990 or port 5060 or port 3868"' | cat -

It will keep outputting the packets to my terminal until I end it with Ctrl-C. But if I do it with wireshark, I get the following output:

ssh [email protected] 'ssh host2 "tcpdump -i bond1.800 -s0 -U -w - port 9990 or port 5060 or port 3868"' | wireshark -k -i -
Password:
tcpdump: listening on bond1.800, link-type EN10MB (Ethernet), capture size 65535 bytes
19 packets captured
19 packets received by filter
0 packets dropped by kernel

As you can see, only 19 packets came through before the trace mysteriously ended. Those packets were not displayed in wireshark.

My setup is a local Windows 7 laptop with Wireshark Version 2.2.4 (v2.2.4-0-gcc3dc1b), and I am running those commands in Cygwin. At the time that the command was working, I was also able to open wireshark to watch packets from another remote host, with this command:

ssh -C [email protected] 'tcpdump -i bond0 -i eth2 -i eth3 -i eth4 -i eth5 -i eth6 -i eth7 -s0 -U -w - port 5060 or port 3868' | wireshark -k -i -

I don't think all of the interfaces were working (it might have just been capturing on eth7), but it was capturing packets and displaying them in wireshark on my local machine. That one also stopped working at the same time. I didn't change any parameters in wireshark, or install any different packages. Everything stayed the same from the working iteration to the failing iteration.

Any help in diagnosing this issue is greatly appreciated.

asked 10 Feb '17, 08:00


Lemurshark
26569
accept rate: 0%

I don't have an answer for you, as this always worked for me in my testing, but something to check - is tcpdump still running on the remote host? Only when I logged into the remote host and manually killed tcpdump did I see the capture summary information; otherwise I'd never see it. Also, as far as I know, tcpdump only accepts a single interface for its -i option, so if you specify more than one, only the last one will be the active interface upon which it captures.

(10 Feb '17, 13:15) cmaynard ♦♦
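One thing worth separating when a "tcpdump -w - | wireshark -k -i -" pipeline stops showing packets is whether the bytes reaching the local end are actually a libpcap stream at all. The helper below is an added example for this thread, not code from the original poster, from cmaynard, or from the Wireshark project: it reads the 24-byte pcap global header from a file or from stdin and reports the byte order, snaplen and link type that Wireshark would see. The link-type names it prints are the standard libpcap values (1 = LINKTYPE_ETHERNET, i.e. the EN10MB tcpdump reports; 113 = LINKTYPE_LINUX_SLL, which tcpdump uses for "-i any"); the sample header it constructs for offline use is made up to match the capture parameters quoted above (snaplen 65535, Ethernet).

```shell
#!/bin/sh
# Added diagnostic helper (not from the original thread): validate the pcap
# global header that "wireshark -k -i -" expects at the start of its stdin.
#
# pcap_check [FILE]  reads the first 24 bytes of FILE (default: stdin) and
# prints "ok <endian> snaplen=N linktype=N (name)" with exit status 0, or a
# one-line reason with exit status 1 if the bytes are not a pcap header.
pcap_check() {
    # Read the header once as space-separated hex bytes (od -v: no "*" line
    # suppression), so the function also works on a pipe, not just a file.
    hdr=$(head -c 24 "${1:--}" | od -A n -v -t x1 | tr -d '\n')
    set -- $hdr                      # $1..$24 are now the header bytes
    if [ "$#" -ne 24 ]; then
        echo "short read: only $# bytes, not a pcap stream"
        return 1
    fi
    # Magic number: a1b2c3d4 (microsecond) or a1b23c4d (nanosecond) pcap,
    # stored in the writer's native byte order.
    case "$1$2$3$4" in
        d4c3b2a1|4d3cb2a1) endian=little ;;
        a1b2c3d4|a1b23c4d) endian=big ;;
        *) echo "bad magic $1$2$3$4: not a pcap stream"; return 1 ;;
    esac
    # Bytes 17-20 are snaplen, bytes 21-24 the link type (both 32-bit).
    if [ "$endian" = little ]; then
        snaplen=$(( 0x${20} << 24 | 0x${19} << 16 | 0x${18} << 8 | 0x${17} ))
        linktype=$(( 0x${24} << 24 | 0x${23} << 16 | 0x${22} << 8 | 0x${21} ))
    else
        snaplen=$(( 0x${17} << 24 | 0x${18} << 16 | 0x${19} << 8 | 0x${20} ))
        linktype=$(( 0x${21} << 24 | 0x${22} << 16 | 0x${23} << 8 | 0x${24} ))
    fi
    case "$linktype" in
        1)   name=ethernet ;;     # LINKTYPE_ETHERNET, what tcpdump calls EN10MB
        113) name=linux_sll ;;    # LINKTYPE_LINUX_SLL, used by "tcpdump -i any"
        *)   name=unknown ;;
    esac
    echo "ok $endian snaplen=$snaplen linktype=$linktype ($name)"
}

# Constructed sample (not a real capture): a little-endian pcap global header
# with version 2.4, timezone 0, sigfigs 0, snaplen 65535 and link type 1.
sample_header() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
}

# Stand-alone demonstration: the constructed header passes, while the text a
# broken pipeline might deliver instead (a prompt or error message) fails.
sample_header | pcap_check
printf 'Password:\n' | pcap_check || echo "(rejected as expected)"
```

Against the real pipeline, run the remote command once with pcap_check in place of wireshark (it exits after 24 bytes, which ends the ssh session), or insert "tee capture.pcap" before wireshark and check the saved file afterwards. The ssh password prompt and tcpdump's "listening on ..." line go to the terminal rather than into the pipe, so if pcap_check reports a bad magic or a short read, the stream itself is the problem, not Wireshark.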