
Is it possible to capture TCP packets traveling between two remote systems that are not directed to the Wireshark host computer?

I need to intercept traffic between an old Redhat Linux 2.4 computer and a discontinued 20-year-old machine that is controlled via TCP/IP in order to analyze its communication protocol so I can control it with a modern computer. All systems are connected via a legacy Netgear Hub. I am able to open a Telnet connection and capture packets between the Wireshark computer and the machine, but I cannot see any traffic traveling directly between the Redhat Linux computer and the machine.

The IP addresses are as follows:

Wireshark Computer (Windows 10) - 192.168.200.68

3rd Party Equipment (Not a Computer) - 192.168.200.63, 192.168.200.64, 192.168.200.65

Redhat Linux 2.4 Computer - Unknown, Probably something like 192.168.200.67

Is there a way to do this?

asked 19 Oct '17, 09:55


dcs


Capturing packets requires access to the physical connection the packets travel through. They won't take a detour to your Wireshark PC, you have to put your Wireshark where they are visible. In your case the hub would be a perfect spot, but you need to be connected directly to it and it really needs to be a hub (some "hubs" are switches in reality, and you won't see the packets).

For more information on capture setups, check the following links:

https://wiki.wireshark.org/CaptureSetup/Ethernet

https://blog.packet-foo.com/2016/10/the-network-capture-playbook-part-1-ethernet-basics/


answered 19 Oct '17, 10:15


Jasper ♦♦

Thanks for the quick answers.

To Jasper, I am connected to the Hub and I can intercept traffic if I communicated directly to the machine with the Wireshark Windows computer. The HUB is a real HUB, not a switch. I will review your links.

To Jaap, how do I learn about setting up the SSH connection? This is a very old version of Redhat.

(19 Oct '17, 10:44) dcs

Your answer has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(19 Oct '17, 23:30) Jaap ♦

Provided that:

  1. You have SSH access to the Redhat box
  2. There's tcpdump installed in that box

You can use the remote capture options of Wireshark, which allows you to capture traffic through an SSH tunnel.


answered 19 Oct '17, 10:33


Jaap ♦
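The SSH-tunnel capture Jaap describes, written out as an added example (not code from either answer or from the Wireshark project). It assumes SSH login as root to the Redhat box at 192.168.200.67 (the asker's guess), that its capture interface is eth0, and that wireshark is on the analysis host's PATH; the equipment addresses are the ones listed in the question.

```sh
#!/bin/sh
# Stream a tcpdump capture from the Redhat box to Wireshark over SSH.
# Assumptions (not from the page): SSH user root, remote interface eth0,
# Redhat box at 192.168.200.67, wireshark on the local PATH.

# Build a BPF capture filter that keeps only traffic to/from the equipment
# addresses and drops the SSH session carrying the capture itself. The
# exclusion matters as soon as the host list is widened: without it the
# tunnel captures its own packets and the stream grows without bound.
bpf_filter() {
    ssh_port=$1; shift
    hosts=""
    for h in "$@"; do
        hosts="${hosts:+$hosts or }host $h"
    done
    printf '(%s) and not tcp port %s\n' "$hosts" "$ssh_port"
}

# Assemble the remote command. '-s 0' captures full frames and '-w -' writes
# pcap to stdout. '-U' (packet-buffered output) is deliberately left out:
# very old tcpdump releases reject it, and without it packets simply arrive
# in larger bursts rather than one at a time.
remote_capture_cmd() {
    iface=$1; filter=$2
    printf "tcpdump -i %s -s 0 -w - '%s'" "$iface" "$filter"
}

# Run the pipeline only when explicitly asked, so the functions above can be
# sourced and checked without a network. '-k' starts capturing immediately,
# '-i -' makes Wireshark read the pcap stream from standard input.
if [ "${RUN_CAPTURE:-0}" = 1 ]; then
    FILTER=$(bpf_filter 22 192.168.200.63 192.168.200.64 192.168.200.65)
    ssh root@192.168.200.67 "$(remote_capture_cmd eth0 "$FILTER")" | wireshark -k -i -
fi
```

Run with `RUN_CAPTURE=1 sh capture.sh`; if the old box lacks sshd, the same remote command can be started on its console with `-w /tmp/cap.pcap` and the file copied over afterwards.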

question asked: 19 Oct '17, 09:55

question was seen: 4,017 times

last updated: 19 Oct '17, 23:30