How do I use SSH Remote Capture in Wireshark


You just have to configure the SSH settings in that window to get Wireshark to log in and run tcpdump.

You can leave the capture command empty and it will capture on eth0. You'd only want to change it if you have specific requirements (like if you need to specify an interface name).

You might want to set the capture filter to not ((host x.x.x.x) and port 22) (replacing x.x.x.x with your own IP address) so the screen doesn't get flooded with its own SSH traffic.

Updated on July 28, 2022
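The shell equivalent of what the SSH Remote Capture dialog (the sshdump extcap) does, as an added example that is not part of the original answer: tcpdump runs on the remote host with the capture's own SSH stream filtered out, writes pcap to stdout, ssh carries it back, and Wireshark reads the stream from stdin. The remote host, the local address 192.0.2.10, the interface eth0, the sshd port and the use of sudo are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original answer's code. Assumes the remote host has
# tcpdump, the remote user can run it via sudo (the "use sudo" box in the
# dialog), and the capture interface is eth0 (sshdump's default when the
# capture command is left empty).

# Capture filter that keeps the capture's own SSH session out of the trace.
# $1 is the address the SSH session comes from, $2 the remote sshd port.
build_capture_filter() {
    local_ip=$1
    ssh_port=${2:-22}
    printf 'not ((host %s) and port %s)' "$local_ip" "$ssh_port"
}

# Command to run on the remote host: -U flushes each packet as it is
# captured, -n avoids DNS lookups, -w - writes pcap to stdout. The filter
# is single-quoted so the remote shell hands it to tcpdump as one argument.
build_remote_command() {
    iface=$1
    filter=$2
    use_sudo=${3:-yes}
    cmd="tcpdump -U -n -i $iface -w - '$filter'"
    if [ "$use_sudo" = yes ]; then
        cmd="sudo $cmd"
    fi
    printf '%s' "$cmd"
}

# Glue the pieces together. Wireshark -i - reads the pcap stream from stdin
# and -k starts the capture immediately.
remote_capture() {
    remote=$1          # user@host, e.g. admin@192.0.2.20 (assumed)
    local_ip=$2        # the IP the remote side sees us coming from
    iface=${3:-eth0}
    ssh_port=${4:-22}
    filter=$(build_capture_filter "$local_ip" "$ssh_port")
    remote_cmd=$(build_remote_command "$iface" "$filter")
    ssh -p "$ssh_port" "$remote" "$remote_cmd" | wireshark -k -i -
}

# Usage: sh remote_capture.sh admin@192.0.2.20 192.0.2.10 [eth0] [22]
if [ $# -ge 2 ]; then
    remote_capture "$@"
fi
```

If you do not know which address the remote side sees (NAT, VPN), check the SSH_CLIENT variable in a normal SSH session to that host first; the filter must use that address, not the one on your local NIC, or your own SSH traffic will still show up in the capture.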

Comments

  • MiniMe
    MiniMe over 1 year

    I am using Wireshark 2.4.6 portable (downloaded from their site) and I am trying to configure the remote capture. I am not clear on what I should use in the remote capture command line.

    There is a help for this but it refers to the CLI option https://www.wireshark.org/docs/man-pages/sshdump.html

    On the above page they say that using the sshdump CLI is the equivalent of this Unix CLI:

    $ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
    $ wireshark FILE
    


  • gorzilla
    gorzilla over 4 years
    You mean on the remote machine? It uses sudo (if you tick that box). Obviously the remote user needs permissions to capture traffic. The machine running Wireshark doesn't need special permissions though.
  • MiniMe
    MiniMe over 4 years
    There are other things needed, e.g. the user must be in the sudoers list, and then Wireshark has some restrictions and it can't be used in user mode unless certain things are done, if I remember correctly. Bottom line: it does not work out of the box if you are not root.
  • Feras
    Feras over 1 year
    This answer worked like charm, thanks