How do I use SSH Remote Capture in Wireshark
You just have to configure the SSH settings in that window to get Wireshark to log in and run tcpdump.
You can leave the capture command empty and it will capture on eth0. You'd only want to change it if you have specific requirements (like if you need to specify an interface name).
You might want to set the capture filter to not ((host x.x.x.x) and port 22) (replacing x.x.x.x with your own IP address) so the screen doesn't get flooded with its own SSH traffic.
MiniMe, updated on July 28, 2022

Comments
- MiniMe (over 1 year ago): I am using Wireshark 2.4.6 portable (downloaded from their site) and I am trying to configure the remote capture. I am not clear on what I should use in the remote capture command line.
There is help for this, but it refers to the CLI option: https://www.wireshark.org/docs/man-pages/sshdump.html
On the above page they say that using the sshdump CLI is the equivalent of this Unix CLI:
$ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
$ wireshark FILE
- gorzilla (over 4 years ago): You mean on the remote machine? It uses sudo (if you tick that box). Obviously the remote user needs permissions to capture traffic. The machine running Wireshark doesn't need special permissions though.
- MiniMe (over 4 years ago): There are other things needed, e.g. the user must be in the sudoers list, and then Wireshark has some restrictions and it can't be used in user mode unless certain things are done, if I remember correctly. Bottom line: it does not work out of the box if you are not root.
- Feras (over 1 year ago): This answer worked like a charm, thanks.
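The answer above and the sudo discussion in the comments, as an added shell example that is not from the original post or from the Wireshark project: it reproduces what sshdump does from a plain shell, builds the capture filter that keeps the session's own SSH traffic out of the capture, and only prepends sudo when the remote user lacks capture rights. The remote host, interface name and port are assumptions.

```shell
#!/bin/sh
# Added example (not the original answer's code). Remote host, interface and
# port are placeholders; adjust them for your environment.

# Capture filter that drops the SSH session carrying the capture itself,
# i.e. traffic between our local address and the remote on the SSH port.
build_capture_filter() {
    local_ip="$1"
    ssh_port="${2:-22}"
    printf 'not ((host %s) and port %s)' "$local_ip" "$ssh_port"
}

# Source address this host would use to reach the remote machine
# (assumes iproute2's "ip route get" is available locally).
local_ip_for() {
    ip -o route get "$1" 2>/dev/null | sed -n 's/.*src \([0-9.][0-9.]*\).*/\1/p'
}

# Remote tcpdump command, equivalent to what sshdump runs. The filter is
# single-quoted so the remote shell does not interpret the parentheses.
# "sudo" is only added when the remote user cannot capture on its own.
build_remote_command() {
    iface="$1"; filter="$2"; use_sudo="${3:-no}"
    prefix=""
    if [ "$use_sudo" = "yes" ]; then prefix="sudo "; fi
    printf "%stcpdump -U -i %s -w - '%s'" "$prefix" "$iface" "$filter"
}

# Stream packets from the remote into a live Wireshark window:
# -i - reads pcap from stdin, -k starts capturing immediately.
remote_capture() {
    remote="$1"; iface="${2:-eth0}"; port="${3:-22}"; use_sudo="${4:-no}"
    filter=$(build_capture_filter "$(local_ip_for "${remote#*@}")" "$port")
    ssh -p "$port" "$remote" "$(build_remote_command "$iface" "$filter" "$use_sudo")" \
        | wireshark -k -i -
}

# Usage (placeholder host): remote_capture remoteuser@remotehost eth0 22 yes
```

Without sudo, the remote account needs capture rights on the interface (for example via capabilities on tcpdump); otherwise the stream stays empty and Wireshark shows nothing.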