Capture Traffic from headless Linux server with Wireshark on OSX
Linux includes a number of tools for capturing network traffic from the console; however, in many circumstances it is much more convenient to use the Wireshark GUI on a remote management station. In this case, raw pcap packets can be sent over an ssh tunnel and written to a 'fifo' (named pipe) file on the management station. The fifo is then added to the local interface list in Wireshark.
Create the fifo interface
The fifo interface is added to Wireshark in the Manage Interfaces dialogue, which is accessed from the Capture Options dialogue.
In the Manage Interfaces dialogue:
Select the pipes tab and click the New button.
Enter a name for the pipe then click the Browse button.
Browse to a suitable folder (/tmp) and enter a name for the capture file (remote).
e.g. pipe:/tmp/remote
Select the pipe as the local interface and start the capture in the normal way.
Wireshark will open a capture window while it waits for traffic to appear in the pipe.
Capture remotely over SSH
Verify that tcpdump is installed on the remote system. It is also possible to use tshark or some other tool which is able to write raw pcap data to standard output.
Start capturing the traffic on the remote system, taking care to exclude the tunnel traffic with a tcpdump filter. Without that exclusion the ssh session carrying the capture is itself captured, and every packet sent down the tunnel generates more tunnel packets to capture.
To start capturing SMTP traffic (port 25) you would use the following command from the management station:
ssh -p22 root@target.net "tcpdump -iem1 -s0 -U -n -w - not port 22 and port 25" > /tmp/remote
Restarting a Capture
The capture session is stopped either when the SSH session is closed with Ctrl+C or when the Wireshark capture session is stopped or restarted. In both cases it is necessary to start a new capture in Wireshark and then start the remote capture session over a fresh ssh tunnel.
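The procedure above wrapped in a small POSIX shell script, added here as an example and not part of the original article. It assumes the same values as above (root@target.net, interface em1, ssh port 22, pipe /tmp/remote), creates the fifo with mkfifo if it is not already present, and always excludes the ssh port from the filter before adding the caller's own expression.

```shell
#!/bin/sh
# Added example: stream a remote tcpdump capture over ssh into a local fifo
# that Wireshark reads as a pipe interface. Host, interface, port and fifo
# path below are assumed values, not taken from any real deployment.

# Create the named pipe Wireshark will read from (idempotent). Refuses to
# continue if the path exists but is not a fifo, so a stray regular file
# left by an earlier run does not silently swallow the capture.
prepare_fifo() {
    fifo=$1
    if [ -e "$fifo" ] && [ ! -p "$fifo" ]; then
        echo "refusing: $fifo exists and is not a fifo" >&2
        return 1
    fi
    [ -p "$fifo" ] || mkfifo -m 600 "$fifo"
}

# Build the tcpdump command line to run on the remote host. The ssh port is
# excluded first so the tunnel carrying the capture never captures itself;
# the optional user filter is parenthesised so its own "or" terms cannot
# bypass that exclusion. Arguments: interface, ssh port, optional filter.
remote_tcpdump_cmd() {
    iface=$1
    sshport=$2
    filter=${3:-}
    cmd="tcpdump -i $iface -s0 -U -n -w - not port $sshport"
    if [ -n "$filter" ]; then
        # \( \) survive the remote shell and reach tcpdump as ( )
        cmd="$cmd and \\( $filter \\)"
    fi
    printf '%s' "$cmd"
}

# Start the capture: run tcpdump remotely and redirect the pcap stream into
# the fifo. Wireshark must already be capturing from the pipe, otherwise
# the redirect blocks until a reader opens it. Re-run this after any
# Wireshark restart, since the old ssh session ends with the old reader.
start_capture() {
    host=$1; iface=$2; sshport=$3; fifo=$4; filter=${5:-}
    prepare_fifo "$fifo" || return 1
    ssh -p "$sshport" "$host" \
        "$(remote_tcpdump_cmd "$iface" "$sshport" "$filter")" > "$fifo"
}

# Usage with the assumed values (uncomment to run):
# start_capture root@target.net em1 22 /tmp/remote 'port 25'
```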