
I can sniff the traffic of my local PC, but I would like to know how I can sniff the traffic of a remote machine with Wireshark.

When in the capture options I select a remote interface and enter my remote IP, it shows me error code (10061). What should I do?

Journeyman Geek
aboutstudy
  • You can only sniff traffic that your network interface is seeing. If the network is switched, packets to the remote machine will not be sent to you. BTW: try to improve your acceptance rate. – Matteo Feb 22 '12 at 06:23

8 Answers

On Linux and OSX you can achieve this by running tcpdump over ssh and having wireshark listen on the pipe.

  1. Create a named pipe:

    $ mkfifo /tmp/remote

  2. Start wireshark from the command line

    $ wireshark -k -i /tmp/remote

  3. Run tcpdump over ssh on your remote machine and redirect the packets to the named pipe:

    $ ssh root@firewall "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote

Source: http://blog.nielshorn.net/2010/02/using-wireshark-with-remote-capturing/

konrad
  • Is it possible to catch packets going through a router on the router itself this way, or is that something impossible? – inf3rno Jun 15 '17 at 22:41
  • This is great. My 2c: allowing [ssh root] is generally not advised, but you can temporarily toggle it on by adding root to the [Match User] line in /etc/ssh/sshd_config. – moodboom Jan 28 '18 at 17:03
  • This is not working for me, `ssh root@{MY_VPS_IP} -p 27922 "tcpdump -s 0 -U -n -w - -i eth0 not port 27922" > /tmp/remote` could you tell me why? – Phoenix May 09 '18 at 21:32
  • @infmo if the router can run tcpdump directly then yes, it should be possible. Mine doesn't have the space to install tcpdump. Not uncommon for low-end routers. – wheredidthatnamecomefrom Sep 07 '18 at 15:10
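To check what is actually arriving through the named pipe (for example when Wireshark shows nothing after step 3), here is an added streaming pcap reader; it is not part of the answer above or of tcpdump/Wireshark. It parses the global header and per-packet records that `tcpdump -w -` emits and reports whether the stream ended in the middle of a record. The bytes it parses in `build_sample` are constructed; on a live setup you would call `read_pcap_stream` on the fifo opened in binary mode.

```python
import io
import struct

# pcap magic numbers -> struct byte-order prefix (microsecond and nanosecond variants)
PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def read_pcap_stream(stream):
    """Incrementally parse a pcap stream as written by 'tcpdump -w -'.
    Returns (linktype, records, truncated): records is a list of
    (ts_sec, ts_frac, caplen, origlen); truncated is True when the stream
    ended inside a record (remote tcpdump or ssh died mid-packet)."""
    gh = stream.read(24)
    if len(gh) < 24 or gh[:4] not in PCAP_MAGIC:
        raise ValueError("not a pcap stream: bad or missing global header")
    endian = PCAP_MAGIC[gh[:4]]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _snaplen, linktype = struct.unpack(endian + "HHiIII", gh[4:])
    records, truncated = [], False
    while True:
        rh = stream.read(16)
        if not rh:
            break                      # clean end of stream
        if len(rh) < 16:
            truncated = True           # record header cut short
            break
        ts_sec, ts_frac, caplen, origlen = struct.unpack(endian + "IIII", rh)
        if len(stream.read(caplen)) < caplen:
            truncated = True           # packet payload cut short
            break
        records.append((ts_sec, ts_frac, caplen, origlen))
    return linktype, records, truncated

def parse_bytes(data):
    return read_pcap_stream(io.BytesIO(data))

def build_sample():
    """Constructed sample, not a real capture: little-endian global header with
    LINKTYPE_ETHERNET (1), two complete records, then a record cut short."""
    gh = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    r1 = struct.pack("<IIII", 1700000000, 1000, 4, 4) + b"\x01\x02\x03\x04"
    r2 = struct.pack("<IIII", 1700000001, 2000, 6, 60) + b"\x05" * 6
    r3 = struct.pack("<IIII", 1700000002, 3000, 8, 8) + b"\x06" * 3
    return gh + r1 + r2 + r3
```

On a live fifo the function returns only when the writer closes the pipe, so point it at the fifo in place of Wireshark (e.g. `read_pcap_stream(open("/tmp/remote", "rb"))`) and let the ssh command finish; an immediate ValueError means no pcap header ever arrived.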

I use this one-liner as root. It is very useful!

ssh root@sniff_server_ip -p port tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -

The last - before the | is the redirection of that output and is used as standard input by wireshark. The -k option in wireshark means "start sniffing immediately".

ctaglia
  • Best first answer I have ever seen. – sjas Jan 31 '17 at 18:35
  • Had to modify the `tcpdump` a bit for running on OpenBSD since it lacks `-U` among other things: `tcpdump -s 65536 -i em0 -w - 'not port 22'` – pipe Apr 12 '20 at 14:56
  • Very nice command! Thank you. I can even capture canbus on an embedded linux with `sudo ssh root@ tcpdump -U -s0 -i can0 -w - | sudo wireshark -k -i -` – Mubin Icyer Nov 29 '20 at 20:08

One approach is to use what's called a mirror or SPAN port on your switch. If your switch isn't intelligent enough, you can also put a small hub in between the switch and the host to capture. You connect a physical link from your listening host to that port/hub and then you can see all the traffic crossing the device. Alternatively, you'll need to install your packet capture software in a more strategic location in your network, like a border firewall/router.

Mose
dmourati
  • I have a more or less interesting problem which could be solved this way. Can you answer it? https://serverfault.com/questions/855245/catch-tcp-packets-with-router – inf3rno Jun 15 '17 at 22:43

You can use a file descriptor to connect to and receive the packets by ssh and pipe it to wireshark locally:

wireshark -i <(ssh root@firewall tcpdump -s 0 -U -n -w - -i eth0 not port 22)

Your wireshark will open and show you an "Interface" like /dev/fd/63, which is the file descriptor containing data from the remote system.

SiLeX

Under RHEL, konrad's answer didn't work for me because tcpdump requires root, and I only have sudo access. What did work was to create an extra remote fifo that I can read from:

remote:~$ mkfifo pcap
remote:~$ sudo tcpdump -s 0 -U -n -w - -i eth0 not port 22 > pcap

and send the data by a separate connection:

local:~$ mkfifo pcap
local:~$ ssh user@host "cat pcap" > pcap

and finally start Wireshark

local:~$ wireshark -k -i pcap
Dan

See the info on setting up the remote computer to allow your local machine to connect and capture:

http://wiki.wireshark.org/CaptureSetup/WinPcapRemote

Jacob
  • Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Scott Pack Oct 21 '12 at 02:57

In addition to the previous answers, a version with netcat (nc) might be useful as well:

Remote host:

mkfifo /tmp/mypcap.fifo

tcpdump -i em0 -s 0 -U -w - > /tmp/mypcap.fifo

nc -l 10000 < /tmp/mypcap.fifo

Local host:

wireshark -ki <(nc 192.168.1.1 10000)

Note about this method: it opens an insecure port on all interfaces, so make sure to filter incoming connections with firewall rules.

fugitive

You can only sniff traffic that makes it to you. So Joe A going to Joe B never comes near your PC, so you can't see it.

The only way is for you to get to the traffic or get the traffic to you. To get to the traffic requires a connection to a router or good switch or hub somewhere in the middle of their connection. To get the traffic to you, you'll need to ARP poison some of the switches so they think you're them.

Johnny