How can I set up remote capturing in Wireshark, capturing from a CentOS server on my Windows laptop?


I'm looking to capture packets from a remote server network interface. The remote server is running CentOS and has tshark installed. I'm working on a Windows 8 machine with Wireshark installed.

I've found this brief tutorial, but it's more for the home user. I've no UI on my server so I need to do all setup in the terminal over ssh. I also found this question, but it doesn't seem complete or correct.

I'm looking to capture all incoming data on a particular port, but I can figure that bit out easily enough. It's getting the capture itself working that's the main issue.

Also, does capturing remotely mean that the data won't be saved on the remote server itself? Or will it be saved on both my laptop and the server?

bot_bot

Posted 2016-04-21T08:57:17.850

Reputation: 211

Answers


You can capture several packets on the remote server with tcpdump, saving them to local disk. Then download the saved dump to your computer through ssh/sftp/scp and open the downloaded file in Wireshark.

First, you should install tcpdump: yum install -y tcpdump. After it installs successfully, you can start the capture: tcpdump -c 10 -s 0 -w filename.dump -nnni any port 18123. This command will capture ten packets from or to port 18123 and save these packets to the file filename.dump.

Also, you can remove the key -c 10 from the tcpdump command line. In this case tcpdump will capture all data on port 18123 until Ctrl-C is pressed.

raven428

Posted 2016-04-21T08:57:17.850

Reputation: 100
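An added example, not code from the thread above: a POSIX shell sketch of the answer's capture-then-fetch workflow, plus a second variant that streams the capture over ssh straight into Wireshark so that nothing is stored on the server (which answers the last part of the question). The hostname handling, the use of sudo, and the "dst port" filter for incoming-only traffic are assumptions of this example, not statements from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): getting a capture from a
# headless CentOS server into Wireshark on a workstation.
#
# Assumptions (not from the thread): the server is reachable as $remote over
# ssh with key-based login, and tcpdump needs sudo there.

# Build the tcpdump command line that runs on the server.
#   $1 = port, $2 = packet count ("" = run until Ctrl-C), $3 = output file
#   ("-" = stdout, used for streaming).
build_tcpdump_cmd() {
  port=$1; count=$2; out=$3
  # -n: no name resolution; -i any: all interfaces; -s 0: full packets.
  cmd="tcpdump -n -i any -s 0"
  [ -n "$count" ] && cmd="$cmd -c $count"
  # -U flushes every packet to the output as it arrives; required when the
  # output is a pipe, otherwise Wireshark sees nothing until the buffer fills.
  [ "$out" = "-" ] && cmd="$cmd -U"
  # "dst port" keeps only packets addressed to $port (the incoming direction
  # the question asked about); plain "port" would keep both directions.
  printf '%s -w %s dst port %s' "$cmd" "$out" "$port"
}

# Method 1 (the answer's approach): capture to a file on the server, then
# pull it back with scp and open the local copy in Wireshark. The dump stays
# on the server until you delete it.
capture_to_file_and_fetch() {
  remote=$1; port=$2; count=$3; file=$4
  ssh "$remote" "sudo $(build_tcpdump_cmd "$port" "$count" "/tmp/$file")" &&
    scp "$remote:/tmp/$file" "./$file"
}

# Method 2: stream the pcap over ssh into Wireshark's stdin.
# "-k" starts capturing immediately, "-i -" reads packets from stdin.
# Nothing is written to disk on the server.
stream_to_wireshark() {
  remote=$1; port=$2
  ssh "$remote" "sudo $(build_tcpdump_cmd "$port" "" "-")" | wireshark -k -i -
}

# Usage (hostname and port are placeholders):
#   capture_to_file_and_fetch centos.example.test 18123 10 filename.dump
#   stream_to_wireshark centos.example.test 18123
```

On the Windows side the same pipeline works from an ssh client by piping into Wireshark.exe with the same -k -i - flags; Method 2 is the one to use when the server must not retain a copy of the traffic.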

I've already come to the same conclusion myself, and installed tcpdump. To get tcpdump to only save incoming packets do I change any to inbound in your example? – bot_bot – 2016-04-21T11:46:06.260

What does -nnni do? I can't see any reference to it in the tcpdump man pages – bot_bot – 2016-04-21T11:48:11.380

any is the parameter for the command line switch -i. It accepts a network interface name or any. If your server does not have an interface named inbound, you will get an error. Inbound packets could be filtered by replacing the filter part: port 18123. More details you can find in man pcap-filter. – raven428 – 2016-04-21T12:04:58.320

"what does -nnni do?" The same thing that -ni does, because multiple n flags don't do anything different from one n flag. And what -ni does is the same thing that -n -i does, i.e. it turns off name resolution (which actually doesn't make a difference with -w, it only matters when dissecting packets, not when saving raw packets to a savefile) and uses the command line token after the flag as the name of the interface - "any" in this case. – None – 2016-04-21T21:09:55.600