Remote Packet Capture using Wireshark

0

Well, the scenario is that I have a Windows machine (at home) and a Linux box running headless Ubuntu Server (without GUI) at a remote location. I've got Wireshark installed on my Windows machine, and tcpdump installed on the remote Linux box. Here is my question: is there an easy way of capturing packets off of my Linux box? I've been reading through some blog posts, but didn't really find an easy way of configuring either tcpdump or TShark so I could remotely monitor the network traffic. I also realized that it is easy to capture packets remotely off a remote Windows machine with a simple remote interface configuration. I was wondering if there's a similar way so I could configure my remotely located Linux box to listen on port 2002 and start capturing remotely here on my Windows machine? Any advice?

mehdix_

Posted 2014-06-14T04:57:40.190

Reputation: 251

Answers

-1

Install Cygwin or, better yet, install Linux at home.
ssh root@remotelinuxbox.com "tcpdump -i eth0 -l | grep -v 'home ip address' "

Keep in mind that whatever solution you use requires that you do not log the packets to the log server, because that would make an infinite loop: trace a packet from node Z and then send the packet trace to node L (LogServer). Send the packet trace to node L. Send another packet trace of the packet trace sent to node L... ad infinitum.

If you have more than one network interface on RemoteLinux, then trace everything on one interface and send the packet traces out the other interface to your Windows box.

rjt

Posted 2014-06-14T04:57:40.190

Reputation: 878
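The ssh-plus-tcpdump approach from the answer above, as an added example that is not part of the original thread: it streams raw pcap from the remote box into a local Wireshark and excludes the SSH session carrying the capture, so the feedback loop the answer warns about never starts. The hostname, interface and home IP are placeholders; tcpdump on the remote side still needs root or the usual capture capabilities.

```shell
#!/bin/sh
# Added example (not from the thread). Remote tcpdump -> ssh -> local Wireshark.
# Assumptions: hostname, interface and home IP below are placeholders, and the
# local ssh client passes binary stdout through unchanged (OpenSSH does).

# Capture filter that drops the SSH session carrying the capture back to us.
# Without it, every packet we receive is itself captured and sent again,
# which is exactly the infinite loop described in the answer.
capture_filter() {
    home_ip="$1"
    printf 'not (host %s and tcp port 22)' "$home_ip"
}

# Remote side: -U flushes each packet immediately instead of buffering,
# -s 0 keeps full frames, -w - writes pcap to stdout for ssh to carry.
remote_tcpdump_cmd() {
    iface="$1"; home_ip="$2"
    printf 'tcpdump -i %s -U -s 0 -w - %s' "$iface" "$(capture_filter "$home_ip")"
}

# Local side: Wireshark reads the pcap stream from stdin (-i -) and starts
# capturing at once (-k). The same pipeline works with ssh.exe on Windows.
remote_capture_pipeline() {
    host="$1"; iface="$2"; home_ip="$3"
    printf 'ssh %s "%s" | wireshark -k -i -' \
        "$host" "$(remote_tcpdump_cmd "$iface" "$home_ip")"
}

# To run for real, replace the placeholders and uncomment:
# eval "$(remote_capture_pipeline user@remotelinuxbox.example eth0 203.0.113.10)"
```

Swap `wireshark -k -i -` for `> capture.pcap` to record to a file instead and open it later, which is the variant Bob describes in the comments.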

...you don't need Cygwin or Linux. Both are far overkill for just ssh - any native Windows ssh client will work. PuTTY and KiTTY are good for that. – Bob – 2014-06-14T06:59:09.330

Disagree. In fact, my answer can be copied and pasted into standard ssh. That can't be done with PuTTY. I used PuTTY for years and misunderstood ssh. After using real ssh clients, it was easier to learn. – rjt – 2014-06-14T07:09:00.473

Sure it can. If you intend to send the data back via stdout, then simply swap ssh for plink. Otherwise, if you want an interactive SSH shell, it's a trivial modification to save the output to a file and retrieve it later (append > capture.pcap, then SCP or FTP it back). – Bob – 2014-06-14T07:13:49.750

@Bob, Thank you for proving my point ... "Swap" means copy-n-paste will not work. – rjt – 2014-06-14T07:33:24.373

Arguing over semantics is pointless. Installing Cygwin or Linux isn't copying and pasting either. You can rename the plink binary if you want. In the end, it's the simpler solution, and the one least likely to have damaging side effects. – Bob – 2014-06-14T08:11:38.970

Incidentally, PuTTY implements the SSH standard just as well as any other client, and the "standard" SSH client you refer to probably isn't the reference implementation anyway. Nor is any one more "real" than another. – Bob – 2014-06-14T08:16:30.900

@Bob well, he makes the point that for understanding ssh, Cygwin or Linux is better; one justification for saying that could be that Cygwin or Linux has sshd to go along with ssh. That said, PuTTY with something like WinSSHD is fine, I suppose. Or WinSSHD and its associated client. – barlop – 2014-06-14T08:34:18.967