Remote Ethernet Packet Capture with Wireshark and tshark over SSH

Wireshark is a powerful and popular packet capture and analysis suite that runs on Windows and most flavours of UNIX. Often one finds one's self in need of its GUI's abilities on remote, headless servers without X windows (and who wants to install X on a server if they don't have to?). One has three options: use a text/ncurses based packet capture system like ettercap to analyze the traffic on the server itself, save packet capture files and move them to your Wireshark host or pipe the output from tshark - Wireshark's text interface - to your client in real-time. The last option suits me best; I don't want to have to learn two packet capture suites if I can only use one and it is often useful to see the packets fly by as they come.

To compile Wireshark without the GUI, and therefore all of its X windows dependencies, on Gentoo:

# USE="-gtk" emerge wireshark

Or disable the GTK use flag in your /etc/make.conf.

The next step is to establish passwordless root ssh access to the target machine. This should only be temporary as it is best practice to disallow any form of remote login for the root user. Please read my previous article, Passwordless or Single Password SSH with Key Exchange but be sure to use a blank passphrase for your key and disregard the part about restricting root access. Once this has been completed and you are able to log in to the target server by simply typing ssh hostname you are ready to begin your packet capture.

On the client which runs the GUI version of Wireshark, open up a shell as root and run the following:

wireshark -k -i < ( ssh -l root xxx.xxx.xxx.xxx /usr/bin/tshark -i eth0 -w - )

Be sure to change the path to tshark if this does not reflect your installation. Adjust the interface (-i flag) to match your target.


Peter Valdemar Mørch

I think that should be

wireshark -k -i <( ssh -l root xxx.xxx.xxx.xxx /usr/bin/tshark -i eth0 -w - )

With no space between '<' and '('.

Thwarting the isc.org DNS DDoS | foxpa.ws

[...] whipped out wireshark and took a sample capture, these are the contents of a typical request [...]