Monitoring a remote network interface with tcpdump and Wireshark

In this small how-to, I’ll show how to capture network traffic from a remote system to analyze it using Wireshark.

All you need is tcpdump on the remote machine, where you want to dump the network traffic off and Wireshark on the computer, you want to use to look at the packets flying around.
I use this setup for checking, whats going on on my IPcop firewall.

First, you need to prepare a named pipe on you monitoring station:


mkfifo /tmp/pipe

After this, we build up the connection to the remote system, issue the tcpdump command there and direct all outputs to the pipe:


ssh root@10.1.1.254 "tcpdump -i eth0 -s 0 -U -w - not port 22" > /tmp/pipe

Now switch to another console and start Wireshark, listening to our newly created pipe:


wireshark -k -i /tmp/pipe

After Wireshark has started, the ssh console will ask for roots password. After you entered it, you will see the packets getting listed in Wiresharks main screen.

Used tcpdump options

  • -i eth0 specifies the interface to capture from (change to your needs)
  • -s 0 sets the packet snapshot lenght it to the default of 65535, for backwards compatibility with recent older versions of tcpdump
  • -U writes each incoming packet to the file (or std. out) immediately, instead of waiting until the buffer has filled
  • -w – writes to standard output
  • not port 22 keeps tcpdump from returning the traffic we create with our ssh connection

Further info
http://wiki.wireshark.org/CaptureSetup/Pipes
http://www.tcpdump.org/tcpdump_man.html

5 thoughts on “Monitoring a remote network interface with tcpdump and Wireshark

  1. hello,
    i tried to run it on my openwrt box, from ubuntu 10.10, but when i execute the command
    ssh root@192.168.1.1 -p 443 “tcpdump -i eth0 -s 0 -U -w – not port 443” > /tmp/pipe
    nothing happens (it should ask me the pw i suppose, but it doesn’t), it acts like if i didn’t press Return…
    the dropbear daemon is running on port 443 with pw login (no certificate)

    what’s wrong?

    1. Hi.
      Have you tried to log in via SSH without the tcpdump command?
      Just to make sure, that root login is enabled and that the root user may login with a password (Options “RootPasswordAuth” and “RootLogin” both set to 1 in the dropbear config).
      Best regards
      Looke

  2. No offense but your method did not work for me due to the fact that ‘>’ redirects the output of ssh’s login program to /tmp/pipe.

    Here’s what works for me:

    ssh root@host ‘tcpdump -i eth0 -w -‘ | wireshark -k -i –

    1. Hi zitstif.
      Thanks for your comment, none taken. As far as I know, the SSH password prompt doesn’t go to stdout (or even stderr), so it should not be affected of our redirection here. As soon as Wireshark reads from the named pipe, the console you issued the initial SSH command should present the password dialogue. But thanks for posting the cmd that works for you.
      Cheers, Looke

  3. what I get:

    Lua: Error during loading:
    [string “/usr/share/wireshark/init.lua”]:45: dofile has been disabled

Leave a Reply

Your email address will not be published. Required fields are marked *

*