How do I use SSH Remote Capture in Wireshark
I am using Wireshark 2.4.6 portable (downloaded from their site) and I am trying to configure the remote capture. I am not clear on what I should use in the remote capture command line.

There is help for this, but it refers to the CLI option: https://www.wireshark.org/docs/man-pages/sshdump.html

On the above page they say that using the sshdump CLI is the equivalent of this Unix CLI:

ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
$ wireshark FILE


Fairbanks answered 11/4, 2018 at 14:6 Comment(0)

You just have to configure the SSH settings in that window to get Wireshark to log in and run tcpdump.

You can leave the capture command empty and it will capture on eth0. You'd only want to change it if you have specific requirements (like if you need to specify an interface name).

You might want to set the capture filter to not ((host x.x.x.x) and port 22) (replacing x.x.x.x with your own IP address) so the screen doesn't get flooded with its own SSH traffic.

Willywillynilly answered 27/6, 2019 at 15:30 Comment(2)
You mean on the remote machine? It uses sudo (if you tick that box). Obviously the remote user needs permissions to capture traffic. The machine running Wireshark doesn't need special permissions though. - Willywillynilly
There are other things needed, e.g. the user must be in the sudoers list, and then Wireshark has some restrictions and it can't be used in user mode unless certain things are done, if I remember correctly. Bottom line: it does not work out of the box if you are not root. - Fairbanks

The following works as a remote capture command:

/usr/bin/dumpcap -i eth0 -q -f 'not port 22' -w -

Replace eth0 with the interface to capture traffic on, and not port 22 with the remote capture filter, remembering not to capture your own SSH traffic.

This assumes you have configured dumpcap on the remote host to run without requiring sudo.

The other capture fields appear to be ignored when a remote capture command is specified.

Tested with Ubuntu 20.04 (on both ends) with wireshark 3.2.3-1.

The default remote capture command appears to be tcpdump.

I have not found any documentation which explains how the GUI dialog options for remote ssh capture are translated to the remote host command.

Juliajulian answered 4/8, 2020 at 1:25 Comment(1)
This answer worked like a charm, thanks. - Salutation
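Both answers above exclude the analyst's own SSH session from the capture (not ((host x.x.x.x) and port 22) in one, -f 'not port 22' in the other). The following is added example code, not from the original page or the Wireshark project: it parses the classic pcap stream that tcpdump -w - emits and counts frames belonging to the analyst's own SSH session, i.e. frames the capture filter should have dropped. The sample frames, addresses and the _tcp_frame/_pcap helpers are constructed for illustration; Python 3.8+ is assumed.

```python
import socket
import struct

def _tcp_frame(src_ip, sport, dst_ip, dport):
    """Constructed sample frame: Ethernet + IPv4 + TCP header, no payload, zero checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 8192, 0, 0)
    return eth + ip + tcp

def _pcap(frames):
    """Constructed classic pcap stream (little-endian, LINKTYPE_ETHERNET), as tcpdump -w - emits."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(f), len(f)) + f
    return out

def records(data):
    """Yield raw frames from a classic pcap byte string, honouring its byte order."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        e = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        e = ">"
    else:
        raise ValueError("not a classic pcap stream (pcapng is not handled here)")
    if struct.unpack_from(e + "I", data, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET frames are decoded here")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(e + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_endpoints(frame):
    """Return (src_ip, sport, dst_ip, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport

def ssh_leaks(data, analyst_ip, ssh_port=22):
    """Count frames of the analyst's own SSH session, which the capture filter should have dropped."""
    return sum(1 for f in records(data)
               if (ep := tcp_endpoints(f)) and analyst_ip in (ep[0], ep[2]) and ssh_port in (ep[1], ep[3]))
```

Feed the ssh/tcpdump pipe into records() via sys.stdin.buffer to check a live capture. dumpcap writes pcapng unless run with -P, which this parser rejects rather than misreads.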

Pertaining to sshdump, if you're having trouble finding the command via the command line, note that it is not in the system path by default on all platforms.

For GNU/Linux (for example in my case, Ubuntu 20.04, wireshark v3.2.3) it was under /usr/lib/x86_64-linux-gnu/wireshark/extcap/.

If this is not the case on your system, it may be handy to ensure that mlocate is installed (sudo apt install mlocate) and then use locate sshdump to find its path (you may find some other interesting tools in the same location - use the man pages or --help to learn more).

Appetitive answered 5/12, 2020 at 2:11 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.