How to Capture Remote System network traffic?
I have been using Wireshark to analyse the packets of socket programs. Now I want to see the traffic of other hosts. As I found that I need to use monitor mode, which is only supported on the Linux platform, I tried it, but I couldn't capture any packets transferred in my network; it lists 0 packets captured.

Scenario:

I have a network consisting of 50+ hosts (all running Windows except mine). My IP address is 192.168.1.10. When I initiate a communication with any 192.168.1.xx host, it shows the captured traffic. But my requirement is to monitor the traffic between 192.168.1.21 and 192.168.1.22 from my host, i.e. from 192.168.1.10.

1: Is it possible to capture the traffic as I mentioned?

2: If it is possible, is Wireshark the right tool for it (or do I have to use a different one)?

3: If it is not possible, then why?

Stefanistefania answered 25/10, 2013 at 19:25 Comment(0)

You are connected to a switch which is "switching" traffic. It bases the traffic you see on your MAC address. It will NOT send you traffic that is not destined to your MAC address. If you want to monitor all the traffic you need to configure your switch to use a "port mirror" and plug your sniffer into that port. There is no software that you can install on your machine that will circumvent the way network switching works.

http://en.wikipedia.org/wiki/Port_mirroring

Stuffed answered 25/10, 2013 at 20:25 Comment(0)
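As an added example of the port-mirror setup this answer describes (it is not part of the original answer): a Cisco IOS SPAN session that copies every frame entering or leaving the switch ports of 192.168.1.21 and 192.168.1.22 to the port the Linux sniffer (192.168.1.10) is cabled to. The session number and the interface numbers are assumptions; substitute the ports your switch actually uses.

```cisco
! Added example in Cisco IOS syntax. Interface and session numbers are assumed,
! not taken from the page.
! Source ports: the two hosts whose conversation is to be watched. "both" copies
! ingress and egress frames; it is the default, written out here for clarity.
monitor session 1 source interface GigabitEthernet1/0/21 both
monitor session 1 source interface GigabitEthernet1/0/22 both
! Destination port: the port the 192.168.1.10 sniffer is plugged into.
monitor session 1 destination interface GigabitEthernet1/0/10
! Verify the session is active and lists the expected ports.
do show monitor session 1
```

On the sniffer, tcpdump puts the interface into promiscuous mode by itself, so `tcpdump -i eth0 -nn host 192.168.1.21 and host 192.168.1.22` on the mirrored port is enough to confirm the mirror works: frames addressed to neither your MAC nor broadcast should now appear. Two caveats a practitioner should expect: on many Cisco platforms a SPAN destination port stops carrying the sniffer's own traffic (frames the sniffer sends into that port are dropped unless the platform's ingress option is enabled), so keep a second NIC for ssh and management; and if the two hosts hang off an unmanaged desktop switch between them and this switch, the mirrored port will never see their conversation, because it never crosses the managed switch.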

Just adapt this a bit with your own filters and IPs (on the local host):

ssh -l root <REMOTE HOST> tshark -w - not tcp port 22 | wireshark -k -i -

or using :

wireshark -k -i <(ssh -l root <REMOTE HOST> tshark -w - not tcp port 22)

You can use tcpdump instead of tshark if needed :

ssh -l root <REMOTE HOST> tcpdump -U -s0 -w - -i eth0 'not tcp port 22' |
    wireshark -k -i -
Nonresistant answered 25/10, 2013 at 19:29 Comment(6)
For this command to work, do I need to install Wireshark on those two hosts? - Stefanistefania
Wireshark on the local host and tshark on the remote one. - Panther
I don't have any possibility to access those hosts and install tshark or any other tools. Is there any other way? - Stefanistefania
tcpdump is maybe there, no? If you need to see network traffic, you need at least one pcap-capable tool. - Panther
I've installed Linux on my host, but the other hosts are on Windows, so is there a better way to sniff traffic between those two hosts, since Windows is more vulnerable? - Stefanistefania
This is wonderful. I was in the old-school habit of capturing large blocks of packets and then feeding them to Wireshark, or just using tcpdump on the collecting host to get real-time output. But being able to do it remotely and in real time is great! - Maryellen
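The pipeline from this answer, wrapped in a few shell functions as an added example (it is not the answer's own code). The point it makes explicit is the capture filter: it must exclude the ssh session that carries the capture back, otherwise every captured packet becomes ssh traffic, which is captured, which becomes more ssh traffic, and the capture feeds on itself. The functions tie the exclusion to the ssh port actually in use, so a non-default port is handled too. The host name "sensor.example", the interface eth0 and the use of root on the remote side are assumptions, and, as the answer's comments say, the remote host must itself see the traffic: it has to be one of the two endpoints or sit on a mirror port.

```shell
#!/bin/sh
# Added example, not from the answer above: the ssh | tcpdump | wireshark
# pipeline with the capture filter built so that it always excludes the ssh
# session carrying the capture back to the local Wireshark.
# Assumptions: tcpdump runs as root on the remote host, the capture interface
# is supplied by the caller, and host names/addresses below are placeholders.

# pair_filter A B: BPF filter for all traffic between two hosts, either direction.
pair_filter() {
    printf 'host %s and host %s' "$1" "$2"
}

# capture_filter SSHPORT [USERFILTER]: prepend the exclusion of the ssh control
# connection to whatever the user asked for. An empty user filter means
# "everything except the ssh session".
capture_filter() {
    sshport=$1
    user=$2
    if [ -z "$user" ]; then
        printf 'not tcp port %s' "$sshport"
    else
        printf 'not tcp port %s and (%s)' "$sshport" "$user"
    fi
}

# remote_capture HOST IFACE SSHPORT [USERFILTER]: stream a live capture from
# HOST into a local Wireshark. -U writes each packet as soon as it is seen
# instead of buffering, -s0 keeps whole packets, -n stops tcpdump doing DNS
# lookups that would themselves show up in the capture.
remote_capture() {
    host=$1
    iface=$2
    sshport=$3
    filter=$(capture_filter "$sshport" "$4")
    ssh -p "$sshport" -l root "$host" \
        "tcpdump -U -s0 -n -i '$iface' -w - '$filter'" \
        | wireshark -k -i -
}

# Usage for the scenario in the question, assuming a host "sensor.example" that
# actually sees the 192.168.1.21 <-> 192.168.1.22 conversation:
#   remote_capture sensor.example eth0 22 "$(pair_filter 192.168.1.21 192.168.1.22)"
```

Wireshark's `-k -i -` reads the pcap stream from standard input and starts capturing immediately, so the first packets appear as soon as tcpdump flushes them; if ssh listens on 2222 instead of 22, pass 2222 as the third argument and the exclusion follows automatically.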
