Currently dumpcap ignores remote capture filters
On Windows Ver 4.0.4, this appears to work for me for simple filters when I select the dumpcap radiobox. I tried to upload a screen capture but it fails for some reason. The profile preferences show the config:
extcap.sshdump_exe.remoteinterface: enp13s0
extcap.sshdump_exe.remotecapturecommandselect: dumpcap
extcap.sshdump_exe.remotesudo: false
extcap.sshdump_exe.remotenoprom: false
extcap.sshdump_exe.remotefilter: arp or icmp
extcap.sshdump_exe.loglevel: message
This is the process I end up with on the Linux SSH server:
wsuser 465803 465802 TS 19 05:57 ? 00:00:00 dumpcap -i enp13s0 -w - -f arp or icmp
And indeed, I only see arp and icmp packets in the Wireshark GUI. Without the remote filter, more comes down.
tcpdump does not allow two interfaces to be specified
I have observed this, too.
"capture command" in "interface options: SSH remote capture"
I would suggest dumpcap directly in the remote capture command. Something like:
dumpcap -f "arp or icmp" -i enp13s0 -i wlp14s0 -w -
And the generated Linux process:
wsuser 474613 474612 0 06:12 ? 00:00:00 dumpcap -f arp or icmp -i enp13s0 -i wlp14s0 -w -
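
Added example, not part of the original answer or of Wireshark: a small POSIX shell helper that assembles the string for the remote capture command field, quoting the filter for the remote shell and rejecting interface names that contain shell metacharacters. The function names and the interface-name allow-list are assumptions of this example.

```shell
#!/bin/sh
# Build a dumpcap command line for sshdump's "remote capture command" field.
# Hypothetical helper names; the allow-list for interface names is an assumption.

# Wrap a string in single quotes for the remote shell,
# turning each embedded ' into '\'' so it cannot end the quoting early.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Usage: build_capture_cmd FILTER IFACE [IFACE...]
# -f is placed before the first -i so it acts as the default filter
# for every interface that follows, as in the command in the answer.
build_capture_cmd() {
    filter=$1
    shift
    if [ "$#" -lt 1 ]; then
        echo "need at least one interface" >&2
        return 1
    fi
    cmd="dumpcap"
    if [ -n "$filter" ]; then
        cmd="$cmd -f $(sq_quote "$filter")"
    fi
    for iface in "$@"; do
        case $iface in
            # Reject empty names, names that look like options, and anything
            # outside a conservative character set (no spaces, ;, |, $, quotes).
            ''|-*|*[!A-Za-z0-9_.:-]*)
                echo "bad interface name: $iface" >&2
                return 1
                ;;
        esac
        cmd="$cmd -i $iface"
    done
    # "-w -" writes the capture to stdout, which sshdump reads over SSH.
    printf '%s -w -\n' "$cmd"
}

# Constructed sample input: the filter and interfaces used in the answer.
build_capture_cmd 'arp or icmp' enp13s0 wlp14s0
```

The process listing on the server will still show the filter without quotes, because ps prints the argument vector joined by spaces.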