1 | initial version |
I solve this problem with local storage for the historical data collection and then use ssh with dumpcap to bring across 802.11 data from a Linux capture host to other PCs (Windows/Mac/Linux) for realtime analysis. So I have the same requirement as you, but I don't need this particular solution. I much prefer the local storage option as there are fewer moving parts - when the Linux capture system boots, it automatically starts the ring buffer with no human intervention, or even a network that is up, let alone other hosts that need to collect the traffic.
If you feel you need to bring across the data for remote storage and realtime analysis, you can try the pee
command in Linux (part of moreutils package). Something like this works to send the stream from a Linux capture system to a Macbook:
ssh sniff@remotesniffer "/usr/bin/dumpcap -i wlan1 -P -w - "| pee "wireshark -k -i -" "tshark -i -"
I don't know what will happen if, for instance, you shutdown Wireshark - you may not be able to restart it without bringing down the whole chain, which will defeat the purpose.
2 | No.2 Revision |
I solve this problem with local storage for the historical data collection and then use ssh with dumpcap to bring across 802.11 data from a Linux capture host to other PCs (Windows/Mac/Linux) for realtime analysis. So I have the same requirement as you, but I don't need this particular solution. I much prefer the local storage option as there are fewer moving parts - when the Linux capture system boots, it automatically starts the ring buffer with no human intervention, or even a network that is up, let alone other hosts that need to collect the traffic.
If you feel you need to bring across the data for remote storage and realtime analysis, you can try the pee
command in Linux Linux/MacOS (part of moreutils package). Something like this works to send the stream from a Linux capture system to a Macbook:
ssh sniff@remotesniffer "/usr/bin/dumpcap -i wlan1 -P -w - "| pee "wireshark -k -i -" "tshark -i -"
I don't know what will happen if, for instance, you shutdown Wireshark - you may not be able to restart it without bringing down the whole chain, which will defeat the purpose.