Ask Your Question
0

Problem trying to capture on a remote machine using ssh to run dumpcap on the remote machine

asked 2020-09-17 08:33:07 +0000

liaodalin19903 gravatar image

updated 2020-09-21 08:24:58 +0000

grahamb gravatar image

I followed the official documentation.

My remote-server is CentOS 7.9, and I have installed the wireshark in it.

I use the below command to open my local wireshark software to capture the remote-server's interface packet:

ssh root@remote-server-name 'dumpcap -w - -f "not port 22"' | wireshark -k -i -

but I get error information:

Capturing on 'nflog'
dumpcap: Invalid capture filter "not port 22" for interface nflog!

That string isn't a valid capture filter (NFLOG link-layer type filtering not implemented).
See the User's Guide for a description of the capture filter syntax.

and my local wireshark software displayed an error dialog with

End of file pipe magic during open.

I use the below command to special the interface:

ssh root@remote-server-name -i .ssh/id_rsa 'dumpcap -w - -f "not port 22"' | wireshark -k -i em1

but the wireshark says there is no such device, with an error dialog

The capture session could not be initiated
on interface 'em1' (No such device exists).

Please check that you have the proper
interface or pipe specified.

in my server there exist the em1 indeed.

[root@att ~]# ip a | grep em1
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
inet remote-ip/29 brd remote-ip scope global noprefixroute em1

EDIT-01

I print the interfaces:

$ ssh root@att -i .ssh/id_rsa 'dumpcap -D'
1. bridge0
2. docker0
3. nflog
4. nfqueue
5. em1
6. usbmon1
7. em2
8. veth8b8f97a
9. vethfe9fbcf
10. br-eb92c719d431
11. veth5587e98
12. any
13. lo (Loopback)
edit retag flag offensive close merge delete

Comments

Please post the full question here, otherwise it will be closed.

grahamb gravatar imagegrahamb ( 2020-09-17 08:55:59 +0000 )edit

...preferably with the Wireshark error message as text rather than a screenshot (the extra stuff in the picture doesn't add anything other than possibly a suggestion that the local machine might be a Mac, as the dialog looks Macish).

Guy Harris gravatar imageGuy Harris ( 2020-09-18 00:47:02 +0000 )edit

@grahamb I have updated my post with detail, please reopen it. thank you.

liaodalin19903 gravatar imageliaodalin19903 ( 2020-09-21 04:15:29 +0000 )edit

but I get error information: ``` Capturing on 'nflog' dumpcap: Invalid capture filter "not port 22" for interface nflog!

Dumpcap is trying to capture on the Linux "nflog" device, which isn't a regular network interface, and doesn't support normal capture filters such as "not port 22".

What does the command

ssh root@remote-server-name -i .ssh/id_rsa 'dumpcap -D'

print?

Guy Harris gravatar imageGuy Harris ( 2020-09-21 06:01:11 +0000 )edit

@GuyHarris Check my edit

liaodalin19903 gravatar imageliaodalin19903 ( 2020-09-21 06:21:19 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-09-21 17:00:26 +0000

Guy Harris gravatar image
dumpcap -w - -f "not port 22"

That will dump on the default device that libpcap supplies, although I'm surprised it's nflog rather than bridge0. In any case, it won't necessarily pick the device you want - you should use the -i flag to specify the device you want.

wireshark -k -i em1

As Jaap notes, that tells Wireshark on the local machine, not dumpcap on the remote machine, to capture on em1; your Mac doesn't have a device named em1, so it fails.

What you want is

ssh root@remote-server-name 'dumpcap -w - -i em1 -f "not port 22"' | wireshark -k -i -
edit flag offensive delete link more

Comments

thank you, this works.

liaodalin19903 gravatar imageliaodalin19903 ( 2020-09-22 10:36:28 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-09-17 08:33:07 +0000

Seen: 2,016 times

Last updated: Sep 21 '20