Wireshark isn't letting me change the parameters I specified for sshdump

2021-03-09 19:48:28

Katerina

2021-03-10 08:38:08

Guy Harris

Trying to run pcap remote and need to run Wireshark in sshdump mode. I don't see it as an option in the filters, but if I search for it while having opened Wireshark, I see it under applications. How do I activate it to run?

I also need to be able to run pcap remote to capture traffic between a smartphone and a printer. Would I install pcap remote on my phone and run Wireshark on my computer and capture a .pcap file, or how would I do it? (I have a problem with Wireshark not being able to capture packets between my smartphone and my wifi printer when my smartphone is running Android 11; that problem didn't exist when the phone is running Android 10.)

Thanks in advance!

I think you're confusing two things: pcap remote capture, which uses its own protocol and requires an rpcap server to be running on the target, and capture over an ssh tunnel using a utility such as sshdump, which requires an ssh server on the target and the ability to run a capture utility, e.g. tcpdump, on the target.

So which do you want to do?

grahamb ( 2021-03-09 20:13:52 +0000 )

I don't see it as an option in the filters

What do you mean by "in the filters"? sshdump is an external capture program ("extcap"), so it should show up in the list of network interfaces on the startup page and in the Capture > Options dialog.

Guy Harris ( 2021-03-09 23:52:25 +0000 )

I did misspeak. Let me explain what I did: I put pcap remote on my phone. I run it using the ssh option. I start the sshdump interface under Wireshark on my computer (I did find it towards the bottom). It originally asked me to enter the IP address and port that my pcap was showing. I did. Then it gave me an error that it can't connect. I can't find a way to call that sshdump interface options window from Wireshark and alter what is in there (maybe add the key file). So I am stuck. Wireshark's error message closes Wireshark and I can't see the pcap remote captures on my computer.

Katerina ( 2021-03-10 00:03:18 +0000 )

I put pcap remote on my phone.

Not everybody here has heard of "pcap remote"; it's best not to assume that everybody who might answer your question is familiar with all of the tools and terminology you're using.

There's a "pcap remote" that runs on Android; is that the "pcap remote" to which you're referring?

I can't find a way to call that sshdump interface options window from wireshark and alter what is in there

This is, I think, a bug in the extcap support in Wireshark. Please file a bug report on it at the Wireshark issue list.

Guy Harris ( 2021-03-10 08:37:28 +0000 )

Presumably you're doing something like this, where the Android app is named PCAP Remote (which is unfortunate, as that's confusing with rpcap, Remote Pcap) that offers an SSH server for Wireshark to connect to.

If so, then you're definitely interested in sshdump.

grahamb ( 2021-03-10 08:40:22 +0000 )

2021-03-10 08:46:50

grahamb

If you can see the "SSH remote capture" interface in the Capture interface list, you should be able to modify the connection settings by clicking the settings icon to the left of it (looks like a cog).

Found it, it worked. THANK YOU.

Katerina ( 2021-03-10 15:05:49 +0000 )

