Ask Your Question
0

Wireshark isn't letting me change the parameters I specified for sshdump

asked 2021-03-09 19:48:28 +0000

Katerina gravatar image

updated 2021-03-10 08:38:08 +0000

Guy Harris gravatar image

trying to run pcap remote and need to run wireshark in sshdump mode. I don't see it as an option in the filters, but if i search for it while having opened wireshark, i see it under applications. how do i activate it to run?

i also need to be able to run pcap remote to capture traffic between a smartphone and a printer. would i install pcap remote on my phone and run wireshark on my computer and capture a .pcap file or how would i do it? (i have a problem with wireshark not being able to capture packets betwee my smartphone and my wifi printer when my smartphone is running android 11; that problem didn't exist when the phone is running android 10).

thanks in advance!

edit retag flag offensive close merge delete

Comments

I think you're confusing two things; pcap remote capture which uses its own protocol and requires a rpcap server to be running on the target and capture over an ssh tunnel using a utility such as sshdump which requires an ssh server on the target and the ability to run a capture utility, e.g. tcpdump on the target.

So which do you want to do?

grahamb gravatar imagegrahamb ( 2021-03-09 20:13:52 +0000 )edit

I don't see it as an option in the filters

What do you mean by "in the filters"? sshdump is an external capture program ("extcap"), so it should show up in the list of network interfaces on the startup page and in the Capture > Options dialog.

Guy Harris gravatar imageGuy Harris ( 2021-03-09 23:52:25 +0000 )edit

I did misspeak. Let me explain what i did: i put pcap remote on my phone. I run it using the ssh option. I start the sshdump interface under the Wireshark on my computer (I did find it towards the bottom). It originally asked me to enter the IP address and port that my pcap was showing. I did. Then it gave me an error that it can't connect. I can't find a way to call that sshdump interface options window from wireshark and alter what is in there (maybe add the key file). So I am stuck. Wireshark's error message closes wireshark and i can't see the pcap remote captures on my computer.

Katerina gravatar imageKaterina ( 2021-03-10 00:03:18 +0000 )edit

i put pcap remote on my phone.

Not everybody here has heard of "pcap remote"; it's best not to assume that everybody who might answer your question is familiar with all of the tools and terminology you're using.

There's a "pcap remote" that runs on Android; is that the "pcap remote" to which you're referring?

I can't find a way to call that sshdump interface options window from wireshark and alter what is in there

This is, I think, a bug in the extcap support in Wireshark. Please file a bug report on it at the Wireshark issue list.

Guy Harris gravatar imageGuy Harris ( 2021-03-10 08:37:28 +0000 )edit

Presumably you're doing something like this where the Android app is named PCAP Remote (which is unfortunate as that's confusing with rpcap, Remote Pcap) that offers of an SSH server for Wireshark to connect to.

If so, then you're definitely interested in sshdump.

grahamb gravatar imagegrahamb ( 2021-03-10 08:40:22 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-03-10 08:46:50 +0000

grahamb gravatar image

If you can see the "SSH remote capture" interface in the Capture interface list, you should be able to modify the connection settings by clicking the settings icon to the left of it (looks like a cog).

edit flag offensive delete link more

Comments

found it, it worked. THANK You.

Katerina gravatar imageKaterina ( 2021-03-10 15:05:49 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2021-03-09 19:48:28 +0000

Seen: 167 times

Last updated: Mar 10