Ask Your Question
0

How do I use SSH Remote Capture in Wireshark

asked 2018-04-11 15:42:51 +0000

MiniMe gravatar image

I am using Wireshark 2.4.6 portable (downloaded from this site) and I am trying to configure the remote capture I am not clear on what I should use in the remote capture command line. What should I put there?

There is a help for this but it refers to the CLI option https://www.wireshark.org/docs/man-pa...

On the above page they say that using that sshdump CLI is the equivalent of this Unix CLI

ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE & $ wireshark FILE w

image description

edit retag flag offensive close merge delete

Comments

I filled out this form when I saw "SSH" option and now I can't edit this capture inerface. It just keeps going back to the same connection. Have you figured out how to use and edit this interface?

The documentation seems out of date for 2.61.

benjamin gravatar imagebenjamin ( 2018-06-07 15:16:25 +0000 )edit

The sshdump manpage is for the extcap binary that is used to make the ssh connection from Wireshark. Normally you won't need to look at that. The above dialog is the UI provided by the extcap and sshdump interface. I think the Remote Capture Command should be the full path to the binary you wish to use on the remote machine, e.g. /usr/sbin/tcpdump.

grahamb gravatar imagegrahamb ( 2018-06-07 16:42:29 +0000 )edit

@benjamin, I know this infinitely too late for you, but after stopping you pcap, save it if you wish, and then use the 'Close This Capture File' button to return to the main menu.

It's the 7th button from the left, it looks like a pcap icon with a large black cross through it.

SimpleOne gravatar imageSimpleOne ( 2020-07-25 08:52:34 +0000 )edit
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2018-10-24 11:08:41 +0000

LeSpocky gravatar image

With Wireshark v2.6.3 on Debian GNU/Linux 9 (stretch) I got it to run with the following content for the "Remote capture command" input field:

/usr/sbin/tcpdump -i eth0 -U -w - 'not (host 192.168.10.62 and port 22)'

I had to use the full path to tcpdump on the target, otherwise it was not found. The content of the fields "Remote interface" and "Remote capture filter" were ignored, so I also put those in the "Remote capture command" field. Note the quotes around the filter expression!

edit flag offensive delete link more
add a comment
0

answered 2021-08-27 11:36:27 +0000

MikeB gravatar image

same as another commented... i know this is way late but might help someone else. I too struggled with the gui interface. i entered info, and the 'save parameters on capture start' check was ticked. afterwards i could never get back to that window to alter the settings

those settings are stored in help > about > folders > personal configuration

for me it was /home/username/.config/wireshark

its just a text file. i opened it up and stripped out prior settings like the hostname, username and interface name. closed and reopened wireshark, then tried to ssh remote capture and was greeted with the gui dialog to change settings again.

hope that helps

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

subscribe to rss feed

Stats

Asked: 2018-04-11 15:42:51 +0000

Seen: 60,056 times

Last updated: Oct 24 '18

Related questions

SSH remote capture private key can't connect

SSH Remote Capture Restart Error

Remote ssh capture does not work on Windows 10

Wireshark 2.4.1 GTK Crash on long run

SSH performance question

Computer compromised through Steam personal/financial information stolen HELP [closed]

After upgrade to version 2.6.1 remote capture no longer works.

Sniffing on Windows 10 machine from a remote Linux machine

remote interface problems

sshdump does not connect and provides no error