How do I use SSH Remote Capture in Wireshark

asked 2018-04-11 15:42:51 +0000


I am using Wireshark 2.4.6 portable (downloaded from this site) and I am trying to configure the remote capture. I am not clear on what I should use in the remote capture command line. What should I put there?

There is help for this, but it refers to the CLI option.

On the above page they say that using the sshdump CLI is the equivalent of this Unix CLI:

$ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
$ wireshark FILE




I filled out this form when I saw the "SSH" option and now I can't edit this capture interface. It just keeps going back to the same connection. Have you figured out how to use and edit this interface?

The documentation seems out of date for 2.61.

benjamin (2018-06-07 15:16:25 +0000)

The sshdump manpage is for the extcap binary that is used to make the ssh connection from Wireshark. Normally you won't need to look at that. The above dialog is the UI provided by the extcap and sshdump interface. I think the Remote Capture Command should be the full path to the binary you wish to use on the remote machine, e.g. /usr/sbin/tcpdump.

grahamb (2018-06-07 16:42:29 +0000)
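The ssh + tcpdump pipeline quoted from the sshdump manpage in the question, and the "full path to the remote tcpdump" point from grahamb's comment, are easier to see as the by-hand version of what the dialog does. The script below is an added example, not code from the original post, from sshdump or from Wireshark: each function argument corresponds to one dialog field (host, port, user, remote interface, remote capture command, capture filter). The host, user, port, interface and path values are hypothetical. It assumes tcpdump is installed at the path you give, that the remote account is allowed to run it (root, NOPASSWD sudo restricted to tcpdump, or CAP_NET_RAW granted to the binary with setcap; do not open root ssh just for captures), and that key-based ssh authentication is already set up. Two things worth noting that the manpage one-liner leaves out: `-U` is what makes tcpdump flush packets as they arrive so the stream is live, and the capture filter must exclude the ssh session itself, otherwise the pcap bytes travelling back over ssh are themselves captured and the stream feeds back on itself.

```sh
#!/bin/sh
# Added example (not from the original post, sshdump or Wireshark): the
# ssh + tcpdump pipeline that sshdump automates, as shell functions whose
# arguments correspond one-to-one to the "SSH remote capture" dialog fields.
# Assumptions (hypothetical values, adjust for your hosts): tcpdump is at the
# path you pass, the remote account may run it (root, NOPASSWD sudo limited to
# tcpdump, or CAP_NET_RAW on the binary), and key-based ssh auth is configured.

# Build the command string that will run on the remote host. It is printed,
# not executed, so it can be reviewed (and tested) before a session is opened.
#   $1 remote tcpdump path   $2 remote interface   $3 ssh port in use
#   $4 BPF capture filter (may be empty)   $5 packet count (0 = unlimited)
build_remote_cmd() {
    cap=$1; iface=$2; port=$3; filter=$4; count=${5:-0}
    # -U: flush every packet to stdout as it arrives (needed for a live stream)
    # -n: no reverse DNS lookups on the remote side
    # -w -: write pcap to stdout, which ssh carries back to us
    remote="$cap -U -n -i $iface -w -"
    if [ "$count" -gt 0 ]; then
        remote="$remote -c $count"
    fi
    # Always exclude our own ssh session, otherwise the capture traffic is
    # itself captured and the stream feeds back on itself.
    self="not (tcp port $port)"
    if [ -n "$filter" ]; then
        remote="$remote '($filter) and $self'"
    else
        remote="$remote '$self'"
    fi
    printf '%s\n' "$remote"
}

# Live capture: stream the pcap straight into Wireshark (-k start capturing
# now, -i - read from stdin). This is what the sshdump dialog does for you.
#   $1 user  $2 host  $3 port  $4 tcpdump path  $5 iface  $6 filter  $7 count
run_remote_capture_live() {
    user=$1; host=$2; port=$3; shift 3
    ssh -p "$port" "$user@$host" "$(build_remote_cmd "$1" "$2" "$port" "$3" "$4")" \
        | wireshark -k -i -
}

# File variant, matching the form quoted from the sshdump manpage: capture to
# a file first, then open the finished file in Wireshark.
#   same arguments as run_remote_capture_live, plus $8 output file
run_remote_capture_to_file() {
    user=$1; host=$2; port=$3; out=$8
    # Runs until the packet count is reached or you interrupt ssh with Ctrl-C.
    ssh -p "$port" "$user@$host" "$(build_remote_cmd "$4" "$5" "$port" "$6" "$7")" > "$out"
    wireshark -r "$out"
}

# Usage (commented out so the file can be sourced without opening a session):
# run_remote_capture_live remoteuser remotehost 22222 /usr/sbin/tcpdump eth0 "udp port 53" 0
# run_remote_capture_to_file remoteuser remotehost 22222 /usr/sbin/tcpdump eth0 "" 1000 /tmp/remote.pcap
```

Giving the dialog's "Remote Capture Command" as a full path, as grahamb suggests, is the same thing `build_remote_cmd` does with its first argument: the remote login shell may not have /usr/sbin on its PATH, and spelling the path out also keeps a PATH entry on the remote box from substituting a different binary.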