
How do I use SSH Remote Capture in Wireshark

asked 2018-04-11 15:42:51 +0000

MiniMe

I am using Wireshark 2.4.6 portable (downloaded from this site) and I am trying to configure the remote capture. I am not clear on what I should use in the remote capture command line. What should I put there?

There is help for this, but it refers to the CLI option https://www.wireshark.org/docs/man-pa...

On the above page they say that using that sshdump CLI is the equivalent of this Unix CLI:

ssh [email protected] -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
$ wireshark FILE w


Comments

I filled out this form when I saw the "SSH" option and now I can't edit this capture interface. It just keeps going back to the same connection. Have you figured out how to use and edit this interface?

The documentation seems out of date for 2.61.

benjamin ( 2018-06-07 15:16:25 +0000 )

The sshdump manpage is for the extcap binary that is used to make the ssh connection from Wireshark. Normally you won't need to look at that. The above dialog is the UI provided by the extcap and sshdump interface. I think the Remote Capture Command should be the full path to the binary you wish to use on the remote machine, e.g. /usr/sbin/tcpdump.

grahamb ( 2018-06-07 16:42:29 +0000 )

1 Answer


answered 2018-10-24 11:08:41 +0000

LeSpocky

With Wireshark v2.6.3 on Debian GNU/Linux 9 (stretch) I got it to run with the following content for the "Remote capture command" input field:

/usr/sbin/tcpdump -i eth0 -U -w - 'not (host 192.168.10.62 and port 22)'

I had to use the full path to tcpdump on the target, otherwise it was not found. The contents of the fields "Remote interface" and "Remote capture filter" were ignored, so I also put those in the "Remote capture command" field. Note the quotes around the filter expression!
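
The command from the answer above, produced by a shell function that validates each value before it goes into the string the remote shell will interpret (an added example, not part of the original post or of Wireshark). The names build_capture_cmd and remote_capture are hypothetical, and the address is assumed to be one end of the SSH session carrying the capture.

```shell
#!/bin/sh
# Usage: build_capture_cmd IFACE SSH_ADDR [SSH_PORT] [TCPDUMP_PATH]
#   IFACE         interface to capture on at the target (e.g. eth0)
#   SSH_ADDR      address of one end of the SSH session; its traffic is excluded
#   SSH_PORT      port the SSH session uses (default 22)
#   TCPDUMP_PATH  full path to tcpdump on the target (default /usr/sbin/tcpdump)
build_capture_cmd() {
    iface=$1 addr=$2 port=${3:-22} bin=${4:-/usr/sbin/tcpdump}

    # The result is run by the remote shell, so accept only plain interface
    # names, IPv4/IPv6 literals, numeric ports and absolute paths.
    case $iface in ''|-*|*[!A-Za-z0-9_.:-]*) echo "bad interface" >&2; return 1;; esac
    case $addr in ''|*[!0-9A-Fa-f.:]*) echo "bad address" >&2; return 1;; esac
    case $port in ''|*[!0-9]*) echo "bad port" >&2; return 1;; esac
    case $bin in /*) ;; *) echo "tcpdump path must be absolute" >&2; return 1;; esac
    case $bin in *[!A-Za-z0-9_./-]*) echo "bad tcpdump path" >&2; return 1;; esac

    # -U    packet-buffered output, so packets are written as they arrive
    # -w -  write the pcap stream to stdout, which SSH carries back
    # The filter drops the SSH session itself; otherwise every packet sent
    # to Wireshark would be captured and sent again.
    # Single quotes keep the parentheses away from the remote shell.
    printf "%s -i %s -U -w - 'not (host %s and port %s)'\n" \
        "$bin" "$iface" "$addr" "$port"
}

# Runs the same command outside the GUI: ssh executes it on the target and
# Wireshark reads the pcap stream from stdin. TARGET is user@host.
remote_capture() {
    target=$1; shift
    cmd=$(build_capture_cmd "$@") || return 1
    ssh "$target" "$cmd" | wireshark -k -i -
}
```

The output of `build_capture_cmd eth0 192.168.10.62` is the line to paste into the "Remote capture command" field.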
