
How do I use SSH Remote Capture in Wireshark

asked 2018-04-11 15:42:51 +0000

MiniMe

I am using Wireshark 2.4.6 portable (downloaded from this site) and I am trying to configure the remote capture. I am not clear on what I should use in the remote capture command line. What should I put there?

There is a help page for this, but it refers to the CLI option.

On the page above they say that using the sshdump CLI is the equivalent of this Unix command line:

ssh [email protected] -p 22222 'tcpdump -U -i IFACE -w -' > FILE & $ wireshark FILE w

[screenshot: the SSH remote capture interface options dialog]


I filled out this form when I saw the "SSH" option and now I can't edit this capture interface. It just keeps going back to the same connection. Have you figured out how to use and edit this interface?

The documentation seems out of date for 2.61.

benjamin (2018-06-07 15:16:25 +0000)

The sshdump manpage is for the extcap binary that is used to make the ssh connection from Wireshark. Normally you won't need to look at that. The above dialog is the UI provided by the extcap and sshdump interface. I think the Remote Capture Command should be the full path to the binary you wish to use on the remote machine, e.g. /usr/sbin/tcpdump.

grahamb (2018-06-07 16:42:29 +0000)

@benjamin, I know this is infinitely too late for you, but after stopping your pcap, save it if you wish, and then use the 'Close This Capture File' button to return to the main menu.

It's the 7th button from the left, it looks like a pcap icon with a large black cross through it.

SimpleOne (2020-07-25 08:52:34 +0000)

1 Answer


answered 2018-10-24 11:08:41 +0000

With Wireshark v2.6.3 on Debian GNU/Linux 9 (stretch) I got it to run with the following content for the "Remote capture command" input field:

/usr/sbin/tcpdump -i eth0 -U -w - 'not (host and port 22)'

I had to use the full path to tcpdump on the target, otherwise it was not found. The content of the "Remote interface" and "Remote capture filter" fields was ignored, so I also put those in the "Remote capture command" field. Note the quotes around the filter expression!

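As an added example (not part of the original question or answer, and not code from the Wireshark project), the script below builds the same kind of "Remote capture command" string the answer uses and runs the equivalent plain ssh pipeline from the man page excerpt in the question. The one thing the answer's filter leaves implicit is why `port 22` is there: if tcpdump captures on the interface the ssh session rides on, every packet that carries capture output back to Wireshark is itself captured and produces more output, so the capture feeds on itself. The `not (host CLIENT and tcp port SSHPORT)` clause excludes that session, which is why the host argument (redacted in the answer) has to be filled in. It assumes tcpdump at /usr/sbin/tcpdump on the remote host, key-based ssh authentication, and uses the constructed documentation address 192.0.2.10 as the Wireshark host.

```shell
#!/bin/sh
# Added example, not from the original post or from Wireshark/sshdump.
# Assumptions: tcpdump is at /usr/sbin/tcpdump on the remote host and ssh
# works non-interactively (key auth). 192.0.2.10 below is a constructed address.

# Build the string for sshdump's "Remote capture command" field.
#   $1 = remote interface (e.g. eth0)
#   $2 = address of the Wireshark host as the remote sees it
#   $3 = ssh port on the remote host (default 22)
# The BPF filter excludes the ssh session carrying the capture stream so the
# capture does not record (and amplify) its own output.
build_remote_capture_cmd() {
    iface=$1
    client_ip=$2
    ssh_port=${3:-22}
    printf "%s -i %s -U -w - 'not (host %s and tcp port %s)'" \
        /usr/sbin/tcpdump "$iface" "$client_ip" "$ssh_port"
}

# Equivalent of the man-page pipeline without Wireshark's extcap:
#   ssh user@host -p PORT 'tcpdump -U -i IFACE -w -' > FILE
#   $1 = user@remotehost, $2 = ssh port, $3 = remote interface,
#   $4 = Wireshark host address, $5 = output file (or a FIFO Wireshark reads)
# The command string is passed as one argument; the remote login shell
# interprets the single quotes around the filter, exactly as sshdump relies on.
run_remote_capture() {
    remote=$1
    ssh_port=$2
    iface=$3
    client_ip=$4
    outfile=$5
    cmd=$(build_remote_capture_cmd "$iface" "$client_ip" "$ssh_port")
    ssh -p "$ssh_port" "$remote" "$cmd" > "$outfile"
}

# Sanity check: is the file a pcap/pcapng stream rather than a remote shell
# error such as "tcpdump: command not found" (the failure the answer hit when
# the path was not absolute)? Accepts classic pcap (both byte orders, micro-
# and nanosecond variants) and the pcapng section header magic.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (only runs when invoked with "capture"):
#   sh remote_capture.sh capture user@remotehost 22222 eth0 192.0.2.10 out.pcap
if [ "${1:-}" = "capture" ]; then
    shift
    run_remote_capture "$@"
fi
```

When Wireshark's extcap is used instead of this script, the string printed by `build_remote_capture_cmd` is what goes into the "Remote capture command" field; a quick `pcap_magic_ok` on a saved file is a cheap way to tell a real capture from a login error that ended up in the output.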

Seen: 37,539 times

Last updated: Oct 24 '18