Ask Your Question
0

How can I limit packets size when I use SSH remote capture?

asked 2022-08-04 04:31:56 +0000

Sonic gravatar image

I'm using Wireshark under windows. And I need to capture packets from a Linux-based router.

How do I limit packet size when I use SSH remote capture?

in the capture option window, I can set a limit for other interfaces but not for SSH remote capture

screenshot: https://i.stack.imgur.com/G5iEB.png

Thanks!

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-08-04 06:37:32 +0000

Guy Harris gravatar image

in the capture option window, I can set a limit for other interfaces but not for SSH remote capture

"Other interfaces" presumably means "interfaces other than the ones that have 'remote capture' in their names"; there's no ability to limit the packet size for Cisco or UDP Listener capture, either.

Those three are called "extcaps" (for "external capture"), and they work differently from the other interfaces; the other interfaces use the de facto standard APII for capturing (libpcap), but the "extcaps" use a separate program from Wireshark (some of which, such as those, are shipped with Wireshark, but they can also be provided by third parties).

I'll have to check whether there's a way for an "extcap" to indicate that it directly supports a "snapshot length" parameter to limit the packet size, but, even if it does, none of those extcaps support it.

So that's the bad news.

The good news is that, if you capture from the main Wireshark window rather than the "Capture Options" window, there should be, for all extcaps, an icon to the left of the interface name that look ssort of like a gear. If you click on the icon for a particular interface, it should pop up a dialog window to let you set parameters for the interface.

For SSH remote capture, there are four "tabs" in the dialog. If you select the "Capture" dialog, one option is "remote capture command"; that option specifies a command to run on the remote machine to do the capturing. If it's not specified, Wireshark constructs a tcpdump command; if it is, Wireshark just uses the command you specify.

The command should be something such as

tcpdump -i <interface> -s <packet size limit> '<filter>'

where <interface> is the name of the interfaces on the Linux machine, <packet size limit> is the packet size limit you want, and <filter> (the quotes around it are not always required, but they might be, so it's probably a Good Idea to use them) is the capture filter you want (if you want all packets, leave the filter, and the quotes around it, out). If you don't want to capture in promiscuous mode, add -p before '<filter>'; if you don't want to capture more than some number of packets, add -c <packet count>, where <packet count> is the maximum number of packets, before '<filter>'.

And please file an issue about the inability to specify snapshot lengths to various extcaps on the Wireshark issue list.

edit flag offensive delete link more

Comments

Thank you very much! Harris! I typed this as remote capture command, it seems working well

/usr/sbin/tcpdump -i br-lan -s200 -U -w -
Sonic gravatar imageSonic ( 2022-08-04 08:34:57 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2022-08-04 04:31:56 +0000

Seen: 58 times

Last updated: Aug 04