
How to clear packet list during live capture?

asked 2023-01-13 18:07:37 +0000

How do I clear the Packet List during a live capture session? The Stop/Start and Restart options do not work for me because I am capturing packets that are piped back to Wireshark via SSH.

ssh myserver "sudo tcpdump -i mynetworkinterface -w -" | "/c/Program Files/Wireshark/Wireshark.exe" -k -i -

Of course, I can close the application altogether and relaunch it from the CLI, but it's a little annoying. It seems like an option to "Clear Packet List" would be somewhat minor, almost trivial, to implement.


Comments

Have you considered using the sshdump extcap interface to capture with?

Jaap (2023-01-13 20:24:14 +0000)

How exactly would that work? Example?

pcpro178 (2023-01-14 02:03:11 +0000)

When installing Wireshark, you have the option of installing the External Capture Interfaces which include sshdump.
On the Wireshark Welcome Screen it will be listed in the lower "Capture" section of the screen.
Click the gear next to "SSH remote capture" to specify the server connection, authentication information and command to run for the capture along with any options or capture filter.

Chuckc (2023-01-14 03:09:31 +0000)

Unfortunately, I am not able to create an SSH session directly from my workstation to the network interface (mynetworkinterface) that needs to be monitored. It is on a different network, only accessible from the remote system (myserver).

pcpro178 (2023-01-16 14:41:15 +0000)

The SSH session would be to myserver.

Chuckc (2023-01-16 14:59:12 +0000)

1 Answer


answered 2023-01-16 21:36:41 +0000

Jaap

The packet list cannot be cleared, since it is a representation of the capture file that is built up from the data streaming in through the SSH connection. Stopping the capture, thereby killing the SSH connection, is the only option available here.

Using the sshdump extcap interface should provide something more usable, but given the comments, is not in scope.

