Cannot remote capture and filter?

asked 2023-03-30 01:59:47 +0000

avgjoe
1 ●1

updated 2023-03-30 02:00:51 +0000

I am hoping for a workaround. If I understand correctly, Wireshark cannot currently remote capture and remote filter at the same time on multiple remote interfaces. For SSH remote capture, you have 3 options. Dumpcap, tcpdump, or "command". Currently dumpcap ignores remote capture filters, and tcpdump does not allow two interfaces to be specified (ignoring "any" which is not workable). It appears that the dumpcap issue already has an old bug associated with it. That only leaves "Remote capture command" as a possible current workaround. My needs are pretty simple. I have a transmit and receive stream from a single link tap. In order to see both sides of a conversation on this link, I need to capture two specific interfaces. Does anyone know of a "capture command" in "interface options: SSH remote capture" that might work?

Comments

What's the remote OS and version?

grahamb ( 2023-03-30 11:16:52 +0000 )edit

I tried multiple versions of Linux for remote capture. No difference. My local system is Wireshark 4.0.4 on Windows 10. The remotes are a variety of lean Linux systems with minimal add-ons.

avgjoe ( 2023-03-30 16:38:53 +0000 )edit

avgjoe ( 2023-03-30 17:07:17 +0000 )edit

I'll try again, what's the remote OS and version. The version of dumpcap on the remote machine would also be helpful.

grahamb ( 2023-03-31 07:47:55 +0000 )edit

I tried 4 versions of linux BRAND NEW installs using latest iso, for the remote capture system. The last one I tried was TinyCore.13.1. I cannot look at the dumpcap version at the moment. It is whatever loads with a new install and after latest updates.

avgjoe ( 2023-03-31 17:22:27 +0000 )edit

add a comment

answered 2023-03-30 10:18:51 +0000

Bob Jones
1496 ●2 ●179 ●22 Boston, MA

Currently dumpcap ignores remote capture filters

On Windows Ver 4.0.4, this appears to work for me for simple filters when I select the dumpcap radiobox. I tried to upload a screen capture but it fails for some reason. The profile preferences shows the config:

extcap.sshdump_exe.remoteinterface: enp13s0
extcap.sshdump_exe.remotecapturecommandselect: dumpcap 
extcap.sshdump_exe.remotesudo: false 
extcap.sshdump_exe.remotenoprom:false 
extcap.sshdump_exe.remotefilter: arp or icmp
extcap.sshdump_exe.loglevel: message

This is the process I end up with on the Linux SSH server:

wsuser 465803  465802 TS   19 05:57 ? 00:00:00 dumpcap -i enp13s0 -w - -f arp or icmp

And indeed, I only see arp and icmp packets in the Wireshark GUI. Without the remote filter, more comes down.

tcpdump does not allow two interfaces to be specified

I have observed this, too.

"capture command" in "interface options: SSH remote capture"

I would suggest dumpcap directly in the remote capture command. Something like:

dumpcap -f "arp or icmp" -i enp13s0 -i wlp14s0  -w -

And the generated Linux process:

wsuser    474613  474612  0 06:12 ?        00:00:00 dumpcap -f arp or icmp -i enp13s0 -i wlp14s0 -w -

edit flag offensive delete link

Comments

Windows version "4.0.4"?? I assume that 4.0.4 is the Wireshark version you are running on remote windows capture system. I was using Linux (tried several) on the remote capture. So perhaps dumpcap works correctly using a windows remote capture system?? I will also try the command window using dumpcap on my Linux remote box. My local is windows (Wireshark), my remotes are small footprint Linux.

avgjoe ( 2023-03-30 16:50:55 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Cannot remote capture and filter?

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Cannot remote capture and filter? edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Cannot remote capture and filter?