Ask Your Question
0

Cannot remote capture and filter?

asked 2023-03-30 01:59:47 +0000

avgjoe gravatar image

updated 2023-03-30 02:00:51 +0000

I am hoping for a workaround. If I understand correctly, Wireshark cannot currently remote capture and remote filter at the same time on multiple remote interfaces. For SSH remote capture, you have 3 options. Dumpcap, tcpdump, or "command". Currently dumpcap ignores remote capture filters, and tcpdump does not allow two interfaces to be specified (ignoring "any" which is not workable). It appears that the dumpcap issue already has an old bug associated with it. That only leaves "Remote capture command" as a possible current workaround. My needs are pretty simple. I have a transmit and receive stream from a single link tap. In order to see both sides of a conversation on this link, I need to capture two specific interfaces. Does anyone know of a "capture command" in "interface options: SSH remote capture" that might work?

edit retag flag offensive close merge delete

Comments

What's the remote OS and version?

grahamb gravatar imagegrahamb ( 2023-03-30 11:16:52 +0000 )edit

I tried multiple versions of Linux for remote capture. No difference. My local system is Wireshark 4.0.4 on Windows 10. The remotes are a variety of lean Linux systems with minimal add-ons.

avgjoe gravatar imageavgjoe ( 2023-03-30 16:38:53 +0000 )edit
avgjoe gravatar imageavgjoe ( 2023-03-30 17:07:17 +0000 )edit

I'll try again, what's the remote OS and version. The version of dumpcap on the remote machine would also be helpful.

grahamb gravatar imagegrahamb ( 2023-03-31 07:47:55 +0000 )edit

I tried 4 versions of linux BRAND NEW installs using latest iso, for the remote capture system. The last one I tried was TinyCore.13.1. I cannot look at the dumpcap version at the moment. It is whatever loads with a new install and after latest updates.

avgjoe gravatar imageavgjoe ( 2023-03-31 17:22:27 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-03-30 10:18:51 +0000

Bob Jones gravatar image

Currently dumpcap ignores remote capture filters

On Windows Ver 4.0.4, this appears to work for me for simple filters when I select the dumpcap radiobox. I tried to upload a screen capture but it fails for some reason. The profile preferences shows the config:

extcap.sshdump_exe.remoteinterface: enp13s0
extcap.sshdump_exe.remotecapturecommandselect: dumpcap 
extcap.sshdump_exe.remotesudo: false 
extcap.sshdump_exe.remotenoprom:false 
extcap.sshdump_exe.remotefilter: arp or icmp
extcap.sshdump_exe.loglevel: message

This is the process I end up with on the Linux SSH server:

wsuser 465803  465802 TS   19 05:57 ? 00:00:00 dumpcap -i enp13s0 -w - -f arp or icmp

And indeed, I only see arp and icmp packets in the Wireshark GUI. Without the remote filter, more comes down.

tcpdump does not allow two interfaces to be specified

I have observed this, too.

"capture command" in "interface options: SSH remote capture"

I would suggest dumpcap directly in the remote capture command. Something like:

dumpcap -f "arp or icmp" -i enp13s0 -i wlp14s0  -w -

And the generated Linux process:

wsuser    474613  474612  0 06:12 ?        00:00:00 dumpcap -f arp or icmp -i enp13s0 -i wlp14s0 -w -
edit flag offensive delete link more

Comments

Windows version "4.0.4"?? I assume that 4.0.4 is the Wireshark version you are running on remote windows capture system. I was using Linux (tried several) on the remote capture. So perhaps dumpcap works correctly using a windows remote capture system?? I will also try the command window using dumpcap on my Linux remote box. My local is windows (Wireshark), my remotes are small footprint Linux.

avgjoe gravatar imageavgjoe ( 2023-03-30 16:50:55 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2023-03-30 01:59:47 +0000

Seen: 855 times

Last updated: Mar 30 '23