Ask Your Question
0

How to capture on TCP@ip:port interface?

asked 2024-04-18 03:55:53 +0000

cuuld gravatar image

updated 2024-04-18 04:11:41 +0000

The only reference I have right now is this post:

https://www.wireshark.org/lists/wires...

In my case, the data is sent to the Wireshark machine via netcat (nc), e.g. tcpdump -i any -w - | nc 192.168.1.2 57012

On the Wireshark machine side, I tried to read it using the TCP@ip:port syntax. Tried with both loopback IP 127.0.0.1 and the machine's actual network IP (e.g. 192.168.1.2). But it fails to connect with error returned. Port used is 57012, same port sent to from remote machine.

If I try something like first running on same Wireshark machine a netcat command to receive/listen for the data, like "nc -l 57012", then spin up Wireshark with the TCP@ip:port syntax, then it doesn't complain about connection failure, but I get no data coming through.

What does work for me is if i use netcat and instead pipe the data to Wireshark, e.g. "nc -l 57012 | wireshark -i -", I still have to start capture from UI but then it works.

Or I can swap out the piped wireshark section with "tshark -r -" to see a dump on the terminal. But using tshark with the special TCP syntax also give same issues as Wireshark.

So I wanted to ask how exactly is this syntax feature supposed to work, the normal recommended deployment scenario for how it is used.

It sounds like if using the syntax to connect to a remote machine that is sending/having the data rather than the Wireshark machine querying itself on the localhost network to get at the data works better? How is this setup typically configured or deployed?

Sadly for me, unlike that referenced post, the loopback address doesn't work for me.

There is some brief but not that helpful example mentioned here https://www.netresec.com/?page=Blog&m..., it didn't help me in my test setup.

Or is my test setup incorrect? If so, in which case, using *nix toolchain of combining tools, how can I send data from remote capture machine A using tcpdump/dumpcap to Wireshark machine B so that Wireshark can fetch the data using [email protected]:port interface?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2024-04-18 05:40:07 +0000

Jaap gravatar image

The idea is to setup a listening port on the capture side and then connect to that from Wireshark remotely. Therefore the correct syntax is:

tcpdump -i any -w - not tcp port 57012 | nc -l 192.168.1.2 57012

Note that it does -l to make netcat listen for an incoming connection on the local interface 192.168.1.2 port 57012. And tcpdump filters out the netcat traffic itself, otherwise it will recursively capture the netcat traffic.

Now that netcat is waiting for an incoming connection you can use the pipe in Wireshark as [email protected]:57012 to connect to the remote netcat and receive the pcap traffic over the network.

As an alternative, if you can SSH into the remote host where you want to capture, you may want to try using the SSH remote capture extcap interface.

edit flag offensive delete link more

Comments

I understand what you're saying here. So there's no efficient or effective way to do it the other way around where you want capture side to send the data to a remote port for the remote side (Wireshark) to then view the data via its local interface? The reasoning for this alternative setup is to avoid setting up a port on capture server for remote side to connect to, we want the security implication to be on the remote side to handle having a port open to receive data instead, and capture side just sends to whatever remote port destination you provide (not the server itself).

cuuld gravatar imagecuuld ( 2024-04-18 18:12:41 +0000 )edit

Perhaps you can. Have the side where Wireshark is supposed to run setup a listening netcat, which feeds into a local socket or fifo and have Wireshark capture from that. Not an exact scenario, but capture setup with pipes has discussions about this.

Jaap gravatar imageJaap ( 2024-04-24 19:55:09 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2024-04-18 03:55:53 +0000

Seen: 964 times

Last updated: Apr 18