Scenario: Host: Windows 10 Pro; Guest (VirtualBox): Ubuntu Server 18.04
Test #1 (local capture in guest Ubuntu):
When typed in the Ubuntu terminal (as root):

    tcpdump -ni enp0s8 -s 0 -w - not port 22

it does work, capturing packets to the tty screen.
Test #2 (plink remote capture):
From the Windows console:

    plink.exe -batch -ssh -pw charate19 root@192.168.176.2 "tcpdump -ni enp0s8 -s 0 -w - not port 22" | "C:\Program Files\Wireshark\Wireshark.exe" -k -i -

Wireshark connects but gets no packets (root SSH password login is enabled). tcpdump is running OK in Ubuntu:

    UID  PID   PPID  C STIME TTY TIME     CMD
    root 10542 10447 0 11:30 ?   00:00:00 tcpdump -ni enp0s8 -s 0 -w - not port 22
Test #3 (Wireshark's SSH remote capture):
From Windows' Wireshark, SSH remote capture interface, with options:

    Remote SSH server address  = 192.168.176.2
    Remote SSH server port     = 22
    Remote SSH server username = root
    Remote SSH server password = my-password
    Remote interface           = enp0s8
    Remote capture command     = /usr/sbin/tcpdump -s 0 -w -
    Remote capture filter      = not port 22
    Packets to capture         = 0
Again, Wireshark connects but gets no packets. tcpdump is running in Ubuntu (but no interface set):

    UID  PID   PPID  C STIME TTY TIME     CMD
    root 10677 10560 0 11:47 ?   00:00:00 /usr/sbin/tcpdump -s 0 -w -
As neither the interface nor the filter appears, the same but with:

    Remote capture command = /usr/sbin/tcpdump -ni enp0s8 -s 0 -w - not port 22

    UID  PID   PPID  C STIME TTY TIME     CMD
    root 11246 11149 0 11:51 ?   00:00:00 /usr/sbin/tcpdump -ni enp0s8 -s 0 -w - not
Summary: remote Wireshark gets no packets, but launches remote tcpdump with the right parameters.
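A check worth doing before pointing Wireshark at the pipe, added here as an example and not part of the post above: confirm that the remote tcpdump is actually delivering pcap bytes through the SSH pipe. The script below (assumed host 192.168.176.2, user root and interface enp0s8 are taken from the post; the function names are the example's own) starts the remote capture with ssh, and a small checker reads the first four bytes of the stream and reports whether they are a pcap or pcapng magic number. It also passes -U (--packet-buffered) to tcpdump, which makes tcpdump flush each packet to stdout as it is captured instead of holding it in its output buffer; when stdout is a pipe rather than a terminal, a low-traffic interface can otherwise leave the reader waiting for a buffer that never fills. On Windows the plink command from the post takes the place of ssh in the pipeline.

```shell
#!/bin/sh
# Added example, not from the original post. Host, user and interface are
# placeholders taken from the post; adjust them for your own setup.

# Read the start of a capture stream from stdin and return 0 if the first
# four bytes are a pcap or pcapng magic number, 1 otherwise. Consumes only
# the bytes it needs and prints nothing.
check_pcap_magic() {
  # od -N4 stops after four bytes; -An drops the offset column; -tx1 prints hex
  magic=$(od -An -tx1 -N4 | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4) return 0 ;;   # classic pcap, microsecond timestamps (LE/BE)
    4d3cb2a1|a1b23c4d) return 0 ;;   # classic pcap, nanosecond timestamps (LE/BE)
    0a0d0d0a)          return 0 ;;   # pcapng Section Header Block
    *)                 return 1 ;;
  esac
}

# Start the remote capture. -T disables pseudo-tty allocation so the pipe
# carries raw pcap bytes; -U makes tcpdump flush every packet immediately.
# The capture filter excludes the SSH session itself so the capture does not
# feed on its own traffic.
remote_capture() {
  host=$1
  iface=$2
  ssh -T "root@$host" "tcpdump -U -ni $iface -s 0 -w - not port 22"
}

# Usage (assumed values):
#   remote_capture 192.168.176.2 enp0s8 | check_pcap_magic && echo "pcap header seen"
#   remote_capture 192.168.176.2 enp0s8 | wireshark -k -i -
```

If check_pcap_magic reports nothing, the problem is on the remote side or in the SSH pipe (tcpdump output buffering, a pty mangling binary data, or tcpdump writing to the terminal instead of stdout); if the header arrives but Wireshark still shows nothing, look at the Wireshark side of the pipe.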