sudo might be unavailable on the target; do not bother when root.

Based on ssh-tcpdump, but uses dumpcap and supports specifying the
hostname and interface through capture options. Should probably
integrate that with ssh-tcpdump, but I quickly needed something working.
Known issues:
- On exit Wireshark assumes that stderr is an error.
- dumpcap does not exit on the remote server, tracked by
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14431
- Stopping a capture, killing dumpcap and starting a capture again
results in a corrupted dissection (interpreted as ERF). The pcapng
file on the filesystem is ok, it is just a GUI problem.
Tested with Wireshark v2.9.1rc0-558-geec3ce3bb2.

Requires Python 3.4, but it can be adapted for older versions. It
demonstrates how "easy" it is to capture remotely over SSH when only
tcpdump is installed without dumpcap (in that case you could use
sshdump).
Note that on stopping/restarting captures, you still get some stderr
messages ("Dropped privileges"), but those can be ignored. See also
https://ask.wireshark.org/questions/55768/remote-interface-linux