Wireshark Remote Capturing

Submitted by gbi (Contact Author) (Forums) on Tue, 2010-03-09 11:55. :: Monitoring

Falko has written a nice tutorial with some screenshots on the basic usage of Wireshark.

This short tutorial has no screenshots but covers a slightly more advanced use case of Wireshark, namely doing the capture on one box and visualizing the captured data in real time on another box.


Preliminary

The following article describes the way I installed and used the software; I do not guarantee that the same way works for you. You should have some basic knowledge of working in a shell. As Wireshark runs on a wide variety of platforms, this should work on nearly every platform that is supported by Wireshark and OpenSSH. In my case Debian and Ubuntu were involved.


1. The Problem

It happened that we had some subtle problems regarding DNS, namely regarding reverse DNS. Our setup is simple: we have local DNS servers which forward all queries they cannot resolve to an uplink DNS, which should take care of the further name resolution. The uplink DNS is administrated by another organisation, which led to the usual finger-pointing: "we are not guilty, our equipment performs well, we have to invoice you the costs, blabla ...". Sigh. So I thought about how this problem could be analyzed further, and quickly remembered my system described in http://www.howtoforge.com/trafficanalysis-using-debian-lenny. Perfect, I thought: the box is already sitting next to the uplink, so it should easily be possible to monitor all traffic that rushes over the uplink and to look at all DNS-related traffic to see what happens.

My first idea was to install Wireshark directly on this box and, with the help of a little X11 forwarding, see what was going on on the uplink. But there was not enough disk space to install Wireshark and all the X11-related libraries.


2. The Solution

My next idea was to capture the traffic on the probe into a file, copy this file to my normal box, and read it into Wireshark. But how cumbersome and long-winded: copying files around, or at least mounting drives over the net. The solution is much simpler: install tshark (the text-mode little brother of Wireshark) on the probe, call it remotely with the help of ssh, and pipe the output of tshark directly into Wireshark! This solution comes from the Wireshark Wiki, but its simplicity impressed me enough to write this short tutorial.

  • Set up passwordless ssh login on the probe, as described for instance here, and check that it is working.
  • On your local box, where your Wireshark sits and waits to do something useful, simply call it with

wireshark -k -i <( ssh -l root IP-of-probe /usr/bin/tshark -i eth0 -w - port 53 )

and enjoy. The traffic is filtered on the probe (here to port 53, i.e. DNS), so that you are not overwhelmed by the vast number of packets that may travel over your uplink. The captured traffic is transported over an encrypted ssh connection from the probe to the visualization box, and you can see in real time what's going on on the uplink.

In my case I did not need to filter out the ssh traffic (as in the example in the Wireshark Wiki), because the sniffing is done on eth0, and the ssh traffic runs over eth1.

There are other methods described in the Wireshark Wiki using named pipes, but this method using ssh looked like the easiest to set up to me.

One little problem I had while doing this: ending Wireshark did not end tshark on the probe, but a

pkill tshark

on the probe helped, or, if you are not logged in on the probe,

ssh root@probe pkill tshark

should also work.
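The procedure above (remote tshark piped into Wireshark over ssh, plus stopping the leftover tshark on the probe) wrapped into a small script, as an added example that is not part of the original article. The host name probe, the interface and the capture filter are assumed values; the remote account is root as in the article, though a non-root account with capture privileges is preferable.

```shell
#!/bin/sh
# Added example, not from the original article: wrap the ssh+tshark capture
# shown above and stop the remote tshark when Wireshark exits, which the
# article notes does not happen on its own. Host, user, interface and filter
# are parameters; the values used below are constructed, mirroring the article.

# Build the remote capture command as the article runs it. tshark writes the
# pcap stream to stdout ("-w -"), filtered on the probe by a capture filter.
build_remote_cmd() {
    host=$1; user=$2; iface=$3; filter=$4
    printf 'ssh -l %s %s /usr/bin/tshark -i %s -w - %s' \
        "$user" "$host" "$iface" "$filter"
}

# Build the cleanup command (article: "ssh root@probe pkill tshark").
build_cleanup_cmd() {
    host=$1; user=$2
    printf 'ssh -l %s %s pkill tshark' "$user" "$host"
}

# Start Wireshark reading the live stream. Process substitution '<( )' is a
# bash feature, so the actual capture line is handed to bash explicitly;
# the trap makes sure the probe-side sniffer is terminated on any exit.
remote_capture() {
    remote=$(build_remote_cmd "$1" "$2" "$3" "$4")
    cleanup=$(build_cleanup_cmd "$1" "$2")
    trap '$cleanup' EXIT INT TERM
    bash -c "wireshark -k -i <( $remote )"
}

# Usage (constructed values): remote_capture probe root eth0 "port 53"
```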

Regarding our DNS problem, I could immediately see what's going on. ;-)


3. URLs


Submitted by Gerald Combs (not registered) on Tue, 2010-03-09 17:43.
You might want to look at using dumpcap instead of TShark. It's a bit more lightweight. It's also possible to adjust privileges so that you don't have to run as root.
Submitted by gbi (not registered) on Mon, 2010-03-15 09:10.

Hi Gerald,

thanks for your suggestion.

I have checked dumpcap and it also (kind of) works.

'Kind of' because, according to its manpage, the '-w' switch should not be used to write to stdout; from its manpage:

NOTE: The usage of "-" for stdout is not allowed here!

But it works, at least with Lenny.

Another disadvantage is that it's not able to perform filtering, like tshark does.

But I have also checked tcpdump, and tcpdump also works:

wireshark -k -i <( ssh -l root probe /usr/sbin/tcpdump -i eth0 -w - port 53 )

I have not checked how much resources are consumed by either one of those sniffers.

The issue that I have used the root account should be solvable with a non-root account which has appropriate group memberships