Comments on Wireshark Remote Capturing

Wireshark Remote Capturing

This short tutorial has no screenshots but covers a slightly more advanced use case of Wireshark: doing the capture on one box and visualizing the captured data in real time on another box.


Comments

By: Gerald Combs

You might want to look at using dumpcap instead of TShark. It's a bit more lightweight. It's also possible to adjust privileges so that you don't have to run as root.

By: gbi

Hi Gerald,

thanks for your suggestion.

I have checked dumpcap and it also (kind of) works.

'Kind of' because according to its manpage the '-w' switch should not be used to write to stdout; from its manpage:

NOTE: The usage of "-" for stdout is not allowed here!

But it works, at least with Lenny.

Another disadvantage is that it's not able to perform filtering like tshark does.

But I have also checked tcpdump, and tcpdump also works:

    wireshark -k -i <( ssh -l root probe /usr/sbin/tcpdump -i eth0 -w - port 53 )

I have not checked how much resources are consumed by either one of those sniffers.

The issue that I have used the root account should be solvable with a non-root account which has appropriate group memberships.

By: Tomas Pospisek

Hi gbi,

the command from your article:

    wireshark -k -i <( ... )

doesn't work on recent wiresharks (v2.6.8-1.1 from Debian buster). You instead need:

    wireshark -k -i - <( ... )

You might want to fix that in the article.
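The three comments together describe one procedure: run a sniffer on the probe, stream its pcap output through ssh, and have the local Wireshark read that stream from stdin. The wrapper below is an added example that pulls those points together; it is not code from the article or from any of the commenters. It keeps the probe name `probe` from gbi's command line but assumes a hypothetical unprivileged login `capture` on the probe, set up along the lines Gerald suggests (for dumpcap, membership in the `wireshark` group after `dpkg-reconfigure wireshark-common` on Debian; for tcpdump, file capabilities via `setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump`), and it uses the `ssh ... | wireshark -k -i -` form, i.e. the `-i -` that Tomas reports is needed on current releases. Two details the comments do not mention are built in: the ssh session that carries the capture back is always excluded from the capture filter (otherwise the capture records its own transport and feeds back on itself), and tcpdump is given `-U` so it flushes every packet instead of buffering them, which is what makes the display actually real time.

```shell
#!/bin/sh
# remote-capture.sh: added example for the remote-capture pattern discussed in the
# comments; not code from the article or its commenters.
#
# Assumptions (hypothetical, not from the page):
#   - the probe is reachable as $PROBE_HOST and the login $PROBE_USER may run the
#     sniffer without root (dumpcap: member of the "wireshark" group after
#     "dpkg-reconfigure wireshark-common" on Debian; tcpdump: file capabilities
#     "setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump")
#   - the local Wireshark understands "-i -" (read the live capture from stdin)
PROBE_HOST=${PROBE_HOST:-probe}
PROBE_USER=${PROBE_USER:-capture}

# sniffer_cmd SNIFFER IFACE [FILTER]
# Print the command that runs on the probe and writes a pcap stream to stdout.
# The ssh session carrying that stream back is always excluded from the capture:
# without "not port 22" the capture would record its own transport and feed
# back on itself.
sniffer_cmd() {
    sniffer=$1
    iface=$2
    filter=$3
    exclude='not port 22'
    if [ -n "$filter" ]; then
        filter="($filter) and $exclude"
    else
        filter=$exclude
    fi
    case $sniffer in
        tcpdump)
            # -w - writes pcap to stdout; -U flushes after every packet so the
            # probe does not sit on a full stdio buffer while Wireshark waits.
            # tcpdump takes the capture filter as a positional expression.
            printf '%s' "tcpdump -i $iface -U -w - '$filter'" ;;
        dumpcap)
            # dumpcap takes the BPF capture filter via -f; what it lacks compared
            # with tshark is display filtering, not capture filtering.
            printf '%s' "dumpcap -i $iface -w - -f '$filter'" ;;
        *)
            echo "sniffer_cmd: unknown sniffer '$sniffer' (use tcpdump or dumpcap)" >&2
            return 1 ;;
    esac
}

# remote_capture_cmd SNIFFER IFACE [FILTER]
# Print the full local command line: run the sniffer over ssh and hand its
# stdout to Wireshark, which reads the live stream from stdin with "-i -" and
# starts capturing immediately with "-k".
remote_capture_cmd() {
    remote=$(sniffer_cmd "$1" "$2" "$3") || return 1
    printf '%s' "ssh -l $PROBE_USER $PROBE_HOST \"$remote\" | wireshark -k -i -"
}

# Only start a capture when explicitly asked, e.g.
#   REMOTE_CAPTURE_RUN=1 sh remote-capture.sh tcpdump eth0 'port 53'
# Without the variable the script just defines the two functions above.
if [ "${REMOTE_CAPTURE_RUN:-0}" = 1 ]; then
    cmd=$(remote_capture_cmd "$@") || exit 1
    echo "+ $cmd" >&2
    eval "$cmd"
fi
```

The filter you pass is a BPF capture filter, so `port 53` from gbi's example works unchanged with either sniffer; with tcpdump it becomes a positional expression, with dumpcap it goes through `-f`. If the probe's ssh daemon listens on a non-standard port, change the `exclude` expression accordingly, or the loop described above comes back.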