Wireshark Remote Capturing

Falko has written a nice tutorial with some screenshots regarding basic usage of Wireshark.

This short tutorial has no screenshots but covers a slightly more advanced use case of Wireshark: doing the capture on one box and visualizing the captured data in real time on another box.

Preliminary

The following article describes the way I installed and used the software; I do not guarantee that the same way works for you. You should have some basic knowledge of working in a shell. As Wireshark runs on a wide variety of platforms, this should work on nearly every platform supported by both Wireshark and OpenSSH. In my case Debian and Ubuntu were involved.

1. The Problem

We had some subtle problems regarding DNS, namely reverse DNS. Our setup is simple: we have local DNS servers which forward all queries they cannot resolve to an uplink DNS server, which should take care of the further name resolution. The uplink DNS is administered by another organisation, which led to the usual finger-pointing ("we are not guilty, our equipment performs well, we will have to invoice you the costs, ..."). Sigh. So I thought about how this problem could be analyzed further, and quickly remembered my system described in https://www.howtoforge.com/trafficanalysis-using-debian-lenny. Perfect, I thought: the box is already sitting next to the uplink, so it should be easy to monitor all traffic that crosses the uplink, look at the DNS-related traffic, and see what happens.

My first idea was to install Wireshark directly on this box and, with the help of a little X11 forwarding, see what's going on on the uplink. But there was not enough disk space to install Wireshark and all the X11-related libraries.

2. The Solution

My next idea was to capture the traffic on the probe into a file, copy the file to my normal box, and read it into Wireshark. But how cumbersome and long-winded: copying files around, or at least mounting drives over the net. The actual solution is much simpler: install tshark (the text-mode little brother of Wireshark) on the probe, call it remotely via ssh, and pipe the output of tshark directly into Wireshark. This solution comes from the Wireshark Wiki, but its simplicity enthused and amazed me enough to write this short tutorial.

  • Set up passwordless ssh login on the probe, as described for instance here, and check that it's working.
  • On your local box, where your Wireshark sits and waits to do something beneficial, simply call it with
wireshark -k -i <( ssh -l root IP-of-probe /usr/bin/tshark -i eth0 -w - port 53 )

and enjoy. Here -k tells Wireshark to start capturing immediately, and -i names the "interface", which thanks to the shell's process substitution (a bash/zsh feature, not plain sh) is a pipe fed by ssh. On the probe, tshark's -w - writes the raw pcap stream to stdout, and port 53 is a capture filter applied on the probe, so you are not swamped by the vast amount of packets that may travel over your uplink. The captured traffic is transported over an encrypted ssh connection from the probe to the visualization box, and you can see in real time what's going on on the uplink. Two things to keep in mind: the key from the first step gives passwordless root on the probe, so restrict it (sshd's authorized_keys command= option pins a key to a single command) or use a non-root capture account; and since all dissection happens in your local Wireshark, the probe side needs nothing more than a process that is allowed to capture.
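The passwordless root key the recipe relies on deserves one hardening step before it goes near a production probe: pin it to the capture command. The following is an added example, not code from the original article, from Wireshark or from OpenSSH. It is a forced-command wrapper for the probe side together with the authorized_keys line that installs it. The wrapper path /usr/local/sbin/capture-wrapper, the interface allow list, the permitted BPF vocabulary and the analysis box's address 192.0.2.10 are assumptions. It runs tcpdump rather than tshark on the probe because the probe only has to stream pcap to stdout, and tcpdump's -U flushes every packet so the live display does not lag.

```shell
#!/bin/sh
# Added example, not from the original article or the Wireshark project:
# a forced-command wrapper that turns the probe's passwordless key into a
# capture-only key. Assumed: this file lives at /usr/local/sbin/capture-wrapper
# on the probe, eth0 is the uplink, and 192.0.2.10 is the analysis box.
#
# Install: the output of authorized_keys_line goes into the capture account's
# ~/.ssh/authorized_keys on the probe. sshd then ignores whatever the client
# asked to run, executes this wrapper and exposes the client's request in
# SSH_ORIGINAL_COMMAND. The local box runs:
#
#   wireshark -k -i <( ssh -l root IP-of-probe capture eth0 port 53 )

ALLOWED_IFACES="eth0"                     # interfaces that may be sniffed
WRAPPER=/usr/local/sbin/capture-wrapper   # assumed install path

# Emit the authorized_keys entry for one public key: forced command, client
# address pinned, and every ssh feature a capture session does not need off.
authorized_keys_line() {
    printf 'command="%s",from="192.0.2.10",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$WRAPPER" "$1"
}

# Validate a request "capture <iface> [bpf filter ...]" and print the exact
# tcpdump command line it maps to. Anything else yields no output and exit 1.
# Runs in a subshell so that `set -f` (no pathname expansion of the request)
# and the positional-parameter rewrite do not leak into the caller.
capture_cmd() (
    set -f
    set -- $1                              # split the request into words
    [ "$#" -ge 2 ] && [ "$1" = capture ] || exit 1
    iface=$2
    shift 2
    case " $ALLOWED_IFACES " in
        *" $iface "*) ;;
        *) exit 1 ;;                       # not a sniffable interface
    esac
    filter=""
    for tok in "$@"; do
        # Allow BPF keywords, numbers and dotted addresses only. Quotes,
        # semicolons, backticks and $ never get through, so the request can
        # never be turned into a shell command.
        case "$tok" in
            port|host|net|src|dst|and|or|not|tcp|udp|icmp) ;;
            *[!0-9.]*) exit 1 ;;
        esac
        filter="$filter $tok"
    done
    # -U flushes each packet to the pipe so the live display does not lag;
    # -n never resolves names on the probe; -w - streams pcap to stdout,
    # which ssh carries to the analysis box.
    printf '/usr/sbin/tcpdump -U -n -i %s -w -%s\n' "$iface" "$filter"
)

# Entry point when sshd runs this file as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    cmd=$(capture_cmd "$SSH_ORIGINAL_COMMAND") || {
        echo "capture-wrapper: request rejected: $SSH_ORIGINAL_COMMAND" >&2
        exit 1
    }
    set -f
    exec $cmd                              # replace the shell with tcpdump
fi
```

With the key restricted this way the client has to send exactly a `capture <iface> <filter>` request; the original `/usr/bin/tshark ...` invocation, a shell, scp or any port forwarding with that key are refused by the wrapper or by sshd. The wrapper does not care whether the capture account is root: on Debian and Ubuntu, `dpkg-reconfigure wireshark-common` creates a wireshark group whose members may capture with dumpcap, and tcpdump can drop privileges itself with `-Z user`. Recent Wireshark versions also accept the stream on standard input, so `ssh -l root IP-of-probe capture eth0 port 53 | wireshark -k -i -` works without process substitution.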

In my case I did not need to exclude the ssh traffic itself from the capture (as the example in the Wireshark Wiki does), because the sniffing is done on eth0 while the ssh session runs over eth1. If both share an interface, exclude the ssh port in the capture filter; otherwise every captured packet causes ssh traffic that is captured in turn, and the capture feeds itself.

There are other methods described in the Wireshark Wiki using named pipes, but this method using ssh looked like the easiest to set up to me.

One little problem I had: quitting Wireshark did not end tshark on the probe. tshark typically only notices that its output pipe has gone away when it next tries to write a packet, so with a quiet capture filter it can linger for a while. A

pkill tshark

on the probe helps, or, if you are not logged in to the probe,

ssh [email protected] pkill tshark

should also work.

Regarding our DNS problem, I could immediately see what was going on. ;-)

3. URLs


Comments

By: Gerald Combs

You might want to look at using dumpcap instead of TShark. It's a bit more lightweight. It's also possible to adjust privileges so that you don't have to run as root.

By: gbi

Hi Gerald,

thanks for your suggestion.

I have checked dumpcap and it also (kind of) works.

'Kind of' because according to its manpage the '-w' switch should not be used to write to stdout; from its manpage:

NOTE: The usage of "-" for stdout is not allowed here!

But it works, at least with Lenny.

Another disadvantage is that it's not able to perform filtering like tshark does.

But I have also checked tcpdump, and tcpdump also works:

wireshark -k -i <( ssh -l root probe /usr/sbin/tcpdump -i eth0 -w - port 53 )

I have not checked how much resources are consumed by either one of those sniffers.

The issue that I have used the root account should be solvable with a non-root account which has appropriate group memberships.

By: Tomas Pospisek

Hi gbi,

the command from your article:

    wireshark -k -i <( ... )

doesn't work on recent wiresharks (v2.6.8-1.1 from Debian buster). You instead need:

    wireshark -k -i - <( ... )

You might want to fix that in the article.