Wireshark Remote Capturing
Falko has written a nice tutorial with some screenshots regarding basic usage of Wireshark.
This short tutorial is without screenshots but a slightly more advanced usecase of Wireshark, namely doing the capture on one box and visualize the captured data in realtime on another box.
The following article describes the way I installed and used the software, I do not issue any guarantee that the same way works for you. You should have some basic knowledge doing things in a shell. As Wireshark runs on a wide variety of platforms, this should work on nearly every platform which are supported by Wireshark and Open-SSH. In my case Debian and Ubuntu were involved.
1. The Problem
It happened that we had some subtle problems regarding DNS, namely regarding Reverse-DNS. Our setup is simple, we have local DNS Servers which forward all queries they can not resolve to an uplink DNS, which should take care for the further nameresolution. The uplink DNS is administrated by another organisation, which led to the usual fingerpointing "we are no guilty, our equipment performs well, we have to invoice you the costs, blabla ...". Sigh. So I thought about how this problem could be further analyzed, and quickly remembered my system described in http://www.howtoforge.com/trafficanalysis-using-debian-lenny. Perfect I thought, the box is already sitting next to the uplink, and it should easily be possible to monitor all traffic which rushes over the uplink, and to have a look on all DNS related traffic, to see what happens.
My first idea was to install Wireshark directly on this box, and with the help of a little X11-forwarding to see whats going on on the uplink. But there was not enough diskspace to install Wireshark and the whole X11 related libraries.
2. The Solution
My next idea was to capture the traffic on the probe into a file, copy this file to my normal box, and read it into Wireshark. But how cumbersome, long-winded, copying files around or at least mount drives over the net. But the solution is so simple. Install tshark (the textmode related little brother of Wireshark) on the probe, call it remotely with the help of ssh, and directly pipe the output of tshark into Wireshark! This solution is from the Wireshark Wiki, but the simplicity enthused and amazed me to write this short Tutorial.
- Setup passwordless ssh login on the probe like described for instance in here, and check that it's working.
- On your local box where your Wireshark sits and waits to do something beneficial simply call it by
wireshark -k -i <( ssh -l root IP-of-probe /usr/bin/tshark -i eth0 -w - port 53 )
and enjoy. The traffic is filtered on the probe, so that you are not knocked down by the vast amount of packages which may travel over your uplink. The captured traffic is transported over a safe, encrypted ssh connection from the probe to the visualization box and you can see in real time whats going on on the uplink.
In my case I did not need to filter out the ssh traffic (as in the example in the Wireshark Wiki), because the sniffing is done on eth0, and the ssh traffic runs over eth1.
There are other methods described in the Wireshark Wiki using named pipes, but this method using ssh looked like the easiest to set up to me.
One little problem I had while doing this, that ending Wireshark did not end tshark on the probe, but a
pkill tsharkon the probe helped, or, if you are not logged in into the probe
ssh root@probe pkill tsharkshould also work.
Regarding our DNS problem I could immidiately see whats going on. ;-)
- Falko's Wireshark Tutorial: http://www.howtoforge.com/network-analysis-with-wireshark-on-ubuntu-9.10
- My ntop probe: http://www.howtoforge.com/trafficanalysis-using-debian-lenny
- Wireshark + tshark: http://www.wireshark.org/
- Wireshark Wiki: http://wiki.wireshark.org/
- libpcap + tcpdump: http://www.tcpdump.org/
- SSH: http://www.openssh.org/
- passwordless SSH: http://www.debian-administration.org/articles/152