Tcpdump over ssh and wireshark

tcpdump over ssh wireshark

This is a command to run remotely Tcpdump over Ssh and visualize the capture on Wireshark in your desktop.

Tcpdump and Wireshark are two of the most powerful and complete packet analyzers out there. The first one is a command line tool while the second one boasts a simple and intuitive visual interface.

Normally we do not have a graphical environment installed on our servers, so using Wireshark in this case would not be possible.

I’m going to show you how you can run tcpdump on a remote server over a secure connection (ssh). Then We will pass the capture to wireshark in our linux desktop. This way we wil be able to graphically view and filter the data from this capture. To do this, you only have to execute the following command:

ssh root@192.168.5.10 tcpdump -i any -U -s0 -w - 'not port 22' | wireshark -k -i -

Where 192.168.5.10 is the ip of our remote server.

With this command, what happens is that the output of the tcpdump command executed remotely through ssh is passed to the wireshark program executed locally using a pipe, so we can see the capture graphically in a very comfortable way.

As you can see, I have filtered port 22 in the remote tcpdump command to avoid passing those packets in the capture. You can do this filtering in wireshark as a display filter instead of in the tcpdump command. This is done in the example to show the possibility of doing it on one side or the other. Doing it in the tcpdump side, you can avoid some unnecesary packets to be passed trough the connection.

For more information about the filters that we can apply in wireshark, we can go to its documentation.

2 thoughts on “Tcpdump over ssh and wireshark”

  1. your command has two mistakes. “no port 22” should be “not port 22” and “wirehark” should be “wireshark”

Leave a Reply

Your email address will not be published.