Wireshark with remote packet capture

You might have a machine out on a network that you need to do some packet capture and analysis on, but this machine doesn't have a graphical environment to run Wireshark on. You could use ngrep and tcpdump of course, but Wireshark presents the data in a more human-readable form and lets you scroll back and forth, etc.

You could also use tcpdump with a -w to capture some packets to file and then play this file back through Wireshark. There's nothing quite like realtime data though.

Reference: http://wiki.wireshark.org/CaptureSetup/Pipes

  • The machine that you're using to capture packets needs either tcpdump or dumpcap.
  • You need to be able to connect to the packet capturing machine with SSH from the machine on which Wireshark will be running.
  • You need to be able to run tcpdump on the packet capturing machine either
    • Directly as the user you're logging in with (e.g. you login using the root account); or
    • Using sudo but without entering a password

Connecting to a remote machine using SSH without being prompted for a password

There are 2 easy ways to achieve this goal, you can set up a public/private key pair or you can establish a ControlMaster connection to the remote host. With the ControlMaster connection established, additional SSH connections to the same host can be made without re-authentication.

In brief, a ControlMaster connection can be established in the following manner:

  • Open/Create ~/.ssh/config in a text editor
  • Insert the following content:
        ControlMaster      auto
        ControlPath        /tmp/ssh-%u-%r@%h:%p
        ControlPersist     1h

Now, whenever you establish an SSH connection to any host a ControlMaster session will be started, and supplemental connections will re-use this established connection if it is available. If you log out of the ControlMaster session the underlying connection will remain available for reuse for a further 1 hour.

Running tcpdump with sudo without being prompted for a password

  • Open the sudoers file by running sudo visudo
  • Find the Cmnd alias section and create a new alias for tcpdump:
        # Cmnd alias specification
        Cmnd_Alias     TCPDUMP = /usr/sbin/tcpdump
  • At the very end of the file insert a new rule, using one of the following forms:
    • Allow a single user called shaun to execute tcpdump without a password:
        shaun ALL=NOPASSWD: TCPDUMP
    • Allow a group called globaladmins to execute tcpdump without a password:
        %globaladmins ALL=NOPASSWD: TCPDUMP

In essence, we will be running tcpdump on the packet capturing machine and forwarding the data through an SSH connection to Wireshark.

On the machine that has Wireshark installed run the following:

wireshark -k -i <(ssh <username>@<packet capture machine IP or hostname> sudo /usr/sbin/tcpdump -i any -n -U -w - not tcp port 22)

Notes:

  • Leave out the sudo if you are logging in with an account that doesn't need it
  • The part after the lonely “-” is a packet selection expression. This example excludes all tcp port 22 traffic so that the SSH connection we're using to tunnel the packet capture data isn't included in the captured packets (which would otherwise create an infinite loop). Other useful examples:
    • icmp or arp - capture only icmp and arp packets
    • host 172.30.0.1 - capture only packets to or from 172.30.0.1
  • Swap any with the name of a specific interface (e.g. eth0 or brLAN)
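The command and notes above can be wrapped in a small shell script. This is an added example, not part of the original post: the function names, the sudo switch and the SSH port parameter are assumptions, and it uses a FIFO rather than bash process substitution so it runs under plain /bin/sh. It generalises the filter note slightly by excluding whichever port the SSH session actually uses, so the capture does not feed itself when sshd is not on port 22.

```shell
#!/bin/sh
# Added example wrapper for the wireshark <- ssh <- tcpdump pipeline described above.
# Assumed (not from the original page): function names and parameter order.

# Build the tcpdump filter. The SSH session carrying the capture back is always
# excluded, otherwise every captured packet generates more SSH traffic to capture.
capture_filter() {
    user_filter=$1
    ssh_port=${2:-22}
    if [ -n "$user_filter" ]; then
        printf '(%s) and not tcp port %s' "$user_filter" "$ssh_port"
    else
        printf 'not tcp port %s' "$ssh_port"
    fi
}

# Assemble the command run on the capturing machine. use_sudo=1 matches the
# page's example; pass 0 when logging in as root or a user allowed to run tcpdump.
remote_capture_cmd() {
    iface=$1; filter=$2; use_sudo=${3:-1}
    prefix=""
    [ "$use_sudo" = 1 ] && prefix="sudo "
    printf '%s/usr/sbin/tcpdump -i %s -n -U -w - %s' "$prefix" "$iface" "$filter"
}

# Start the remote tcpdump over SSH, feed its output into a FIFO and point
# Wireshark at the FIFO. Usage: remote_capture user@host [iface] [filter] [port] [use_sudo]
remote_capture() {
    host=$1; iface=${2:-any}; filter=$3; ssh_port=${4:-22}; use_sudo=${5:-1}
    fifo=$(mktemp -u /tmp/rcap.XXXXXX) && mkfifo -m 600 "$fifo" || return 1
    filt=$(capture_filter "$filter" "$ssh_port")
    ssh -p "$ssh_port" "$host" "$(remote_capture_cmd "$iface" "$filt" "$use_sudo")" > "$fifo" &
    sshpid=$!
    wireshark -k -i "$fifo"
    # Wireshark closed: stop the remote capture and clean up the FIFO.
    kill "$sshpid" 2>/dev/null
    rm -f "$fifo"
}
```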

The Wireshark GUI will launch while in the background the SSH connection is established. If Wireshark reports an error or you don't seem to be capturing any packets, switch back to your terminal window and make sure there are no errors. You should only have something like the following:

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes