Sudo wireshark -s 0 -k -i /home/jsmith/localpcappipe The buffer tuning helps make things much more stable and reliable. Plus, this can be somewhat of a brittle process and socat can end up crashing easily. The buffer tuning was important to making it as live as possible as well as more stable.
It reads from that and writes it to the named pipe file in your home directory. This tells socat to ssh into the remote host and cat the named pipe (sending the data to STDOUT). PIPE:/home/jsmith/localpcappipe,wronly=1,noatime Next, on your local desktop, run socat like so:ĮXEC:"stdbuf -i0 -o0 -e0 ssh -x -C -t srv1 cat /tmp/fifo/pcappipe",pty,raw \ You can alter this of course, but if you don't specifically exclude your ssh traffic, tcpdump is going to pick up all of the traffic from you being logged in as well as the part where we remotely read from the named pipe which takes place over ssh. sudo tcpdump -i eth0 -s 0 -U -w /tmp/fifo/pcappipe not port 22Īlso notice the pcap filter 'not port 22'.Kick off tcpdump, writing to that pipe.Create a temp dir for your named pipe file.Here's the steps using the example username jsmith, example remote host name srv1, and example network interface name eth0. Then, we take advantage of Wireshark's ability to read right from a named pipe and read that local named file. In short, we can use socat as the middleman to read from a remote named pipe to a local named pipe.
One of its supported i/o types is named pipes. The socat utility is a swiss army knife of basically all possible types if input/ouput. So how can you achieve the holy grail and use Wireshark locally on your desktop to watch live traffic on a remote host? It's definitely handy that pcap is so portable that this is possible, but this method lacks the ability to watch network traffic in real-time.
One workaround used by a lot of people is to capture some network output with tcpdump writing to a file, then fetch that capture file to your desktop and open it up in Wireshark. Or, you may not even be able to install Wireshark on the remote host for any number of reasons. For many reasons, this may not work well. Running it on a remote host means you'll have to install it and all supporting dependencies and libraries on the remote host and then ssh X tunneling it back to your desktop.
The problem is that Wireshark is a graphical interface. There are other console based tools like tshark, but few of them are as useful and as user-friendly as Wireshark which can render and parse network packets in an extremely readable and comprehensive fashion. Even after you develop some skill with pcap-filter syntax, wielding tcpdump is clunky and it usually looks like you're trying to view The Matrix encoded. In a large environment, troubleshooting problems with network packet traces usually means you're logged into a remote host running tcpdump.
0 kommentar(er)
