commandlinefu.com is the place to record those command-line gems that you return to again and again.
analyze traffic remotely over ssh w/ wireshark
When using tcpdump, specify the -U option to prevent buffering and -i any to see all interfaces.
This captures traffic on a remote machine with tshark, sends the raw pcap data over the ssh link, and displays it in wireshark. Hitting ctrl+C will stop the capture and unfortunately close your wireshark window. This can be worked-around by passing -c # to tshark to only capture a certain # of packets, or redirecting the data through a named pipe rather than piping directly from ssh to wireshark. I recommend filtering as much as you can in the tshark command to conserve bandwidth. tshark can be replaced with tcpdump thusly:
ssh [email protected] tcpdump -w - 'port !22' | wireshark -k -i -
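The comment above notes two practical problems: Ctrl+C kills wireshark along with the capture, and a named pipe is the workaround. The script below is an added example, not the commandlinefu post's command or the commenter's code: it builds the remote `tcpdump -U -w -` command with a filter that excludes the ssh session itself (otherwise the capture stream is captured again and inflates without bound) and runs the remote capture and the local reader as two processes joined by a fifo, so SIGINT stops only the capture. The function names, the `CAP_FIFO` variable, and `HOST`, `IFACE` and `FILTER` are placeholders chosen here; `-n` (no DNS lookups on the capture host) is also an addition over what the post shows.

```shell
#!/bin/sh
# Added example, not the commandlinefu post's own command: run the remote
# capture and wireshark as two separate processes joined by a named pipe,
# so that Ctrl+C stops the capture but leaves the wireshark window open.
# HOST, IFACE and FILTER are placeholders supplied by the caller.

# Print the remote capture command. -U flushes every packet to the pipe
# instead of buffering, -n skips DNS lookups on the capture host, -w -
# writes pcap to stdout. The default filter excludes the ssh session itself:
# without it, each captured byte travels over ssh, is captured again, and
# the capture feeds on its own traffic.
build_remote_cmd() {
    host=$1
    iface=${2:-any}
    filter=${3:-not tcp port 22}
    # single quotes keep the filter as one argument for the remote shell
    printf "ssh %s tcpdump -U -n -i %s -w - '%s'" "$host" "$iface" "$filter"
}

# Connect PRODUCER (writes pcap to stdout) and CONSUMER (reads the fifo named
# in $CAP_FIFO) through a fresh named pipe. SIGINT kills only the producer;
# the consumer is left to finish with the data it already has.
capture_via_fifo() {
    producer=$1
    consumer=$2
    fifo=$(mktemp -u "${TMPDIR:-/tmp}/remotecap.XXXXXX") || return 1
    mkfifo "$fifo" || return 1
    CAP_FIFO=$fifo sh -c "$consumer" &
    consumer_pid=$!
    # opening the fifo for writing blocks until the consumer opens it for reading
    sh -c "$producer" > "$fifo" &
    producer_pid=$!
    trap 'kill "$producer_pid" 2>/dev/null' INT
    wait "$producer_pid"
    status=$?
    trap - INT
    wait "$consumer_pid"
    rm -f "$fifo"
    return "$status"
}

# Usage: sh remotecap.sh HOST [IFACE] [FILTER]
# e.g.   sh remotecap.sh admin@sensor.example eth0 'not tcp port 22'
if [ "$#" -ge 1 ]; then
    capture_via_fifo "$(build_remote_cmd "$1" "$2" "$3")" 'wireshark -k -i "$CAP_FIFO"'
fi
```

Because wireshark reads the fifo path rather than stdin, the consumer command refers to `$CAP_FIFO` instead of `-`; any other pcap reader (`tshark -r "$CAP_FIFO"`, `cat "$CAP_FIFO" > capture.pcap`) can be substituted without touching the capture side.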
When using tcpdump, specify -U option to prevent buffering.
Then hit ^C to stop, get the file by scp, and you can now use wireshark like this:
If you have tshark on remote host, you could use that:
wireshark -k -i <(ssh -l root <REMOTE HOST> tshark -w - not tcp port 22)
The last snippet comes from http://wiki.wireshark.org/CaptureSetup/Pipes
Please check out my blog article on this for more detail. http://jdubb.net/blog/2009/08/07/monitor-wireshark-capture-real-time-on-remote-host-via-ssh/
commandline for mac os x