Stream Remote Linux tcpdump to Windows Wireshark
Overview
Let's say you want to watch a live tcpdump from a remote headless server in Wireshark on your Windows PC. You could run a capture, copy the file back to your PC and then open it, but that takes time and you might miss what you are trying to capture. Instead, what if you could stream the tcpdump from the remote Linux server directly to your PC? You can! But it is not always easy.
Pre-requisites
Before we begin, make sure that you can access your remote host using public/private keys instead of a password, and that tcpdump can be executed on the remote host by your user. You could use root, but in general it is best not to allow root SSH access.
So first log in to the remote Linux server and, using setcap, grant the tcpdump binary the capabilities your user needs to run it without root:
ssh myuser@mylinuxserver
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
Then check that your user can run tcpdump without sudo or root:
myuser@mylinuxserver:$ tcpdump -i any not port 22
Stream remote tcpdump to your windows desktop
The following syntax works in the Windows 10 Command Prompt (cmd.exe), not PowerShell:
ssh myuser@mylinuxserver tcpdump -U -s0 'not port 22' -i enp0s25 -w - | "C:\Program Files\Wireshark\Wireshark.exe" -i - -k
Be careful with those dashes and flags!
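As an added pre-flight script (not part of the original post), the following runs on the remote Linux host as the capture user: it checks that the setcap step actually took effect and prints a safely quoted tcpdump command for the ssh pipeline. It assumes tcpdump lives at /usr/sbin/tcpdump and that getcap (libcap tools) is installed.

```shell
#!/bin/sh
# Pre-flight for the remote tcpdump -> Wireshark stream. Assumptions (not from
# the original post): tcpdump is at /usr/sbin/tcpdump, getcap is installed.
TCPDUMP_BIN="${TCPDUMP_BIN:-/usr/sbin/tcpdump}"

# caps_ok LINE: succeed when a getcap output line grants both cap_net_raw and
# cap_net_admin with the effective (e) and permitted (p) bits, in either the
# new ("...=eip") or the old ("... = ...+eip") libcap output format.
caps_ok() {
    line="$1"
    case "$line" in *cap_net_raw*) ;; *) return 1 ;; esac
    case "$line" in *cap_net_admin*) ;; *) return 1 ;; esac
    flags="${line##*[=+]}"          # text after the last '=' or '+'
    case "$flags" in *e*) ;; *) return 1 ;; esac
    case "$flags" in *p*) return 0 ;; esac
    return 1
}

# build_remote_cmd IFACE FILTER: print the tcpdump command handed to ssh.
# The remote shell re-parses this string, so the interface name is limited to
# safe characters and the filter is single-quoted (quotes inside it rejected).
build_remote_cmd() {
    iface="$1"; filter="$2"
    case "$iface" in
        ""|*[!A-Za-z0-9_.:-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    case "$filter" in
        *"'"*) echo "filter must not contain single quotes" >&2; return 1 ;;
    esac
    printf "tcpdump -U -s0 -i %s -w - '%s'\n" "$iface" "$filter"
}

# preflight: verify the setcap step took effect on this host.
preflight() {
    if ! command -v getcap >/dev/null 2>&1; then
        echo "getcap not found; install the libcap tools" >&2; return 2
    fi
    if caps_ok "$(getcap "$TCPDUMP_BIN" 2>/dev/null)"; then
        echo "capabilities OK on $TCPDUMP_BIN"; return 0
    fi
    echo "$TCPDUMP_BIN lacks cap_net_raw/cap_net_admin; run the setcap step first" >&2
    return 1
}

# Usage: ./preflight.sh enp0s25 'not port 22'   (no arguments: define only)
if [ "$#" -gt 0 ]; then
    preflight && build_remote_cmd "$1" "${2:-not port 22}"
fi
```

Paste the printed command after `ssh myuser@mylinuxserver` on the Windows side, keeping the `| "C:\Program Files\Wireshark\Wireshark.exe" -i - -k` part unchanged.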
Errors you might encounter
tcpdump: any: You don't have permission to capture on that device
This means the remote user does not have permission to use tcpdump (see the setcap step above).
"End of file on pipe magic during open."
Something is wrong in the syntax of the piped commands.