Tomorrows Technology Today

Stream Remote Linux tcpdump to Windows Wireshark

Overview

Let's say you want to look at a live tcpdump from a remote headless server in Wireshark on your Windows PC. You could run a capture, copy the file back to your PC and then open it, but that takes time and you might miss what you are trying to capture. Instead, what if you could stream the tcpdump output from the remote Linux server directly to your PC? You can! But it is not always easy.

Before we begin, make sure that you can access the remote host using public/private keys instead of a password, and that tcpdump can be executed on the remote host by your user. You could use root, but in general it is best not to allow root ssh access.

So first, log in to the remote Linux server and give your user the necessary permissions to run tcpdump using setcap:

ssh myuser@mylinuxserver
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

Then test that your user can run tcpdump without sudo or root:

myuser@mylinuxserver:$ tcpdump -i any not port 22

Stream remote tcpdump to your windows desktop

The following syntax works in the Windows 10 command prompt (cmd.exe), not PowerShell:

ssh myuser@mylinuxserver tcpdump -U -s0 'not port 22' -i enp0s25 -w - | "C:\Program Files\Wireshark\Wireshark.exe" -i - -k

Be careful with those dashes and flags! The 'not port 22' filter matters: the capture is streamed over ssh on port 22, so without it the capture would include its own traffic and feed back on itself.
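As an added example (not code from the original post), here is the same pipeline wrapped in bash for a Linux, macOS or WSL/Git Bash client. It assumes an OpenSSH client and a Wireshark binary on PATH (override with WIRESHARK), key-based login on the remote host, and that the remote tcpdump lives at /usr/sbin/tcpdump; host and interface names are placeholders. It checks the capabilities from the setcap step before streaming and forces the ssh port out of the capture filter.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Assumes OpenSSH client and
# Wireshark on PATH; host/interface names below are placeholders.

# Does a getcap line grant tcpdump the capabilities it needs without root?
# Accepts both libcap output styles:
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip     (libcap >= 2.41)
has_capture_caps() {
  local line="$1" flags='[+=][a-z]*e'   # an 'e' (effective) flag must be set
  [[ $line == *cap_net_raw* && $line == *cap_net_admin* && $line =~ $flags ]]
}

# Ensure the capture filter excludes the ssh port carrying the stream.
# Without this, every packet of the capture stream is itself captured and the
# capture feeds back on itself until the link saturates.
safe_filter() {
  local filter="$1" port="${2:-22}"
  local re="(^|[^0-9])port[[:space:]]+$port($|[^0-9])"
  if [[ -z $filter ]]; then
    printf 'not port %s' "$port"
  elif [[ $filter =~ $re ]]; then
    printf '%s' "$filter"
  else
    printf '(%s) and not port %s' "$filter" "$port"
  fi
}

# The command the remote shell will run. -U: packet-buffered writes so
# Wireshark sees packets immediately; -s0: full snaplen; -w -: pcap to stdout.
# The filter stays single-quoted so the remote shell does not split it.
remote_capture_cmd() {
  local iface="$1" filter="$2" port="${3:-22}"
  printf "tcpdump -U -s0 -i %s -w - '%s'" "$iface" "$(safe_filter "$filter" "$port")"
}

# Verify capabilities over ssh, then stream into Wireshark (-k starts the
# capture immediately on interface "-", i.e. standard input).
stream_to_wireshark() {
  local host="$1" iface="$2" filter="${3:-}" port="${4:-22}" caps
  caps=$(ssh -p "$port" "$host" getcap /usr/sbin/tcpdump) || return 1
  if ! has_capture_caps "$caps"; then
    echo "tcpdump on $host lacks cap_net_raw/cap_net_admin; run setcap first" >&2
    return 1
  fi
  ssh -p "$port" "$host" "$(remote_capture_cmd "$iface" "$filter" "$port")" \
    | "${WIRESHARK:-wireshark}" -k -i -
}

# Stand-alone use: ./stream.sh myuser@mylinuxserver enp0s25 'tcp port 443'
if [ $# -ge 2 ]; then stream_to_wireshark "$@"; fi
```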

Errors you might encounter

tcpdump: any: You don't have permission to capture on that device

This means the remote user does not have permission to run tcpdump; re-check the setcap step.

"End of file on pipe magic during open."

This means something is wrong in the syntax of the piped commands, so Wireshark received no valid pcap header on stdin.
