Wireshark: remotely analyze tcpdump using SSH


I recently saw a blog post (I don't remember the link :-() on something I have used several times but never written an article about. So I'm making a blog post on it now, as this solution is very useful.

I'm pretty sure you have already had to run tcpdump on a remote server to investigate something. When there is a lot of traffic, it quickly becomes painful: stacking up filters, no colours, reading tcpdump's raw output, etc. Most of the time Wireshark gives much better visibility into what is happening.

In that case, if you want to analyze the traffic with Wireshark, you have about 4 options:

  • Install a graphical user interface on the server: forget about it
  • Run an X server with Wireshark on the server and forward X over SSH: forget that as well (slow, and it puts Wireshark and its dissectors on the production host)
  • Write the tcpdump output to a file, transfer it locally and analyze it with Wireshark: better, but not friendly enough in my opinion (no real-time view)
  • Stream the tcpdump output through SSH and analyze it locally with Wireshark in real time: much better 🙂

This last option may seem complicated, but it is not. First, locally create a FIFO (named pipe):

Then connect to your remote server through SSH and run tcpdump, writing its pcap output to stdout so that it flows through the SSH session into the FIFO (here is a basic example, but adapt it with your own filters; remember to exclude your own SSH session from the capture filter, otherwise the capture traffic is captured in turn):

Then launch Wireshark locally, pointing it at the FIFO as its capture interface:

You now have your server's traffic in real time in Wireshark 🙂
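The whole procedure above (FIFO, remote tcpdump over SSH, local Wireshark) as one script. This is an added example and not the post's own commands; the host name, interface, FIFO path and SSH port are placeholders. It also handles the two things that bite in practice: the SSH session carrying the capture is excluded from the filter so the capture does not feed back on itself, and tcpdump is run with `-U` so each packet is flushed to Wireshark immediately instead of sitting in a buffer.

```bash
#!/usr/bin/env bash
# Stream a remote tcpdump into a local Wireshark through a named pipe.
# Added example, not the original post's commands. The host
# (capture.example.com), the interface (eth0) and the FIFO path are
# placeholders; adjust them to your environment.
set -eu

FIFO="${FIFO:-/tmp/remote-capture.fifo}"

# Create the local FIFO once; refuse to proceed if the path exists but
# is a regular file (Wireshark would then read a stale capture, not a stream).
ensure_fifo() {
  local path="$1"
  if [ -e "$path" ] && [ ! -p "$path" ]; then
    echo "error: $path exists and is not a FIFO" >&2
    return 1
  fi
  [ -p "$path" ] || mkfifo -m 600 "$path"
}

# Build the capture filter. The SSH session that carries the capture must be
# excluded, otherwise every captured packet generates SSH traffic, which is
# captured in turn, and the capture feeds back on itself.
combine_filter() {
  local ssh_port="$1" user_filter="$2"
  if [ -z "$user_filter" ]; then
    printf 'not port %s' "$ssh_port"
  else
    printf 'not port %s and (%s)' "$ssh_port" "$user_filter"
  fi
}

# Build the tcpdump command line executed on the remote host:
#  -U   flush after every packet so Wireshark shows it immediately
#  -s 0 capture whole packets
#  -w - write binary pcap to stdout, which SSH forwards to the FIFO
# The filter is single-quoted so that parentheses survive the remote shell
# (filters containing a single quote are not supported by this helper).
build_remote_cmd() {
  local iface="$1" filter="$2"
  printf "tcpdump -i %s -U -s 0 -w - '%s'" "$iface" "$filter"
}

# Start the remote capture in the background and attach Wireshark to the FIFO.
# The remote user needs permission to capture (root or CAP_NET_RAW).
start_capture() {
  local host="$1" iface="$2" user_filter="${3:-}" ssh_port="${4:-22}"
  ensure_fifo "$FIFO"
  local filter
  filter="$(combine_filter "$ssh_port" "$user_filter")"
  # -n: detach ssh from our stdin since it runs in the background.
  ssh -n -p "$ssh_port" "$host" "$(build_remote_cmd "$iface" "$filter")" > "$FIFO" &
  local ssh_pid=$!
  # When Wireshark exits, stop the remote tcpdump by closing the SSH session.
  trap "kill $ssh_pid 2>/dev/null || true" EXIT
  # -k: start capturing immediately; -i: use the FIFO as the "interface".
  wireshark -k -i "$FIFO"
}

# Usage: ./remote-capture.sh capture.example.com eth0 'host 10.0.0.5' [ssh_port]
if [ "$#" -ge 2 ]; then
  start_capture "$@"
fi
```

The writer side of a FIFO blocks until a reader opens it, so starting ssh in the background before Wireshark is the right order; once Wireshark closes the pipe, the remote tcpdump gets SIGPIPE and the EXIT trap cleans up the SSH session.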

Hope this helps.

Author: Deimos

I'm a passionate DevOps engineer. I love passing on my skills, and I love working on high-availability infrastructures and technologies.

2 Comments

  1. It was maniatux
    http://maniatux.fr/index.php?article530/mon-serveur-home-attaque

    but you probably saw it on planet-libre.org
