Wireshark: remotely analyze tcpdump using SSH
I recently saw a blog post (don’t remember the link :-() on something I used several times but never made an article on. So this time, I’m making a blog post on it as this is solution is very useful.
I’m pretty sure you already had to tcpdump on a remote server to investigate. When you have a lot of traffic, it can start to be painful to add a lot filter, having no colors, reading tcpdump row format etc… And most of the time Wireshark can help on having a better visibility on what happens.
In that case, if you want to analyze with Wireshark, you have about 4 options:
- Having a graphical user interface on the server: forget about it
- Having a X server running with Wireshark on the server, then forward X: you can forget it as well
- Forward tcpdump output to a file, transfer it locally and analyze it with Wireshark: better but not enough friendly in my opinion
- Stream through SSH the tcpdump output and analyze it locally with Wireshark: better now :-)
For this last case, it can seems complicated but not at all. Locally create a fifo file:
Then connect to your remote server through SSH and run tcpdump (here is a basic example, but adapt it with your filters):
ssh [email protected] "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/wshark
Then launch Wireshark locally pointing to the fifo file:
wireshark -k -i /tmp/wshark
Here you have the output in realtime of your server through Wireshark :-)
Hope this will help