Niels Horn's Blog

Random thoughts, tips & tricks about Slackware-Linux, Lego and Star Wars

Using wireshark with remote capturing

Wireshark is a very nice network protocol analyzer / sniffer, that is very complete and totally free and open source. It is the standard for examining network packets, used by many professionals and home users. I’ve been using wireshark since the days when it was still called Ethereal, some years ago.

The last few days I was struggling with the following situation:

  • I wanted to examine some packets passing through my firewall
  • my firewall is a “headless” (this means without a monitor, accessible only via ssh) Slackware server
  • it has no X installed (and therefore no window manager etc.), so it won’t run wireshark

Now wireshark can read packets captured by tcpdump and written to a file, so that’s what I did at first:

  • capture with tcpdump
  • write the packets to a file on a network share
  • open the file with wireshark

The problem is that I wanted to examine the packets “on-line”, as they pass through the firewall.
Linux has a solution (inherited from Unix) for this, called “pipes”. A pipe is a special kind of file that one program writes to while another reads from it, receiving the contents in the same order they were written.
In other words: the packet that went into the pipe first will come out first at the other side of the pipe. Imagine it as a “virtual tube”.

It was a bit of a struggle to get all the parameters right, but in the end, I got it working like this (note: all commands are entered in a terminal session on the desktop):

  1. Create the pipe:
     niels@desktop:~$ mkfifo /tmp/pipes/cap_fw
     “/tmp/pipes/” is where I create my pipes, feel free to use whatever directory you prefer.
     “cap_fw” is the name of the pipe I selected.

  2. Start tcpdump remotely with ssh from the desktop where you have wireshark installed:
     niels@desktop:~$ ssh root@<firewall> "tcpdump -s 0 -U -n -w - -i eth1 not port 22" > /tmp/pipes/cap_fw
     Replace <firewall> with the name or IP address of your remote server.

     The options I used are:
     -s 0 : capture whole packets instead of truncating them to the default snapshot length
     -U : packet-buffered output – write each packet to the pipe as soon as it is captured (as opposed to waiting for the output buffer to fill)
     -n : no address-to-name conversion (you can let wireshark do this if you want)
     -w - : write the capture to standard output
     -i eth1 : capture from interface eth1 – change this to match your setup
     not port 22 : leave out any packets from / to port 22. This is needed because we use ssh to connect to our firewall, so that we don’t capture the captured packets again… If you need to examine port 22 on your server, run ssh over an alternative port (and leave that port out of the filter instead).
     > /tmp/pipes/cap_fw : redirect the output to our pipe.

  3. While tcpdump is capturing packets and sending them to the pipe, open another terminal, start wireshark and use the pipe as the input:
     niels@desktop:~$ wireshark -k -i /tmp/pipes/cap_fw
     Here the options mean:
     -k : start capturing immediately
     -i /tmp/pipes/cap_fw : use our pipe as the “interface”

And you’re up and running!
You can use all the normal functions of wireshark, like filtering, etc., as if you were capturing from a local interface.
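The three steps above wrapped into one bash script, as an added example that is not part of the original post. It assumes ssh and tcpdump on the remote host and wireshark on the desktop; the pipe goes into a private temporary directory instead of /tmp/pipes, and whichever port ssh uses is the one left out of the capture filter.

```bash
#!/bin/bash
# Added example (not from the original post): the mkfifo / ssh+tcpdump /
# wireshark procedure as one script. Assumes bash, ssh, tcpdump on the
# remote host and wireshark locally.

# Build the remote tcpdump command. The ssh port is excluded so the session
# carrying the capture back to us is not captured again (feedback loop).
build_tcpdump_cmd() {
    local iface="$1" ssh_port="$2" extra_filter="${3:-}"
    local filter="not port ${ssh_port}"
    [ -n "$extra_filter" ] && filter="${filter} and (${extra_filter})"
    printf 'tcpdump -s 0 -U -n -w - -i %s %s' "$iface" "$filter"
}

# Create the pipe in a fresh private directory (mktemp -d gives mode 0700)
# so other local users cannot open the FIFO and read the packet stream.
make_private_pipe() {
    local dir
    dir="$(mktemp -d "${TMPDIR:-/tmp}/pipes.XXXXXX")" || return 1
    mkfifo -m 0600 "${dir}/cap_fw" || return 1
    printf '%s\n' "${dir}/cap_fw"
}

# Run the capture. Opening a FIFO for writing blocks until a reader opens it,
# so a foreground "ssh ... > pipe" appears to hang (and never shows a
# password prompt) until wireshark starts. Run ssh in the background with
# key-based auth (BatchMode never prompts), then start wireshark.
run_remote_capture() {
    local host="$1" iface="${2:-eth1}" ssh_port="${3:-22}" extra="${4:-}"
    local pipe cmd ssh_pid
    pipe="$(make_private_pipe)" || return 1
    cmd="$(build_tcpdump_cmd "$iface" "$ssh_port" "$extra")"
    # root@ as in the original post; tcpdump needs capture privileges
    ssh -o BatchMode=yes -p "$ssh_port" "root@${host}" "$cmd" > "$pipe" &
    ssh_pid=$!
    wireshark -k -i "$pipe"
    # wireshark closed: stop the ssh session (and with it tcpdump), clean up
    kill "$ssh_pid" 2>/dev/null
    rm -f "$pipe" && rmdir "$(dirname "$pipe")"
}

# Usage: ./remote_capture.sh <firewall> [iface] [ssh_port] ['extra filter']
if [ "$#" -gt 0 ]; then
    run_remote_capture "$@"
fi
```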

By special request from BP{k}, here is a diagram of the setup showing how ssh gets the data from the server, captured by tcpdump and sends it through the pipe to wireshark (with a little help from LeoCAD, l3p and POV-Ray):

[image: remote_wireshark]

I might write a nice bash script to make things simpler now that I figured it all out.
If it is good enough in the end, I’ll publish it here on my blog.


This entry was posted on Saturday, February 6th, 2010 at 16:20 and is filed under Monitoring, Slackware, networking. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

14 Responses to “Using wireshark with remote capturing”

  1. Bish Says:

    I’m not sure I get it. They don’t have tshark where you live? That text tool is in the regular wireshark distro, from what I can see. Just run it on the headless server, like you’d do with tcpdump, and watch the awesome come out. It makes your workaround potentially unnecessary.

  2. Niels Horn Says:

    Maybe where you live (Canada?) you don’t know about the rest of the world, but where I live we do have tshark, as we download the same tarballs. But many people prefer the GUI of Wireshark because they’re used to it, or because they find it nicer to look at.
    If you prefer tshark, please continue using it. For all those who prefer a graphical interface, my “workaround” is necessary.

  3. AKS Says:

    ###### (moderated to remove foul language) Niels… U r really rude!!

  4. Niels Horn Says:

    I call it being direct. And I have no need for indecent language on my blog.
    Feel free to post constructive comments, feel free to stay away if you don’t agree

  5. Jay Says:

    Thanks! This is so useful – I was fed up capturing limited sets of data to import into wireshark so I could use the voip tools, and now I don’t have to :-)

  6. Niels Horn Says:

    Jay,

    Thanks for your feedback. Glad that this was helpful for you!

    Niels

  7. UTL Says:

    I tried to run it on my openwrt box, from ubuntu 10.10, but when I execute the command
    ssh root@192.168.1.1 -p 443 "tcpdump -i eth0 -s 0 -U -w - not port 443" > /tmp/pipes/cap_fw
    nothing happens (it should ask me the pw I suppose, but it doesn’t), it acts like if I didn’t press Return…
    the dropbear daemon is running on port 443 with pw login (no certificate)

  8. Tom Says:

    I had some devices that had tcpdump and no easy means for loading additional software, this was an excellent solution for monitoring their communications. Thanks.

  9. Niels Horn Says:

    Glad I could be of help!

  10. Niels Horn Says:

    Did you try another port? Any firewall between the two boxes?

    Niels

  11. UTL Says:

    It was only a problem of not using certificates with ssh, now it works correctly.
    Thanks!

  12. logiciel gratuit Says:

    Nice tips.
    I prefer to write the wireshark result in a file and scp it @desktop and then parse it through wireshark.

    And amazing gfx! Did you use any special soft for that?

  13. Brian Says:

    Niel – I found your website, and it gave me the building blocks that I needed. I found a way to do something extremely similar inside of winXP. I’m not sure if any of your readers may find it useful or not.

    Basically what I did was use an extension of PuTTY called plink and pipe the result to a windows version of Wireshark -

    "C:\Program Files\PuTTY\plink.exe" -ssh -pw "enter user passwd here" @ tcpdump -w - -s 0 -i eth0 not port 22 | "C:\Program Files\Wireshark\wireshark.exe" -k -i -

    It’s a little more convoluted, but the results were that I was able to gather my wireshark captures from a remote linux host on my WinXP machine here @ work.

  14. Niels Horn Says:

    Brian,

    Thanks for this info! This is probably very useful for Windows users!

    Niels
