How to: Capture packets remotely with Wireshark and tcpdump over ssh

created by BasicSysAdmin

Tags: Wireshark, Linux, tcpdump, Ubuntu

Feb 14, 2017


This guide will go over the process of capturing packets with wireshark remotely over ssh using tshark. To use this, you will be required to enable public key authentication to login via SSH and also have root access on the remote machine.

In order to follow this tutorial, you will need the following

  • Root Permissions on Remote Machine

  • Setup Public Key Authentication on Remote Machine for Root User

  • Wireshark

  • Update Package list

    Before installing any new packages, it is always good idea to update your package list. On a debian based machine using apt-get, you can do this by typing:
    sudo apt-get update

    For any machine using Yum
    sudo yum update

    Install TCPDump on Remote Machine

    The first thing you will need to do is to install TCPDump on the remote machine. On any debian based machine, you can install this using
    sudo apt-get install tcpdump

    On any other machine using yum as its package manager
    yum install tcpdump

    OPTIONAL-Capturing packets using TCPDump

    The next step is optional but will show you how to capture packets on the machine using tcpdump. The basic way of doing this is to type in the following command - Make sure to replace INTERFACE with the interface you would like to listen on. If you dont care, replace it with 'any'
    tcpdump -i INTERFACE

    This should then start capturing packets on the requested interface. If you would like to safe all packets the machine receives to a file, you can do so using this command.
    tcpdump -i any -w file.pcap

    For more detailed usage instructions, please checkout the manpage

    Capturing packets Remotely

    This command works by running tcpdump over ssh and having the output written into wireshark directly. You can then use wireshark as you normally would to analyse the packets or save them.
    ssh root@ -i /path/to/privatekey tcpdump -i INTERFACE -U -s0 -w - 'not port 22' | wireshark -k -i -

    Using this command, you will need to make sure to update the ip address to that of the remote system along with the path to the private key. You should also change INTERFACE as mentioned in the section above. Also, the command will ignore all packets sent on port 22 (default for ssh). You may want to change this port or remove it all together.
    Bash Script

    I have written a bash script to automate this so you can run the file and supply the interface. The code for this is here although you can find the most up to date version on GitHub:
    if [[ -z $1 ]]; then
    echo "No interface supplied, using any instead"
    echo "Using $IFACE"

    ssh root@ -i /path/to/privatekey tcpdump -i $IFACE -U -s0 -w - 'not port 22' | wireshark -k -i -

    If you write this file yourself, make sure to make it executable.
    chmod +x remotePCAP.sh

    Alternatively, you can clone this directly from GitHub using this command:
    git clone https://github.com/wilson18/Remote-Packet-Capture-with-Wirehsark.git

    You can then execute this with the following from within its directory:
    ./remotePCAP.sh INTERFACE

    If you dont supply the interface, it will listen on all..