+------------------+                        +----------------------+
| Local host       |    tcpdump over ssh    | Remote Host          |
|                  |<-----------------------|                      |\ eth0
| +--------------+ |                        |                      |/
| | Wireshark    | |                        | tcpdump -i eth0...   |
| |              | |                        +----------------------+
| |              | |
| +--------------+ |
|                  |
+------------------+
- Allow the remote user to run tcpdump via sudo without entering a password. Run
  sudo visudo
  on the remote host and add a rule such as:
  username ALL = (ALL) NOPASSWD: /usr/sbin/tcpdump
  Use the path that "which tcpdump" reports on the remote host (it is /usr/bin/tcpdump on some distributions); sudo matches the rule against the resolved path of the command, so a wrong path means a password prompt and a capture that silently stays empty. Note that this rule is effectively a root grant: tcpdump can write files anywhere as root (-w) and run a post-rotate command (-z), so give it only to the account that does the captures. On Linux, file capabilities on the tcpdump binary (cap_net_raw and cap_net_admin) are the narrower alternative, at the cost of changing the command below to run tcpdump without sudo.
- Generate a new keypair on the local host:
  ssh-keygen -t rsa
  (ssh-keygen -t ed25519 is the current recommendation where the remote sshd supports it; if you use it, adjust the file name in the next step.)
- Copy the public key to the remote host so that login no longer asks for a password:
  ssh-copy-id -i ~/.ssh/id_rsa.pub user_name@remote_host_ip
- Run tcpdump over ssh on the remote machine and feed the packets to Wireshark through a named pipe (the <( ... ) process substitution is a bash/zsh feature; -k tells Wireshark to start capturing immediately):
  wireshark -k -i <( ssh user_name@remote_host_ip sudo tcpdump -s 0 -U -n -w - -i eth0 port 53 )
The following tcpdump command captures all DNS (port 53) traffic on the eth0 interface and writes it in pcap format to standard output:
tcpdump -s 0 -U -n -w - -i eth0 port 53
- -s 0: Sets the snapshot length to the maximum, so full packets are captured rather than a truncated head. On tcpdump 4.0 and later this is already the default, so it only matters on older versions.
- -U: Flushes the output after every packet (packet-buffered), so the reader sees packets as they arrive instead of whenever the stdio buffer happens to fill.
- -n: Disables conversion of addresses and ports to names, so the capture itself does not trigger DNS lookups that would show up in a port 53 capture.
- -w -: Writes the raw pcap output to standard output (stdout) instead of to a file.
- -i eth0: Specifies the network interface to capture traffic from.
- port 53: Filters the capture to only include traffic to or from port 53 (DNS).
Because the output is a pcap stream, it can be piped straight into another tool (Wireshark, tshark) or saved to a file, and tee does both at once. The stream is binary, so the copy tee passes on has to go to a tool as well, not to the terminal (tshark reads a pcap stream on stdin with -i -, not -r -):
tcpdump -s 0 -U -n -w - -i eth0 port 53 | tee dns_capture.pcap | tshark -i -
⚠️ Ensure you have appropriate permissions (e.g., run with sudo) to capture packets on the specified interface.
Another example, this time logging in as root directly and capturing everything except the ssh session that carries the capture itself. Without that exclusion every packet delivered to Wireshark is sent over ssh, captured again, sent again, and so on (a self-feeding loop); the port 53 filter above avoids it only because it never matches the ssh traffic. Replace YOUR_HOST_WIRESHARK with the address of the local host:
ssh root@host "tcpdump -U -w - 'not (host YOUR_HOST_WIRESHARK and tcp port 22)'" | wireshark -k -i -
- Test by running
  ping google.com
  on the remote machine: the DNS query and its response appear in Wireshark on the local host.
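The steps above wrapped into one script, as an added example that is not part of the original notes. It assumes bash on the local host, key-based login plus the NOPASSWD sudo rule for tcpdump on the remote host, and that the remote sshd exports SSH_CONNECTION (client ip, client port, server ip, server port), as OpenSSH does. The self-exclusion filter of the second example is derived from that variable on the remote side instead of being typed in by hand; the user-supplied BPF filter is rejected if it contains shell metacharacters, because it is interpolated into a remote command line; and a preflight captures a single packet and checks that what came back starts with a pcap or pcapng magic number before Wireshark is launched, since a sudo password prompt or a "permission denied" from tcpdump would otherwise just look like an empty capture. The function names build_remote_cmd, pcap_magic_ok, preflight and remote_capture are chosen here.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: the tcpdump-over-ssh procedure
# above as one script. Assumes bash locally, key-based login plus the NOPASSWD
# sudo rule for tcpdump on the remote host, and that the remote sshd exports
# SSH_CONNECTION ("client_ip client_port server_ip server_port"), as OpenSSH does.
set -eu

# Compose the command line that runs on the remote host. The capture stream
# travels over the ssh session itself, so that session must be excluded from
# the capture or every packet delivered to Wireshark is captured again (a
# self-feeding loop). The client address and port come from SSH_CONNECTION on
# the remote side, so nothing is hardcoded. The optional user filter is appended
# with "and"; because it is interpolated into a remote shell command line, it is
# rejected if it contains characters the remote shell would interpret.
build_remote_cmd() {
    local iface=$1 user_filter=${2:-} filter
    case "$iface" in
        ''|*[!A-Za-z0-9_.:-]*)
            printf 'bad interface name: %s\n' "$iface" >&2; return 1 ;;
    esac
    case "$user_filter" in
        *'"'*|*'$'*|*'`'*|*'\'*)
            printf 'refusing filter with shell metacharacters: %s\n' "$user_filter" >&2; return 1 ;;
    esac
    # $1 and $2 are expanded by the REMOTE shell after "set -- $SSH_CONNECTION".
    filter='not (host $1 and tcp port $2)'
    if [ -n "$user_filter" ]; then
        filter="$filter and ($user_filter)"
    fi
    printf 'set -- $SSH_CONNECTION; exec sudo -n tcpdump -s 0 -U -n -w - -i %s "%s"' \
        "$iface" "$filter"
}

# True if the file starts with a pcap or pcapng magic number (pcap: little- and
# big-endian, microsecond and nanosecond variants; pcapng: section header block
# type 0a0d0d0a). An empty file or an error message fails the check.
pcap_magic_ok() {
    local magic
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Check the whole chain (key auth, sudo rule, interface, output format) by
# capturing a single packet before Wireshark is started. BatchMode makes ssh
# fail instead of prompting for a password; sudo -n does the same for sudo.
# tcpdump's own messages go to stderr, kept apart from the pcap stream so they
# do not corrupt the magic check. Note that -c 1 blocks until a packet arrives.
preflight() {
    local target=$1 iface=$2 out err
    out=$(mktemp); err=$(mktemp)
    ssh -o BatchMode=yes "$target" "sudo -n tcpdump -c 1 -s 0 -w - -i $iface" \
        > "$out" 2> "$err" || true
    if pcap_magic_ok "$out"; then
        rm -f "$out" "$err"
        return 0
    fi
    printf 'preflight failed; remote stderr was:\n' >&2
    cat "$err" >&2
    rm -f "$out" "$err"
    return 1
}

# Usage: remote_capture user@host iface [bpf filter] [save path]
remote_capture() {
    local target=$1 iface=$2 user_filter=${3:-} save=${4:-} cmd
    cmd=$(build_remote_cmd "$iface" "$user_filter")
    preflight "$target" "$iface"
    if [ -n "$save" ]; then
        # tee keeps a copy on disk while Wireshark displays the live stream.
        ssh -o BatchMode=yes "$target" "$cmd" | tee "$save" | wireshark -k -i -
    else
        ssh -o BatchMode=yes "$target" "$cmd" | wireshark -k -i -
    fi
}

# Only start a capture when invoked with arguments, e.g.
#   ./remote-capture.sh user_name@remote_host_ip eth0 'port 53' dns_capture.pcap
if [ "$#" -ge 2 ]; then
    remote_capture "$@"
fi
```

The remote command that build_remote_cmd produces for eth0 and 'port 53' is: set -- $SSH_CONNECTION; exec sudo -n tcpdump -s 0 -U -n -w - -i eth0 "not (host $1 and tcp port $2) and (port 53)". The exec is deliberate: it replaces the remote shell with tcpdump, so closing Wireshark ends the ssh session and takes the capture process down with it instead of leaving a root tcpdump behind.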
- https://www.youtube.com/watch?app=desktop&v=C7nhdAL9oPg&t=230s
- https://serverfault.com/questions/362529/how-can-i-sniff-the-traffic-of-remote-machine-with-wireshark
- https://wiki.wireshark.org/CaptureSetup/Pipes
- https://www.howtoforge.com/wireshark-remote-capturing
- https://unix.stackexchange.com/questions/395776/how-to-remote-execute-ssh-command-a-sudo-command-without-password