The client must have wireshark installed and be running Mac OS X or Linux.
The server must have dumpcap (usually in the wireshark package) installed.
To connect to host server.domain.com:
$ sshcap server.domain.comAdditional filters (default is "not port 22") can be appended to the command. For example, capture DNS like:
$ sshcap server.domain.com port 53| function sshcap { | |
| # Sane default filter to prevent a feedback loop | |
| # Custom filters are always appended to this | |
| filter='not port 22' | |
| filter_args=${@:2} | |
| if [ -n "$filter_args" ]; then | |
| filter="not port 22 and $filter_args" | |
| fi | |
| echo "Using filter: $filter" | |
| # Options for dumpcap | |
| opts="-i any -w - -f '$filter' 2>/dev/null" | |
| # Hacky dumpcap path resolution via subshell | |
| dumpcap="sudo \$(which dumpcap 2>/dev/null || echo /usr/sbin/dumpcap) $opts" | |
| # This will try and use pcap legacy format compatibility if the flag is available | |
| # Otherwise the default format is used | |
| wireshark -k -i <(ssh -q $1 -C "$dumpcap -P || $dumpcap") | |
| } |