@vjt
Last active August 1, 2024 09:20
tcpdump on remote host

Running tcpdump on remote hosts with no storage

If you have tcpdump on your embedded home router (which typically has no storage to write a capture file to) and you want to see what traffic your locked-down phone is generating, you can capture on the router and stream the packets to Wireshark on your main workstation instead of saving them remotely.

Ensure that you can log on to the remote host without a password, e.g. by using SSH keys.

  1. On the remote host, create a FIFO:
     remotehost# mkfifo /tmp/tcpdump
  2. On the local host, ssh to the remote, start reading from the FIFO, and pipe its contents straight into Wireshark (`-k` starts the capture immediately, `-i -` reads the pcap stream from stdin). The `cat` blocks until a writer opens the FIFO, so it is fine to start this before step 3:
     localhost# ssh remotehost cat /tmp/tcpdump | wireshark -ki -
  3. On the remote host, start capturing and write to the FIFO. Replace the capture interface and add a capture filter as needed; `-U` flushes each packet to the FIFO as soon as it is captured (so Wireshark shows traffic live rather than when a buffer fills) and `-s0` captures whole packets:
     remotehost# tcpdump -s0 -Uni eth0 -vvv -w /tmp/tcpdump

If the SSH session to the router runs over the same interface you capture on, the session's own packets (which carry the capture) end up in the capture too, and every packet you see generates more packets to see. Add a capture filter such as `not host <workstation-ip>` or `not port 22` to keep the SSH traffic out.
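The same procedure as a single script, added here as an example and not the gist author's code. It uses the one-session variant from the comments below (tcpdump writing pcap to stdout with `-w -`, so no FIFO is needed) and derives a capture filter that excludes the SSH session itself, which is the feedback loop that bites when capturing on the interface the session uses. The hostnames, interface name and the `SSH_PORT` variable are assumptions; it expects a Linux workstation with iproute2 and glibc `getent`, key-based SSH login, and Wireshark in `PATH`.

```sh
#!/bin/sh
# Added example (not the gist author's code): stream a remote tcpdump into the
# local Wireshark over a single SSH session, writing pcap to stdout (-w -) instead
# of a FIFO, and exclude the SSH session itself from the capture. Without that
# exclusion every captured packet sent back over SSH is itself captured, which
# generates more SSH packets, and the capture feeds on itself.
# Assumptions: Linux workstation with iproute2 (`ip`) and glibc `getent`,
# ssh and wireshark in PATH, key-based login, tcpdump on the remote host.
set -eu

# Build a BPF capture filter that drops the SSH control connection between the
# workstation address ($1) and the remote sshd port ($2) and ANDs in an optional
# user-supplied filter ($3). Prints the filter on stdout.
build_filter() {
    local_ip=$1
    ssh_port=$2
    extra=${3:-}
    f="not (host $local_ip and tcp port $ssh_port)"
    if [ -n "$extra" ]; then
        f="$f and ($extra)"
    fi
    printf '%s\n' "$f"
}

# Build the command line the remote shell will run: tcpdump with no name
# resolution (-n), full snaplen (-s0), packet-buffered output (-U, so each packet
# reaches Wireshark as it is captured rather than when a buffer fills) and raw
# pcap on stdout (-w -). The filter is single-quoted for the remote shell, so it
# must not itself contain single quotes.
build_remote_cmd() {
    iface=$1
    filter=$2
    printf "tcpdump -s0 -Uni %s -w - '%s'\n" "$iface" "$filter"
}

# Resolve a hostname or IPv4 literal to one IPv4 address.
resolve_v4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Find the local source address the kernel will use to reach the remote; that is
# the address the SSH session carries and therefore the one to exclude.
local_addr_for() {
    ip -o route get "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# Usage: remote-capture.sh [user@]host iface [extra-bpf-filter]
main() {
    remote=$1
    iface=$2
    extra=${3:-}
    port=${SSH_PORT:-22}                      # override for non-standard sshd ports
    remote_ip=$(resolve_v4 "${remote#*@}")    # strip an optional user@ prefix
    me=$(local_addr_for "$remote_ip")
    [ -n "$me" ] || { echo "cannot determine local address for $remote_ip" >&2; exit 1; }
    filter=$(build_filter "$me" "$port" "$extra")
    cmd=$(build_remote_cmd "$iface" "$filter")
    # -k: start capturing immediately; -i -: read the pcap stream from stdin.
    ssh -p "$port" "$remote" "$cmd" | wireshark -k -i -
}

# Run only when invoked with arguments, e.g.
#   ./remote-capture.sh admin@192.168.19.1 br0 'not port 53'
[ "$#" -eq 0 ] || main "$@"
```

The exclusion is on the host/port pair rather than on `port 22` alone so that other SSH traffic crossing the router (for example the phone talking to a server) still shows up in the capture.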

Enjoy

@jtolksdo

Sorry, this does not work.
`localhost# ssh remotehost cat /tmp/tcpdump | wireshark -ki -` opens Wireshark, but does not cat the remote file; it seems it does not even log in to the remote host, as no password is asked for. When entering `localhost# ssh remotehost cat /tmp/tcpdump` I'm asked for the password and see the dump, but no Wireshark.

@vjt (Author)

vjt commented Jul 28, 2024

> Sorry, does not work. "localhost# ssh remotehost cat /tmp/tcpdump | wireshark -ki -" opens wireshark, but does not CAT the remotefile, as it seems like it does not even login to the remote host, as no password is asked.

Hi, I was implying that you are able to log on to the remote host without providing a password, e.g. by using SSH keys. I've updated the gist to include this requirement.

Thanks!

@jtolksdo

Got you. Thanks. I'm now starting the following command on my MacBook (192.168.19.243) to capture internal traffic from my Ubiquiti Gateway (192.168.19.1). Works pretty well:
ssh [email protected] 'tcpdump -f -i br0 -w - not host 192.168.19.243' | wireshark -k -i -

@vjt (Author)

vjt commented Aug 1, 2024

Glad to hear it! Cheers!
