Live Wireshark session from remote machine
I was tasked to debug some network stack issues last week at work which required intercepting wireless traffic at the router. Previously, I would use my MacBook to share internet through an Ethernet port, and then open a Wireshark session on bridge100 to look at traffic this way.
However, this is usually a pain because the internet sharing feature tends to break for me, which ends in a reboot to resolve the issue, as well as having to mess with cables. We switched out the wireless router with one that was running OpenWRT with tcpdump installed, and other engineers used to ssh in, run tcpdump on the router, then copy the file down locally and open it in Wireshark.
I prefer to be able to see the packets live, so I hunted around and came across a fairly simple solution. You’ll need:
- OS X or Linux. Cygwin might work but who knows? (or cares)
- ssh access to remote machine
- tcpdump and ability to access the appropriate interface on the remote machine
- Wireshark installed locally
wireshark -k -i <(ssh [remote machine] sudo tcpdump -i [interface name] -S -l -w - "[dump filter]")
The dump filter is optional. If it worked correctly, you should see Wireshark pop up and packets start to come in. You may need to scroll to the bottom of the list before it starts to auto-scroll.
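A wrapper around the one-liner above, as an added example that is not from the original post: it validates the interface name and filter before they reach the remote shell, and always excludes the SSH port so the capture does not record its own transport when tcpdump listens on the interface the SSH session uses. The function names, the `-U` flag (packet-buffered writes, used here in place of `-l`), piping into `wireshark -k -i -` instead of process substitution, and sudo not prompting for a password on the remote side are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the original post.

# Print the tcpdump command to run on the remote machine.
#   $1 interface name, $2 optional capture filter, $3 SSH port (default 22)
build_remote_tcpdump() {
    iface=$1 filter=${2:-} ssh_port=${3:-22}
    # These strings are evaluated by the remote shell, so accept only plain
    # interface names and numeric ports.
    case $iface in
        ''|*[!A-Za-z0-9._:-]*) echo "invalid interface name" >&2; return 1 ;;
    esac
    case $ssh_port in
        ''|*[!0-9]*) echo "invalid SSH port" >&2; return 1 ;;
    esac
    # The filter is single-quoted for the remote shell; a quote inside it
    # would end the quoting, so refuse it.
    case $filter in
        *\'*) echo "filter must not contain single quotes" >&2; return 1 ;;
    esac
    # Exclude the SSH session itself: when the capture interface also carries
    # it, every packet sent to Wireshark would be captured and sent again.
    if [ -n "$filter" ]; then
        filter="($filter) and not port $ssh_port"
    else
        filter="not port $ssh_port"
    fi
    # -U: write each packet as soon as it is captured; -w -: pcap to stdout.
    printf "sudo tcpdump -i %s -U -w - '%s'\n" "$iface" "$filter"
}

# live_capture HOST INTERFACE [FILTER] [SSH_PORT]
live_capture() {
    host=$1
    case $host in
        ''|-*) echo "invalid host" >&2; return 1 ;;
    esac
    shift
    remote_cmd=$(build_remote_tcpdump "$@") || return 1
    # Wireshark reads the pcap stream from stdin (-i -) and starts at once (-k).
    ssh "$host" "$remote_cmd" | wireshark -k -i -
}
```

Call it as `live_capture root@router br-lan 'host 192.0.2.10'`; the host, interface and address are placeholders.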