Live Wireshark session from remote machine

I was tasked to debug some network stack issues last week at work which required intercepting wireless traffic at the router. Previously, I would use my Macbook to share internet through an Ethernet port, and then open a Wireshark session on bridge100 to look at traffic this way.

However, this is usually a pain because the internet sharing feature tends to break for me, which usually means a reboot to fix it, plus having to mess with cables. We switched out the wireless router for one running OpenWRT with tcpdump installed, and other engineers used to ssh in, run tcpdump on the router, copy the capture file down locally and then open it in Wireshark.

I prefer to be able to see the packets live, so I hunted around and came across a fairly simple solution. You’ll need:

  • OS X or Linux. Cygwin might work but who knows? (or cares)
  • ssh access to remote machine
  • tcpdump and ability to access the appropriate interface on the remote machine
  • Wireshark installed locally

Run: wireshark -k -i <(ssh [remote machine] sudo tcpdump -i [interface name] -S -l -w - "[dump filter]")

The dump filter is optional. If it worked correctly, you should see Wireshark pop up and packets start to come in. You may need to scroll to the bottom of the list before it starts to auto-scroll.
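As an added example (not from the original post), here is the same idea wrapped in a small POSIX sh script, so it also runs in shells without process substitution. It assumes ssh, tcpdump on the remote host and Wireshark locally, as the post does; the function names and the way the capture is built are this example's own. Two deliberate changes from the one-liner: tcpdump's -U (packet-buffered) replaces -S -l so each packet is flushed to the stream as it is captured, and Wireshark reads the stream from stdin (-i -) instead of a bash <( ) file descriptor. The interface name and filter are quoted before being sent over ssh, because they are otherwise interpolated into a remote shell command, and the interface name is checked against a conservative character set.

```shell
#!/bin/sh
# Added example, not the original post's command. Assumes ssh, tcpdump
# (remote) and wireshark (local); function names are this example's own.

# Quote one argument for the remote POSIX shell (single-quote escaping), so
# an interface name or filter containing spaces or shell metacharacters is
# delivered literally instead of being interpreted on the remote host.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Accept only interface names built from letters, digits, '.', '_', ':' and
# '-' (covers eth0, wlan0.1, eth0:1 style aliases). Returns 1 otherwise.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build the remote tcpdump command line.
#   -U    packet-buffered: flush every packet to stdout as it arrives
#   -s 0  full snaplen, so older tcpdump builds do not truncate packets
#   -w -  write pcap to stdout, which ssh carries back to us
# The optional capture filter is passed as a single quoted argument.
remote_cmd() {
    iface=$1
    filter=$2
    valid_iface "$iface" || return 1
    cmd="sudo tcpdump -i $(shquote "$iface") -U -s 0 -w -"
    [ -n "$filter" ] && cmd="$cmd $(shquote "$filter")"
    printf '%s' "$cmd"
}

# Start the live session. ssh -n keeps ssh off our stdin and -T requests no
# pty, which would otherwise mangle the binary pcap stream. Note that sudo on
# the remote host must not prompt: with no tty it fails outright, and a
# prompt on stdout would corrupt the stream Wireshark is reading.
live_capture() {
    host=$1
    iface=$2
    filter=$3
    cmd=$(remote_cmd "$iface" "$filter") || {
        echo "refusing to use interface name: $iface" >&2
        return 1
    }
    ssh -n -T "$host" "$cmd" | wireshark -k -i -
}

# Usage (constructed placeholder host name):
#   live_capture router.example.internal wlan0 'port 53'
```

If tcpdump on the router already runs as root (as is common on OpenWRT), drop the sudo from remote_cmd; everything else stays the same.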

Enjoy!
