
psophis | 6 years ago

This is very cool. Though I’ve always done remote wireshark captures:

    ssh root@sniff_server_ip -p port tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -
Source: https://serverfault.com/questions/362529/how-can-i-sniff-the...

It works very well on low volume captures.


turrini|6 years ago

I've made a simple script based on your example:

wirelive.sh:

  #!/bin/bash

  if [[ -z "$1" ]]; then
      echo -e "Usage: $(basename "$0") <host[:port]> <interface> [filters]"
      exit 1
  fi

  # host[:port] -> ssh host and port (default 22)
  ssh_host=$(echo "$1" | cut -d: -f1)
  ssh_port=$(echo "$1" | cut -s -d: -f2)
  [[ -z "$ssh_port" ]] && ssh_port=22
  [[ -z "$2" ]] && tcpdump_interface="any" || tcpdump_interface="$2"
  # extra capture filters are appended to the "not port <ssh_port>" clause
  [[ -n "$3" ]] && tcpdump_filters="and \($3\)"

  ssh root@${ssh_host} -p ${ssh_port} \
      tcpdump -U -s0 "not port ${ssh_port} ${tcpdump_filters}" -i ${tcpdump_interface} -w - \
      | wireshark -k -i -

pstuart|6 years ago

nice, but a small nit: you don't need to quote variables inside bash double brackets.

neilv|6 years ago

This method even worked for Wiresharking all PS3 traffic in real time for a GTA Online session, running the tcpdump on a little plastic old mipsel SoC OpenWrt router that was also doing all the routing (not a passive sniffing box), without noticeable effect on gameplay. (I was trying to detect cheaters.)

BTW, for anyone new to tcpdump, you can also specify selectors/filtering on the command line, to reduce the traffic. The filtering in Wireshark is on top of that.

kayoone|6 years ago

Online games are pretty low volume though; data is usually transmitted at a few Kbps per player. Just out of interest, how did you try to spot cheaters doing that?

iammeow|6 years ago

Came here to write the very same command. I only use -l instead of -U. In Windows using WSL I use something like this:

  ssh root@remotehost "tcpdump -i eth1 -s0 -l -w - 'udp'" | /mnt/c/Program\ Files/Wireshark/Wireshark.exe -k -i -

kees99|6 years ago

Option "-l" is only supposed to be used with text output. When mis-applied to binary (-w) output, it will:

- On Linux, flush buffer at wrong places, breaking last (few) packet(s);

- On Windows, flush buffer after every byte (which gives acceptable result, but is very inefficient).

With "-w", always use "-U" instead.

kevintb|6 years ago

ah, very handy!
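An added example, not from any commenter in this thread: a variant of turrini's wrapper that builds the remote tcpdump command line in a separate function so it can be checked before anything is run. It single-quotes the capture expression for the remote shell (ssh re-splits its command string, so spaces and parentheses in a user filter would otherwise be mangled), keeps the "not port <ssh_port>" clause so the capture stream is not captured itself, and uses -U rather than -l for -w output as kees99 notes. Host names, ports and filters in the tests are constructed sample values.

```shell
#!/bin/sh
# Added example (not the thread's own code): remote tcpdump piped into Wireshark.

# shell_quote STRING -> STRING wrapped in single quotes, safe for the remote shell
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# parse_host_port "host[:port]" -> prints "host port" (port defaults to 22)
parse_host_port() {
    host=${1%%:*}
    port=22
    case $1 in *:*) port=${1#*:} ;; esac
    printf '%s %s\n' "$host" "$port"
}

# build_remote_cmd IFACE SSH_PORT [FILTER] -> prints the tcpdump command line
# that the remote shell will execute; the ssh port is always excluded and an
# optional user filter is AND-ed in parentheses, as in turrini's script.
build_remote_cmd() {
    iface=$1
    sshport=$2
    filter=$3
    expr="not port ${sshport}"
    [ -n "$filter" ] && expr="${expr} and (${filter})"
    printf 'tcpdump -U -s0 -i %s -w - %s\n' "$(shell_quote "$iface")" "$(shell_quote "$expr")"
}

# run_capture "host[:port]" [iface] [filter]: stream the remote capture into Wireshark
run_capture() {
    hp=$(parse_host_port "$1")
    rhost=${hp% *}
    rport=${hp#* }
    iface=${2:-any}
    ssh "root@${rhost}" -p "$rport" "$(build_remote_cmd "$iface" "$rport" "$3")" \
        | wireshark -k -i -
}

if [ $# -gt 0 ]; then
    run_capture "$@"
else
    echo "Usage: $(basename "$0") <host[:port]> [interface] [filter]" >&2
fi
```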