+------------------+ +----------------------+ | Local host | tcpdump over ssh | Remote Host | | |--------------------| |\ eth0 | +--------------+ |--------------------| |/ | | Wireshark | | | tcpdump -i eth0... | | |--------------| | +----------------------+ | | | | | | | | | +--------------+ | | | +------------------+
- Allow to run tcpdump without entering password, by
sudo visudo:
username ALL = (ALL) NOPASSWD: /usr/sbin/tcpdump
- Create a named pipe:
mkfifo /tmp/remote
- Start wireshark from the command line:
wireshark -k -i /tmp/remote
- Run tcpdump over ssh on your remote machine and redirect the packets to the named pipe:
ssh username@remote_host_ip "sudo tcpdump -s 0 -U -n -w - -i eth0 port 53" > /tmp/remote
- Test by performing
ping google.comon the remote machine, you will see the DNS packets in remote machine's Wireshark.
- https://serverfault.com/questions/362529/how-can-i-sniff-the-traffic-of-remote-machine-with-wireshark
- https://wiki.wireshark.org/CaptureSetup/Pipes
- https://www.howtoforge.com/wireshark-remote-capturing
- https://unix.stackexchange.com/questions/395776/how-to-remote-execute-ssh-command-a-sudo-command-without-password