@quyenlv
Last active April 24, 2024 09:24
Capturing packets remotely with tcpdump and Wireshark.

Topology

+------------------+                    +----------------------+
|   Local host     |  tcpdump over ssh  |    Remote Host       |
|                  |--------------------|                      |\ eth0
| +--------------+ |--------------------|                      |/
| |   Wireshark  | |                    |  tcpdump -i eth0...  |
| |--------------| |                    +----------------------+
| |              | |
| |              | |
| +--------------+ |
|                  |
+------------------+

Remote Host

  • Allow the capturing user to run tcpdump without a password prompt, by adding this line via sudo visudo (this grants root for that one binary only, so keep the path absolute and the user specific):
username ALL = (ALL) NOPASSWD: /usr/sbin/tcpdump

Local Host

  • Generate a new SSH keypair by running:
ssh-keygen -t rsa
  • Copy the RSA public key to the remote host so you can log in without entering a password:
ssh-copy-id -i ~/.ssh/id_rsa.pub user_name@remote_host_ip
  • Run tcpdump over ssh on the remote machine and feed the raw pcap stream to Wireshark through a named pipe (bash process substitution):
wireshark -k -i <( ssh user_name@remote_host_ip sudo tcpdump -s 0 -U -n -w - -i eth0 port 53 )
  • Test by running ping google.com on the remote machine; the DNS packets appear in Wireshark on the local host.
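A small wrapper around the steps above, added here as an example and not part of the original gist. It assumes the key-based login and the sudoers rule are already in place, and adds the checks a practitioner would want: non-interactive ssh (BatchMode) and sudo (-n) so a missing key or rule fails immediately instead of leaving the pipe waiting on a prompt, a whitelist on the interface name, and quoting of the filter words, since the whole command string is interpreted by the remote shell.

```shell
#!/bin/sh
# Remote tcpdump -> local Wireshark via a named pipe (added example, not
# code from the original gist). Assumes passwordless ssh and the
# NOPASSWD sudoers entry for /usr/sbin/tcpdump already exist.
# Usage: remote_capture user@host iface [tcpdump filter words...]

# Interface names may contain only letters, digits, '.', '_', ':' and '-'.
# Anything else is rejected: the name becomes part of a string that the
# remote shell parses, so ';' or '$(...)' would be executed there.
validate_iface() {
    case "$1" in
        "" | *[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Wrap a word in single quotes for the remote shell, escaping embedded
# single quotes as '\'' so the word is passed through literally.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command string the remote host will run. "sudo -n" fails
# instead of prompting when the sudoers rule is missing or mistyped.
build_remote_cmd() {
    iface=$1; shift
    validate_iface "$iface" || return 1
    cmd="sudo -n /usr/sbin/tcpdump -s 0 -U -n -w - -i $iface"
    for word in "$@"; do cmd="$cmd $(shquote "$word")"; done
    printf '%s\n' "$cmd"
}

# Create a private fifo, stream the remote pcap into it in the background,
# and point Wireshark at the fifo; tear both down when Wireshark exits.
remote_capture() {
    target=$1; shift
    rcmd=$(build_remote_cmd "$@") || { echo "bad interface: $1" >&2; return 1; }
    fifo=$(mktemp -u) && mkfifo -m 600 "$fifo" || return 1
    ssh -o BatchMode=yes "$target" "$rcmd" > "$fifo" &
    wireshark -k -i "$fifo"
    kill $! 2>/dev/null; rm -f "$fifo"
}

if [ $# -ge 2 ]; then remote_capture "$@"; fi
```

Saving to a file instead of viewing live is the same command with `-w - ` replaced by `-w capture.pcap` on the remote side, or with the ssh output redirected to a local file.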
