@shawnsi
Last active March 16, 2023 00:08
Remote Wireshark Capture over SSH

Prerequisites

Client

The client must have Wireshark installed and be running macOS or Linux with a shell that supports process substitution (bash or zsh), because the function hands the capture stream to Wireshark through `<( ... )`.

Server

The server must have dumpcap installed (usually shipped in the wireshark package). The function runs it as `sudo dumpcap` over a non-interactive SSH session with no TTY, so sudo must be able to run that command without prompting for a password (or dumpcap must otherwise be permitted to capture, for example via the wireshark group); if sudo does prompt, the capture fails silently because dumpcap's stderr is discarded.

Usage

To connect to host server.domain.com:

$ sshcap server.domain.com

Additional capture-filter terms (BPF syntax) can be appended to the command; they are ANDed with the default filter "not port 22", which keeps the SSH session carrying the capture out of the capture itself and so prevents a feedback loop. If the remote sshd listens on a port other than 22, adjust the default accordingly. For example, to capture DNS:

$ sshcap server.domain.com port 53

sshcap

```bash
function sshcap {
    # Sane default filter to prevent a feedback loop: the capture itself
    # travels over SSH, so the remote sshd's traffic must be excluded.
    # Custom filters are always appended to this with "and".
    local filter='not port 22'
    local filter_args="${*:2}"
    if [ -n "$filter_args" ]; then
        filter="not port 22 and $filter_args"
    fi
    echo "Using filter: $filter"
    # Options for dumpcap: capture on all interfaces, write the capture to
    # stdout, apply the BPF filter, and silence dumpcap's status messages.
    local opts="-i any -w - -f '$filter' 2>/dev/null"
    # Hacky dumpcap path resolution via subshell; the escaped \$ keeps the
    # substitution unexpanded locally so it runs on the remote host, where
    # a non-login PATH may not include /usr/sbin.
    local dumpcap="sudo \$(which dumpcap 2>/dev/null || echo /usr/sbin/dumpcap) $opts"
    # -P asks dumpcap for legacy pcap format; if the flag is unsupported the
    # command fails before writing anything and the default format (pcapng)
    # is used instead. Wireshark reads the stream from the process
    # substitution pipe and starts capturing immediately (-k).
    wireshark -k -i <(ssh -q "$1" -C "$dumpcap -P || $dumpcap")
}
```
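Two things about the function above are worth tightening. The `not port 22` default only breaks the feedback loop when the remote sshd really listens on port 22, and the user's filter is appended verbatim, so `sshcap host port 53 or port 80` produces `not port 22 and port 53 or port 80`, which pcap-filter parses left to right as `(not port 22 and port 53) or port 80`. The following is an added variant written for this page, not the gist author's code: it resolves the port ssh will actually use from the client's ssh configuration (`ssh -G`, OpenSSH 6.8 or newer), wraps the user's filter in parentheses, validates the port before it is spliced into a string the remote shell will parse, and runs dumpcap without sudo, assuming dumpcap on the server has been made capture-capable (for example via Debian's wireshark group, which grants it CAP_NET_RAW and CAP_NET_ADMIN). The function names `build_filter`, `is_port` and `ssh_port_for` are this example's own.

```bash
#!/usr/bin/env bash
# Added example (not the gist's code): a variant of sshcap that derives the
# SSH port from the client's ssh config, parenthesizes the user filter and
# runs dumpcap on the remote host without sudo. Source this file, then run
# `sshcap host [capture filter ...]`.

# Build the capture filter. The first argument is the remote sshd port, the
# rest (optional) is the user's BPF expression, wrapped in parentheses so
# "port 53 or port 80" keeps its meaning after the "not port N and" prefix.
build_filter() {
    local ssh_port=$1
    shift
    local base="not port ${ssh_port}"
    if [ $# -gt 0 ]; then
        printf '%s and (%s)\n' "$base" "$*"
    else
        printf '%s\n' "$base"
    fi
}

# Accept only a plausible TCP port, so an unexpected token from ssh -G can
# never end up inside the filter string handed to the remote shell.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Ask ssh which port it will really use for this destination (honours
# Host/Port stanzas in ~/.ssh/config). Requires OpenSSH 6.8 or newer.
ssh_port_for() {
    ssh -G "$1" | awk '$1 == "port" { print $2; exit }'
}

sshcap() {
    local host=$1
    shift
    local port filter remote_cmd
    port=$(ssh_port_for "$host")
    if ! is_port "$port"; then
        echo "sshcap: could not resolve the SSH port for $host" >&2
        return 1
    fi
    filter=$(build_filter "$port" "$@")
    echo "Using filter: $filter" >&2

    # Remote side: locate dumpcap (not always on a non-login PATH) and stream
    # a legacy-pcap (-P) capture of all interfaces to stdout. No sudo: dumpcap
    # is assumed to carry CAP_NET_RAW/CAP_NET_ADMIN (Debian's wireshark group).
    # printf %q shell-quotes the filter so it reaches dumpcap as one argument.
    remote_cmd="\$(command -v dumpcap || echo /usr/sbin/dumpcap) -i any -P -w - -f $(printf '%q' "$filter")"

    # Local side: Wireshark reads the stream from the process-substitution
    # pipe and starts capturing immediately (-k). dumpcap's stderr is left
    # visible so a permission problem on the remote host is not swallowed.
    wireshark -k -i <(ssh -q -C "$host" "$remote_cmd")
}
```

Excluding `port N` still drops every SSH connection to the server, not only the one carrying the capture; that is acceptable for most troubleshooting, but if the SSH traffic of other users is what you need to see, replace the prefix with a host-specific term such as `not (host <client ip> and port N)`.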