Remote Wireshark capture

It’s easier than I thought to capture network traffic from a remote machine and display it in WireShark running on your local computer.

# one liner with named pipe
$ wireshark -k -i <(ssh root@ "tcpdump -s 0 -U -w - not port 22")

# more explicit version of named pipe
$ mkfifo p
$ ssh root@ "tcpdump -s 0 -U -w - not port 22" > p &
$ wireshark -k -i /tmp/p

# one liner with a normal pipe
$ ssh root@ "tcpdump -s 0 -U -w - not port 22" | wireshark -k -i -

All three variants are doing the same thing; they ssh into the remote host you want to monitor and fire up tcpdump to get the packet stream via SSH. Then wireshark is launched to read from the stream.

The official docs for this talk about using named pipes, which is what the first two versions do. The <(command) thing is a special bash syntax for creating a named pipe for you, it’s just a more concise version of explicitly using mkfifo. The last version using stdin also seems to work for me but the docs say “it is not clear whether it always works”. The only mysterious thing I can think of is buffering questions, but I don’t know why a named pipe would be better than a normal pipe for that.

The tcpdump command is a tiny bit subtle. It’s important to not capture ssh traffic, since we’re using ssh as the transport and that’d create a feedback loop. The other options are basically “capture everything and don’t buffer”.