Linux – How to set up remote capturing in Wireshark, capturing from a CentOS server on a Windows laptop

Tags: centos, linux, ssh, windows, wireshark

I'm looking to capture packets from a remote server network interface.
The remote server is running CentOS and has tshark installed.
I'm working on a Windows 8 machine with Wireshark installed.

I've found this brief tutorial, but it's more for the home user. I've no UI on my server so I need to do all setup in the terminal over ssh.
I also found this question, but it doesn't seem complete or correct.

I'm looking to capture all incoming data on a particular port, but I can figure that bit out easily enough. It's getting the capture itself working that's the main issue.

Also, does capturing remotely mean that the data won't be saved on the remote server itself? Or will it be saved on both my laptop and the server?

Best Answer

You can capture several packets on the remote server with tcpdump, saving them to its local disk. Then download the saved dump to your computer through ssh/sftp/scp and open the downloaded file in Wireshark.

First, you should install tcpdump: yum install -y tcpdump. After it installs successfully, you can start the capture: tcpdump -c 10 -s 0 -w filename.dump -nnni any port 18123. This command will capture ten packets from or to port 18123 and save these packets to the file filename.dump.

Also, you can remove the -c 10 option from the tcpdump command line. In this case tcpdump will capture all data on port 18123 until Ctrl-C is pressed.
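A way to do what the question actually asks for, streaming the remote tcpdump output over ssh straight into the local Wireshark instead of writing a file on the server and copying it, as an added example that is not part of the original answer. It assumes key-based ssh to the server, a remote user allowed to run tcpdump (root, or sudo without a password prompt), and Wireshark on the local PATH; on Windows run it from Git Bash/WSL or replace ssh with plink.

```shell
#!/bin/sh
# Added example (not from the original post): live remote capture over ssh.
# Assumes ssh key auth, a remote user that may run tcpdump, and a local
# `wireshark` binary on PATH (or plink + Wireshark.exe on Windows).

# Validate that the port is a number in 1..65535; return 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the remote tcpdump command line.
#   -w -   writes pcap to stdout, so nothing is stored on the server's disk
#   -s 0   keeps full packet length, -U flushes each packet for live viewing
#   'and not port 22' keeps the ssh session carrying the capture out of it
remote_cmd() {
    port="$1"; iface="${2:-any}"
    printf 'tcpdump -U -s 0 -nn -i %s -w - port %s and not port 22' "$iface" "$port"
}

# Run the capture: tcpdump -> ssh -> Wireshark's stdin (-i - reads a pipe).
# Stop with Ctrl-C or by closing Wireshark; the data lives only on the laptop.
capture() {
    host="$1"; port="$2"; iface="${3:-any}"
    valid_port "$port" || { echo "bad port: $port" >&2; return 2; }
    ssh "$host" "$(remote_cmd "$port" "$iface")" | wireshark -k -i -
}

# Usage: ./remote_capture.sh root@centos-server 18123 [eth0]
if [ -n "$1" ]; then capture "$@"; fi
```

Because the capture is written to stdout rather than a file, it is never saved on the server; if you do want a copy there too, the file-and-copy method above is the right one.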
