Remote Packet Capture using Wireshark

capturelinuxpacketwindowswireshark

Well The scenario is that I have a Windows machine(at home) and a Linux box running headless Ubuntu server(without GUI) on a remote location.
I got Wireshark installed on my windows machine, and tcpdump installed on the remote linux box.
Here is my question, Is there an easy way of capturing packets off of my linux box? I've been reading through some blog posts, didn't really find an easy way of configuring either tcpdump of Tshark so I could remotely monitor the network traffic.
I also realized that it is easy to capture packets remotely off a remote windows machine with simple remoter interface configuration.
I was wondering if there's a similar way so I could configure my remote located linux box to listen on port 2002 and start capturing remotely here in my windows mahcine?
Any advice?

Best Answer

Install cygwin or better yet install Linux at home.
ssh root@remotelinuxbox.com "tcpdump -I eth0 | grep -v 'home ip address' "

Keep in mind that whatever solution requires that you do not log the packets to the logserver because that would make an infinite loop. trace a packet from node Z and then send packet trace to node L (LogServer). Send packet trace to node L. Send another packet trace of the packet trace sento node L.... ad infinitum.

If you have more than one network interface on RemoteLinux, then trace everything on one interface and send the packet traces out the other interface to your windows box.

Related Solutions

Wireshark only captures packets to or from this device

I believe you could solve your problem with airmon-ng (this should be installed by default on Kali).

Answer provided by Kurt Knochner on ask.wireshark.org Source

ifconfig -a

Do you see a wlan0 or wlan1 interface?

If no, your wireless card is not recognized by your kernel and there is nothing Wireshark can do about it. Stop here and ask the the people in the user forum of your Linux distribution (Ubuntu, Fedora, etc.) how to add a working driver for your wireless card.

If you do see wlan0/1, proceed with

sudo airmon-ng start wlan0

sudo airmon-ng start wlan1

depending on which wireless interface you want to capture. That command should report the following message:

monitor mode enabled on mon0

Now, capture on mon0 with tcpdump and/or dumpcap.

sudo tcpdump -ni mon0 -w /var/tmp/wlan.pcap

sudo dumpcap -ni mon0 -w /var/tmp/wlan.pcap

Then open that file with Wireshark

wireshark -nr /var/tmp/wlan.pcap

Linux – How to set up remote capturing in Wireshark, capturing from a CentOS server on the Windows laptop

you can capture several packet on remote server by tcpdump, saving it to local disk. then download saved dump to your computer through ssh/sftp/scp and then open downloaded file in wireshark.

first, you should install tcpdump: yum install -y tcpdump. after sucessfully install, you can start capture: tcpdump -с 10 -s 0 -w filename.dump -nnni any port 18123. this command will capture ten packets from or to port 18123 and save this packets to file filename.dump.

also, you can remove key -c 10 from tcpdump command line. in this case tcpdump will capture all data on port 18123, until ctrl-c pressed.

Best Answer

Related Solutions

Wireshark only captures packets to or from this device

Linux – How to set up remote capturing in Wireshark, capturing from a CentOS server on the Windows laptop

Related Question