Friday, 17 April 2015

Wireshark via remote

From time to time I like to get an overview of what is happening on the network of my virtual server. As I am a huge fan of Wireshark, it is my weapon of choice for this.

A long time ago I started these investigations by creating a dump file on the remote host and copying it to my local machine.

But that is really not the best way to do it, so I want to share this little shell command:

 ssh <username>@<remote_host> sudo tcpdump -s0 -w - | wireshark -k -i -

If you use Windows and Cygwin, the Wireshark part of the call looks like this:

 /cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -
 
This runs tcpdump on the remote host and streams the capture over SSH into Wireshark on your local machine, where the analysis takes place.

Normally I pass some filter options, as I want to reduce the traffic that goes over the wire. Of course you could filter within Wireshark, but why use so much bandwidth?

 sudo tcpdump -s0 -w - 'not port 22 and host <host> and not port 53'

  • not port 22: the capture itself is streamed over SSH on port 22, so without this the capture would also contain its own traffic; better not to look at it
  • host <host>: I do not want to see all traffic on the network, only the traffic related to my own server
  • not port 53: just an example; many tools (like Apache, MySQL, ClamAV) perform DNS lookups, and I do not want to see them
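As an added example, not code from the original post, here is a small POSIX shell wrapper around the pipeline above. It builds the BPF filter so that the SSH port is always excluded first, re-quotes the filter for the remote login shell (the expression passes through two shells, the local one and the remote one), adds tcpdump's -U so each packet is flushed to the pipe instead of sitting in a stdio buffer, and falls back to the Cygwin path from the post when wireshark is not in PATH. The user, host, interface and addresses are placeholders, and tcpdump is assumed to be in the remote user's PATH.

```shell
#!/bin/sh
# Added example (not from the original post): remote tcpdump -> local Wireshark
# wrapper.  Assumptions: ssh key login and sudo are set up as the post
# describes, tcpdump is in the remote user's PATH, and wireshark is either in
# PATH or at the Cygwin path quoted in the post.
set -eu

# Build the BPF filter.  The SSH session carrying the capture is excluded
# first, otherwise the capture stream would capture itself and grow with
# every packet it forwards.
#   $1 = ssh port, $2 = host to keep, remaining args = extra excludes
bpf_filter() {
    ssh_port=$1; keep_host=$2; shift 2
    f="not port $ssh_port and host $keep_host"
    for ex in "$@"; do
        f="$f and not $ex"
    done
    printf '%s' "$f"
}

# Build the remote command line.  The local shell strips our quotes before
# ssh sends the string, so the filter is wrapped in single quotes again for
# the remote shell.  -U flushes each packet to the pipe immediately so
# Wireshark updates live instead of in bursts.
#   $1 = interface, $2 = filter expression
remote_cmd() {
    printf "sudo tcpdump -i %s -s0 -U -w - '%s'" "$1" "$2"
}

# Locate Wireshark: PATH first, then the Cygwin path from the post.
wireshark_bin() {
    if command -v wireshark >/dev/null 2>&1; then
        printf 'wireshark'
    elif [ -x "/cygdrive/c/Program Files/Wireshark/Wireshark.exe" ]; then
        printf '%s' "/cygdrive/c/Program Files/Wireshark/Wireshark.exe"
    else
        return 1
    fi
}

# usage: remote_capture user@host iface keep_host [extra excludes...]
remote_capture() {
    target=$1; iface=$2; keep=$3; shift 3
    ws=$(wireshark_bin) || { echo "wireshark not found" >&2; return 1; }
    filter=$(bpf_filter 22 "$keep" "$@")
    # -n: ssh must not read the local terminal, the pipe is for pcap data only
    ssh -n "$target" "$(remote_cmd "$iface" "$filter")" | "$ws" -k -i -
}

# Only start a capture when invoked with arguments (placeholders), e.g.
#   ./remote-capture.sh alice@vps.example eth0 203.0.113.10 'port 53'
if [ "$#" -ge 3 ]; then
    remote_capture "$@"
fi
```

Every extra argument after the host becomes another `and not ...` clause, so `'port 53'` reproduces the post's DNS exclusion and `'port 443'` would drop HTTPS as well; anything more complex (parentheses, `or`) is safe too, because the remote shell never sees it unquoted.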
There are some steps you should take before you can use the command above:
  • create an SSH key so you can log in without a password
  • add the user to the sudoers file, best with the NOPASSWD option
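As an added example of these two preparation steps (my code, not the post's), the script below generates a dedicated SSH key and copies it to the server, and writes a sudoers drop-in that grants NOPASSWD for the tcpdump binary only rather than for every command, validating it with visudo before it goes live. The path /usr/sbin/tcpdump and the user and host names are assumptions; the sudoers part runs as root on the remote host, the key part on the local machine.

```shell
#!/bin/sh
# Added example (not from the original post): one-time setup for passwordless
# remote captures.  Assumptions: tcpdump is at /usr/sbin/tcpdump on the remote
# host (check with: command -v tcpdump); user and host names are placeholders.
set -eu

TCPDUMP=/usr/sbin/tcpdump   # assumed path on the remote host

# sudoers line granting NOPASSWD for tcpdump only, not for every command.
#   $1 = login name of the capturing user
sudoers_entry() {
    printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$TCPDUMP"
}

# Remote host, as root: install the line as a drop-in under /etc/sudoers.d.
# visudo -c checks the syntax first, because a broken sudoers file can lock
# you out of sudo entirely; the file is installed read-only with mode 0440.
#   $1 = login name
install_sudoers_entry() {
    tmp=$(mktemp)
    sudoers_entry "$1" > "$tmp"
    visudo -cf "$tmp"
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/tcpdump-$1"
    rm -f "$tmp"
}

# Local machine: a dedicated key for the captures, copied to the server so
# the login no longer asks for a password.  Leaving the passphrase empty is
# what makes the one-liner in the post fully non-interactive; with a
# passphrase, load the key into ssh-agent first instead.
#   $1 = user@host
setup_local_key() {
    key="$HOME/.ssh/capture_ed25519"
    [ -f "$key" ] || ssh-keygen -t ed25519 -N '' -f "$key" -C "remote-capture"
    ssh-copy-id -i "$key.pub" "$1"
}

# Verify both steps at once: key login plus non-interactive sudo for tcpdump.
# sudo -n fails instead of prompting if NOPASSWD is not in effect.
#   $1 = user@host
check_remote() {
    ssh -n -o BatchMode=yes "$1" "sudo -n $TCPDUMP --version"
}

# Run the local steps only when called with user@host, e.g.
#   ./setup-capture.sh alice@vps.example
if [ "$#" -ge 1 ]; then
    setup_local_key "$1"
    check_remote "$1"
fi
```

Scoping NOPASSWD to the tcpdump binary is narrower than `ALL`, but tcpdump still runs as root, so grant the entry only to the account that actually does the captures and keep that account's key out of shared machines.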