Remote capture using wireshark:
First off, create the pipe:
my@desktop:~$ mkfifo /tmp/pipes/cap_fw
“/tmp/pipes/” is where I create my pipes, feel free to use whatever directory you prefer.
“cap_fw” is the name of the pipe I selected.
Start tcpdump remotely with ssh from the desktop where you have wireshark installed:
my@desktop:~$ ssh root@<firewall> "tcpdump -s 0 -U -n -w - -i eth1 not port 22" > /tmp/pipes/cap_fw
Replace <firewall> with the hostname or IP address of your remote server.
The options I used are:
-s 0 : use the required length to catch whole packets
-U : packet-buffering – write packet to pipe as soon as it is captured (as opposed to waiting for the buffer to fill)
-n : no address-to-name conversion (you can let wireshark do this if you want)
-w - : write output to standard output
-i eth1 : capture from interface eth1 – change to match your setup
not port 22 : leave out any packets from / to port 22. This is needed as we use ssh to connect to our firewall, so that we don’t capture the captured packets again… If you need to examine port 22 on your server, use ssh over an alternative port.
> /tmp/pipes/cap_fw : redirect the output to our pipe.
While tcpdump is capturing packets and sending them to the pipe, open another terminal, start wireshark and use the pipe as the input:
my@desktop:~$ wireshark -k -i /tmp/pipes/cap_fw
Here the options mean:
-k : start immediately
-i /tmp/pipes/cap_fw : use our pipe as the “interface”
And you’re up and running!
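The whole procedure as a POSIX shell script, an added example that is not part of the original post; it goes one step further by excluding only our own ssh session from the capture (when the desktop address is given) so that other port 22 traffic on the firewall still shows up, and it refuses to write into a stale regular file sitting where the pipe should be. Assumed: key-based ssh access as root so the background session needs no password prompt, and the firewall name, interface, desktop address and pipe path are placeholders you supply.

```shell
#!/bin/sh
# Added example: wraps the ssh -> named pipe -> wireshark procedure above.
# All host names, addresses and paths are placeholders passed in by the caller.

# Create the named pipe (and its directory) if missing.  Refuse to continue
# when the path already exists as something other than a FIFO, e.g. a plain
# file left behind by an earlier "> /tmp/pipes/cap_fw" typed before mkfifo:
# tcpdump would happily fill that file while wireshark sees nothing.
ensure_fifo() {
    pipe=$1
    mkdir -p "$(dirname "$pipe")" || return 1
    if [ -e "$pipe" ] && [ ! -p "$pipe" ]; then
        echo "ensure_fifo: $pipe exists but is not a FIFO" >&2
        return 1
    fi
    [ -p "$pipe" ] || mkfifo "$pipe"
}

# Build the remote tcpdump command line.  With a desktop address the filter
# drops only our own ssh session ("not (host <desktop> and port 22)") instead
# of every port 22 packet, so ssh traffic to other hosts is still captured.
# The filter is single-quoted because the remote shell parses this string.
build_capture_cmd() {
    iface=$1
    desktop=${2:-}
    if [ -n "$desktop" ]; then
        filter="not (host $desktop and port 22)"
    else
        filter="not port 22"
    fi
    printf "tcpdump -s 0 -U -n -w - -i %s '%s'" "$iface" "$filter"
}

# Start tcpdump over ssh in the background feeding the pipe, attach wireshark
# to it, and tear the ssh session down when wireshark exits.  ssh -n detaches
# its stdin, which a backgrounded ssh needs; key-based auth is assumed.
run_capture() {
    firewall=$1 iface=$2 pipe=$3 desktop=${4:-}
    ensure_fifo "$pipe" || return 1
    ssh -n "root@$firewall" "$(build_capture_cmd "$iface" "$desktop")" > "$pipe" &
    ssh_pid=$!
    wireshark -k -i "$pipe"
    kill "$ssh_pid" 2>/dev/null
}

# Usage: REMOTE_CAPTURE=1 sh capture.sh <firewall> <iface> [<desktop-ip>]
if [ -n "${REMOTE_CAPTURE:-}" ]; then
    run_capture "$1" "$2" /tmp/pipes/cap_fw "${3:-}"
fi
```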