Remote packet capture using Wireshark & tcpdump


1. First, create a named pipe (FIFO) with the mkfifo command on the PC where you want to view the capture in Wireshark. tcpdump will write to this file and Wireshark will read from it at the same time.

mkfifo /tmp/packet_capture

2. Next, run the following ssh command in your terminal to start tcpdump on the remote PC and stream its output into the FIFO.

ssh hostname_or_ip_of_remote_pc "tcpdump -s 0 -U -n -w - -i eth0 not port 22" \
 > /tmp/packet_capture

3. Finally, run the following command to start Wireshark on your PC; it reads packets from the FIFO ‘/tmp/packet_capture’ as they arrive.

wireshark -k -i /tmp/packet_capture

Once this command is running, all packets from the remote PC’s eth0 interface are shown live in Wireshark.
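The three steps above wrapped in a small POSIX shell script (an added example, not from the original post): it builds the remote tcpdump command, puts the FIFO in a private temporary directory instead of a fixed path in /tmp, warns when the capture filter does not exclude the ssh session’s own port 22 traffic, and removes the FIFO when Wireshark exits. It assumes the remote host accepts ssh, tcpdump is installed there and the login user is allowed to run it (it needs root or CAP_NET_RAW), and Wireshark is installed locally; the function names are the script’s own.

```shell
#!/bin/sh
# Remote capture helper: ssh + tcpdump on the remote side, Wireshark on a FIFO locally.
set -eu

# Build the tcpdump command line that runs on the remote host.
# $1 = interface, $2 = BPF capture filter.
# -s 0: whole packets, -U: flush after each packet (live view needs this),
# -n: no DNS lookups, -w -: write pcap to stdout so ssh carries it back.
remote_capture_cmd() {
    printf 'tcpdump -s 0 -U -n -w - -i %s %s' "$1" "$2"
}

# Returns 0 when the filter excludes ssh (port 22), 1 otherwise. Without such a
# filter the ssh session carrying the capture is itself captured, which feeds
# back into the stream and floods the display.
filter_excludes_ssh() {
    case "$1" in
        *"not port 22"*|*"port not 22"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Create the FIFO inside a fresh directory only the current user can access
# (mktemp -d creates it mode 0700) and print its path.
make_private_fifo() {
    dir=$(mktemp -d)
    mkfifo -m 0600 "$dir/packet_capture"
    printf '%s' "$dir/packet_capture"
}

main() {
    host=$1
    iface=${2:-eth0}
    filter=${3:-"not port 22"}
    filter_excludes_ssh "$filter" || \
        echo "warning: filter does not exclude port 22; the ssh session will appear in the capture" >&2
    fifo=$(make_private_fifo)
    # Remove the FIFO and its directory whenever the script ends.
    trap 'rm -rf "$(dirname "$fifo")"' EXIT
    # Step 2: remote tcpdump writes pcap over ssh into the FIFO (background).
    ssh "$host" "$(remote_capture_cmd "$iface" "$filter")" > "$fifo" &
    # Step 3: Wireshark reads the FIFO and starts capturing immediately (-k).
    wireshark -k -i "$fifo"
}

# Usage: ./remote_capture.sh <host> [interface] [filter]
if [ $# -ge 1 ]; then
    main "$@"
fi
```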
