How to process a tcpdump live data stream from a remote machine in a local Wireshark
Recently we needed to process the results of a tcpdump command using the GUI version of Wireshark on a machine that did not have a window manager installed. That device was an embedded device, for which it did not make sense to even consider installing a window manager. So, in order to process the results of the tcpdump command, we decided to use another machine that had a fully working window manager installed and was able to run the GUI version of Wireshark.
For our solution to work, the following requirements had to be met by the embedded device (a.k.a. remote machine):
- tcpdump was installed on the remote machine
- an ssh server was installed on the remote machine and allowed us to connect to it remotely
- there was a user with remote ssh rights on the remote machine that also had the rights to execute tcpdump on the needed interfaces
Synopsis of our solution:
Just execute the following on the machine with the GUI (a.k.a. local machine):
mkfifo /tmp/board; wireshark -k -i /tmp/board & ssh [email protected] "tcpdump -s 0 -U -n -w - -i lo not port 22" > /tmp/board;
Explanation of our solution:
The following are the steps that we performed on the local machine to pipe the results of tcpdump on the remote machine into Wireshark on the local machine.
- First we created a named pipe as follows:
mkfifo /tmp/board;
You can name your pipe any way you like and place it in any folder you wish. We used /tmp as our pipe is a temporary construct that we do not care to preserve across time/restarts.
- Then we started wireshark from a terminal so that we could pass the named pipe we just created as the capture interface using the -i /tmp/board parameter. The -k parameter instructs wireshark to start the capture session immediately.
wireshark -k -i /tmp/board &
Since this operation was going to execute for a long time, we sent it to the background to release the terminal for further use by placing the & symbol at the end of the command.
- Finally, we started tcpdump over ssh on the board and redirected its output to our named pipe.
ssh [email protected] "tcpdump -s 0 -U -n -w - -i lo not port 22" > /tmp/board;
The parameters we used on tcpdump have the following effects:
-s 0
Instructs tcpdump to set the snapshot length of data from each packet to the default value of 262144 bytes.
-U
Since the -w option is not specified, make the printed packet output packet-buffered, which means that it prints the description of the contents of each packet without waiting for the output buffer to fill up.
-n
Does not convert host addresses to names. This can be used to avoid DNS lookups.
-w -
Write the raw packets to standard output rather than parsing them.
-i lo
Defines which interface to listen on. We wanted the loopback interface, so that we listen to everything on it.
not port 22
Since we used ssh to start this command, we do not want to capture the data that we produce ourselves and flood the input.
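The three steps above, wrapped in a small script with the checks a practitioner would want before each run: a stale pipe from a previous run is replaced, Wireshark must be present, and the pipe is removed again when the ssh session ends. This is an added example, not the post's own command; the user, host, interface and ssh port are placeholders passed on the command line, and the pipe path /tmp/board is the one from the post. One point worth knowing about -U when -w is in use: it makes tcpdump write each packet to its output as soon as it is captured, which is what keeps the pipe flowing in real time instead of in bursts.

```shell
#!/bin/sh
# Added example (not from the original post): the named-pipe capture from the
# post as a script with prerequisite checks and cleanup. USER@HOST, interface
# and ssh port are placeholders supplied by the caller.
set -u

PIPE="/tmp/board"   # named pipe on the local machine, as in the post

# Build the tcpdump command line that is executed on the remote machine.
# $1 = remote capture interface, $2 = ssh port to exclude from the capture.
# -U flushes each captured packet into the -w stream immediately; without it
# tcpdump buffers the output and Wireshark would only see packets in bursts.
build_remote_capture_cmd() {
    printf 'tcpdump -s 0 -U -n -w - -i %s not port %s' "$1" "$2"
}

# Create a fresh named pipe at $1 (a leftover pipe from a previous run is
# removed first). Succeeds only if a FIFO exists at that path afterwards.
create_pipe() {
    [ -e "$1" ] && rm -f "$1"
    mkfifo -m 600 "$1" && [ -p "$1" ]
}

# Remove the pipe when the capture ends. Wireshark is left running so the
# captured packets stay available for analysis.
cleanup() {
    rm -f "$PIPE"
}

# Usage: remote_capture.sh USER@HOST [IFACE] [SSH_PORT]
main() {
    remote="$1"
    iface="${2:-lo}"        # the post captured the loopback interface
    ssh_port="${3:-22}"

    command -v wireshark >/dev/null 2>&1 || {
        echo "wireshark not found on the local machine" >&2; return 1; }
    create_pipe "$PIPE" || { echo "cannot create pipe $PIPE" >&2; return 1; }
    trap cleanup EXIT
    trap 'exit 130' INT TERM

    # Wireshark opens the pipe for reading and starts capturing (-k) at once.
    wireshark -k -i "$PIPE" &

    # tcpdump on the remote side writes raw pcap to stdout, ssh carries it over
    # the connection, and the shell redirects it into the pipe. Excluding the
    # ssh port keeps the capture traffic itself out of the capture.
    ssh -p "$ssh_port" "$remote" \
        "$(build_remote_capture_cmd "$iface" "$ssh_port")" > "$PIPE"
}

# Only start a capture when arguments are given; with none, the functions can
# be sourced and reused (for instance by a test harness).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it as `./remote_capture.sh root@board lo 22` (placeholder user and host); stopping it with Ctrl-C closes the ssh session, tcpdump ends, the pipe is removed, and the Wireshark window keeps the packets it received.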