Remote packet capture using Wireshark & tcpdump

1. The first step is to create a named pipe (FIFO) with the mkfifo command, at the path where you want Wireshark to read the capture from. tcpdump's output will be written into this file while Wireshark reads from it at the same time. Since the captured traffic passes through this file, create it with permissions only your own user can read (mkfifo takes a mode argument), not world-readable in /tmp.

mkfifo /tmp/packet_capture

2. Second, run the following ssh command in your terminal to start tcpdump on the remote PC. It captures on eth0 with full snapshot length (-s 0), flushes each packet as soon as it is captured (-U) and writes raw pcap data to stdout (-w -), which ssh carries back and the shell redirects into the FIFO. The filter "not port 22" excludes the SSH session itself; without it the capture would record its own transport and feed back on itself. tcpdump needs raw-socket privileges, so the remote user must be root or otherwise permitted to capture. Note that opening a FIFO for writing blocks until something opens it for reading, so run this command in a separate terminal or in the background (append &), then go on to step 3.

ssh hostname_or_ip_of_remote_pc "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/packet_capture

3. Third and last step: run the following command to start Wireshark on your PC. The -i option points it at the FIFO '/tmp/packet_capture' as if it were a capture interface, and -k starts capturing immediately.

wireshark -k -i /tmp/packet_capture

Once Wireshark opens the pipe, the ssh command from step 2 unblocks and every packet seen on the remote PC's eth0 (other than the SSH traffic filtered out above) appears live in Wireshark.
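The three steps above wrapped into one bash script, as an added example that is not part of the original post. It builds the same tcpdump command as the post (the remote user is assumed to be allowed to run tcpdump without a password prompt), creates the FIFO with restrictive permissions, backgrounds the ssh writer so the FIFO open does not block, and cleans up when Wireshark exits. The hypothetical function names, the fifo_roundtrip helper and the "hello" sample string are my own; fifo_roundtrip only demonstrates the pipe semantics locally, with a plain printf standing in for ssh, so that part can be run without a remote host.

```shell
#!/usr/bin/env bash
# Added example: remote tcpdump -> ssh -> FIFO -> Wireshark, with the
# ordering pitfall (FIFO open blocks until both ends are open) handled.
set -euo pipefail

# Build the remote tcpdump command line. The SSH port is excluded so the
# capture does not record the session that carries it (a feedback loop).
# Usage: build_remote_cmd IFACE [SSH_PORT] [EXTRA_BPF_FILTER]
build_remote_cmd() {
    local iface="$1" ssh_port="${2:-22}" extra_filter="${3:-}"
    local filter="not port ${ssh_port}"
    if [ -n "$extra_filter" ]; then
        filter="${filter} and (${extra_filter})"
    fi
    printf 'tcpdump -s 0 -U -n -w - -i %s %s' "$iface" "$filter"
}

# Create the FIFO, owner-only (captured traffic flows through it), and
# refuse to write into a regular file that happens to have the same name.
ensure_fifo() {
    local path="$1"
    if [ -e "$path" ] && [ ! -p "$path" ]; then
        echo "refusing: $path exists and is not a FIFO" >&2
        return 1
    fi
    if [ ! -p "$path" ]; then
        mkfifo -m 600 "$path"
    fi
}

# Run the capture: tcpdump on HOST, Wireshark locally.
# Usage: remote_capture HOST [IFACE] [FIFO_PATH]
remote_capture() {
    local host="$1" iface="${2:-eth0}" fifo="${3:-/tmp/packet_capture}"
    ensure_fifo "$fifo"
    # The writer goes to the background: its open() of the FIFO blocks until
    # Wireshark opens the read end, so running it in the foreground here
    # would never reach the wireshark line below.
    ssh "$host" "$(build_remote_cmd "$iface")" > "$fifo" &
    local ssh_pid=$!
    wireshark -k -i "$fifo"
    # Wireshark has exited: stop the remote tcpdump and remove the pipe.
    kill "$ssh_pid" 2>/dev/null || true
    rm -f "$fifo"
}

# Offline demonstration of the same pipe mechanics with a local writer
# instead of ssh: background writer, foreground reader, then wait.
# Returns the bytes that travelled through the FIFO.
fifo_roundtrip() {
    local fifo
    fifo="$(mktemp -u)"
    ensure_fifo "$fifo"
    printf 'hello' > "$fifo" &          # constructed sample data
    local out
    out="$(cat "$fifo")"                # unblocks the writer, reads to EOF
    wait
    rm -f "$fifo"
    printf '%s' "$out"
}
```

Call remote_capture with the remote host name to reproduce the post's procedure; the extra filter argument of build_remote_cmd lets you narrow the capture (for example to one host) while still keeping the SSH exclusion in place.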
