Using SSH, Wireshark and tshark to remotely analyze packets…

At home I use ClearOS (free) as my firewall/gateway. The one thing that ClearOS lacks is a graphical packet analyzer. However, the combined use of SSH, Wireshark and tshark solves this problem perfectly.

Our first step is to set up a passwordless SSH environment on our local host. To do this, we just need to follow three simple steps:

1. Create the public and private keys on our local host

$ ssh-keygen

2. Copy the public key to the remote host

$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host-ip

3. Login to the remote host without a password to verify it worked

$ ssh root@remote-host-ip

Now that we have a passwordless SSH environment and are logged in, we can move on to installing tshark on our remote host. On ClearOS, we have to do this by installing the ‘wireshark’ package:

$ yum install wireshark

Next we need to install Wireshark on our local host (I use Ubuntu):

$ sudo apt-get install wireshark

Great! Now it’s time to log in to our remote host using SSH, issue a command to start tshark and write the captured packets to stdout, which is then piped into Wireshark on our local host. The capture filter excludes port 22 so that the SSH session carrying the capture is not itself captured (otherwise every captured packet would generate more SSH traffic to capture). Don’t worry. Thanks to our above preparations, we can do this all in one easy command:

$ ssh root@remote-host-ip 'tshark -f "port !22" -i any -w -' | wireshark -k -i -

That’s it! After issuing this command, you should be looking at the traffic of the remote host.
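The setup and the one-liner above, wrapped into a small POSIX shell script as an added example (not code from the original post). It generalises the page's `port !22` filter: the SSH port is always excluded from the capture, even when sshd listens on a non-standard port, and an optional extra BPF filter is ANDed in. The host, interface and port are assumed arguments; `BatchMode=yes` makes ssh fail instead of prompting, so a broken key setup surfaces as an error rather than a hang behind the pipe.

```shell
#!/bin/sh
# Added example: remote tshark capture piped into local Wireshark.
# The capture filter must exclude the SSH port that carries the capture,
# otherwise the capture feeds back on itself (every captured packet produces
# more SSH traffic, which is captured, which produces more SSH traffic...).

# build_capture_filter SSH_PORT [EXTRA_BPF]
# Prints a BPF capture filter that excludes the SSH management port and,
# if given, ANDs in the caller's own filter expression.
build_capture_filter() {
    ssh_port="$1"
    extra="$2"
    filter="not port ${ssh_port}"
    if [ -n "$extra" ]; then
        filter="${filter} and (${extra})"
    fi
    printf '%s' "$filter"
}

# remote_capture HOST [IFACE] [SSH_PORT] [EXTRA_BPF]
# Runs tshark on HOST (key-based login assumed, as set up in the post),
# streams pcap data over the SSH session and opens it live in Wireshark.
# Example: remote_capture root@remote-host-ip any 22 'host 192.0.2.10'
remote_capture() {
    host="$1"
    iface="${2:-any}"
    ssh_port="${3:-22}"
    extra="$4"
    filter=$(build_capture_filter "$ssh_port" "$extra")

    # Preflight: the local side needs Wireshark to consume the stream.
    if ! command -v wireshark >/dev/null 2>&1; then
        echo "wireshark is not installed on the local host" >&2
        return 1
    fi

    # BatchMode=yes: never fall back to a password prompt behind the pipe.
    ssh -o BatchMode=yes -p "$ssh_port" "$host" \
        "tshark -i $iface -f \"$filter\" -w -" | wireshark -k -i -
}
```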

For a list of other one-liner commands that accomplish the same as the above, please visit http://www.commandlinefu.com/commands/view/4373/analyze-traffic-remotely-over-ssh-w-wireshark
