I frequently find myself in the situation of having to capture a network trace
on a remote machine to analyze traffic. Running tcpdump or tshark alone
feels limiting, as you cannot filter interactively or see packet details (or
at least I don’t know how). Opening an X connection is either not possible or
not feasible, e.g., because of a slow network.
To work around these limitations, this is what I use:
ssh HOST "tcpdump -s0 -U -n -iany -w - 'FILTER'" | wireshark -k -i -
where you have to replace HOST with the IP address or hostname, and add a
capture filter FILTER (at least not port 22, so that the SSH session carrying
the capture is not itself captured and fed back into the trace).
Additional options are:
-s0: the default packet snapshot length (can probably be omitted) to not truncate packets
-U: write to stdout “packet-buffered” (print each packet immediately)
-n: do not convert addresses to names
-iany: any interface (could be used to limit to an interface)
-w -: write to stdout
Wireshark receives it through stdin (-i -), starting the capture immediately
(-k).
You could use a named pipe to persist the pipe and restart SSH, but I like to stop everything with ^C and start all over.
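As an added example (not from the post), here is a small POSIX sh wrapper around the pipeline above. It always prepends the exclusion of the SSH port (taking a non-default port via -p) and parenthesizes the user's filter so that an "or" in it cannot swallow the "not port" clause; the script name rcap.sh and its argument layout are my own assumptions.

```sh
#!/bin/sh
# rcap.sh (hypothetical wrapper, not the post's own code):
# usage: rcap.sh [-p SSHPORT] HOST [FILTER]
set -eu

# Build the tcpdump capture filter. The SSH session's own port is always
# excluded so the capture does not feed back on itself; the user filter is
# wrapped in parentheses so "a or b" is not parsed as "not port 22 and a or b".
build_filter() {
    ssh_port=$1
    user_filter=${2:-}
    if [ -z "$user_filter" ]; then
        printf 'not port %s' "$ssh_port"
    else
        printf 'not port %s and (%s)' "$ssh_port" "$user_filter"
    fi
}

# Assemble the command run on the remote host, with the same tcpdump flags as
# in the post (-s0 -U -n -i any -w -). The filter is single-quoted for the
# remote shell, so it must not itself contain single quotes.
remote_command() {
    printf "tcpdump -s0 -U -n -i any -w - '%s'" "$1"
}

main() {
    ssh_port=22
    if [ "${1:-}" = "-p" ]; then
        ssh_port=$2
        shift 2
    fi
    host=$1
    filter=$(build_filter "$ssh_port" "${2:-}")
    # Wireshark reads the pcap stream from stdin (-i -) and starts at once (-k).
    ssh -p "$ssh_port" "$host" "$(remote_command "$filter")" | wireshark -k -i -
}

# Only start a capture when a host argument is given (so the functions above
# can also be sourced and used on their own).
case "${1:-}" in
    "") ;;
    *) main "$@" ;;
esac
```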
Sometimes tcpdump cannot be run on the remote host (note that I don’t use
sudo above). In these cases I use these steps
to make it run without sudo. Be aware that this might not necessarily be the
correct way (because I don’t know for sure). Below are the full steps, so I can
copy them in the future:
# Restrict tcpdump to members of a dedicated group, then grant the binary
# (rather than the user) the capabilities it needs for raw packet capture.
sudo groupadd pcap
sudo usermod -a -G pcap $USER      # group membership takes effect on next login
sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump   # only root and group pcap may execute it
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump