Wireshark and Tshark
There are several ways to attach Wireshark to a Linux host in order to observe live traffic. The approach below uses a named pipe into which tcpdump, running on the remote host, writes its capture over ssh.
Prerequisites: allow root SSH logins on Ubuntu
Edit /etc/ssh/sshd_config so that root can log in over ssh with a password. As shown below, comment out the PermitRootLogin without-password line and add PermitRootLogin yes, then restart sshd.
# Authentication:
LoginGraceTime 120
#PermitRootLogin without-password
PermitRootLogin yes
Create a named pipe on system A, the host where Wireshark is installed
sudo mkfifo /tmp/remote
Start Wireshark on system A reading from the pipe (-k starts capturing immediately, -i names the pipe as the interface)
sudo wireshark -k -i /tmp/remote
From system A, connect to system B (the remote node) as root over ssh, run tcpdump there writing raw pcap to stdout, and redirect that stream into the named pipe. The capture filter "not port 22" keeps the ssh session carrying the capture itself out of the trace.
ssh root@monitor-this-host.com "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote
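The three steps above wrapped in a small POSIX shell script, as an added example that is not part of the original page. The hostname, interface and ssh port are placeholders; the filter helper generalises the page's "not port 22" to whatever port the ssh session actually uses, since capturing that port feeds every captured packet back into the capture.

```shell
#!/bin/sh
# Added example (not from the original page): remote capture through a named pipe.
# Hostname, interface and ssh port are placeholders / assumptions.

# Create the named pipe if it does not exist; refuse to reuse a regular file,
# because redirecting tcpdump into a plain file would silently skip Wireshark.
ensure_fifo() {
    fifo="$1"
    if [ -e "$fifo" ] && [ ! -p "$fifo" ]; then
        echo "error: $fifo exists and is not a named pipe" >&2
        return 1
    fi
    [ -p "$fifo" ] || mkfifo "$fifo"
}

# Build the remote tcpdump command. The filter excludes the ssh port that carries
# the capture stream itself; otherwise each captured packet produces more ssh
# traffic, which is captured in turn and floods Wireshark (a feedback loop).
remote_capture_cmd() {
    iface="$1"; ssh_port="$2"; extra_filter="$3"
    filter="not tcp port $ssh_port"
    [ -n "$extra_filter" ] && filter="$filter and ($extra_filter)"
    echo "tcpdump -s 0 -U -n -w - -i $iface '$filter'"
}

# Run the capture: Wireshark reads the pipe on this host (system A) while tcpdump
# on the remote host (system B) writes pcap into it over ssh. Reading a fifo needs
# no privileges here; only the remote tcpdump runs as root. The trap stops
# Wireshark and removes the pipe when ssh exits or the script is interrupted.
start_capture() {
    host="$1"; iface="$2"; fifo="${3:-/tmp/remote}"; ssh_port="${4:-22}"; extra="$5"
    ensure_fifo "$fifo" || return 1
    wireshark -k -i "$fifo" &
    wspid=$!
    trap 'kill "$wspid" 2>/dev/null; rm -f "$fifo"' EXIT INT TERM
    ssh -p "$ssh_port" "root@$host" \
        "$(remote_capture_cmd "$iface" "$ssh_port" "$extra")" > "$fifo"
}

# Usage (placeholder host): start_capture monitor-this-host.example eth0 /tmp/remote 22 "port 53"
```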