2022-11-12

Live Remote Packet Analysis

WireShark and TcpDump over SSH

Quick and dirty bash script that starts tcpdump on a remote host and shovels the captured packets back to WireShark over SSH.

Note: Don't do this over links that are already saturated, and ESPECIALLY not on networks running deterministic and/or real time systems/processes.
How to use

The script is rather simple but takes up to 5 inputs:

./WoS.sh RemoteHost RemoteInterface RemotePort RemoteUser RemoteKey

Only the first is required. All five are:

RemoteHost: The host you want to capture packets on.

RemoteInterface: The interface on the remote host on which you want to capture packets. Uses "any" if not specified.

RemotePort: The SSH port. Uses Port 22 if not specified.

RemoteUser: The user that runs tcpdump on RemoteHost.

RemoteKey: The SSH key needed to access RemoteHost.

Prerequisites

You'll need the following on these systems, respectively:
Remote Host: tcpdump
Install with sudo apt -y install tcpdump, sudo yum install tcpdump, sudo pacman -S tcpdump, or whatever works on your distro.

Your System: WireShark (and SSH).
See above, however replace tcpdump with wireshark.
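As an added example (not the author's WoS.sh, which lives on GitHub), here is a minimal POSIX reimplementation of the same idea with the argument order and defaults described above. It assumes RemoteUser can run tcpdump via sudo without a password prompt, and it filters out the SSH session that carries the capture so the capture does not feed on itself.

```shell
#!/bin/sh
# Added example: minimal reimplementation of the WoS.sh idea (not the author's script).
# Argument order follows the post: RemoteHost RemoteInterface RemotePort RemoteUser RemoteKey.

# build_capture_cmd prints the ssh/tcpdump command line so it can be reviewed before it runs.
build_capture_cmd() {
    host=$1
    iface=${2:-any}        # post: "any" when not specified
    port=${3:-22}          # post: port 22 when not specified
    user=${4:-$USER}       # assumption: the current local user when none is given
    key=$5                 # optional identity file (paths with spaces are not quoted)

    keyopt=""
    [ -n "$key" ] && keyopt=" -i $key"

    # tcpdump -U flushes each packet so WireShark updates live; -w - writes pcap to stdout.
    # 'not port N' drops the SSH session that carries the capture itself; without it every
    # captured packet generates more SSH traffic, which is captured in turn (a feedback loop).
    printf 'ssh -p %s%s %s@%s "sudo tcpdump -i %s -U -w - not port %s"' \
        "$port" "$keyopt" "$user" "$host" "$iface" "$port"
}

# run_capture pipes the remote pcap stream into a local WireShark
# (-k: start capturing immediately, -i -: read the capture from stdin).
run_capture() {
    if [ -z "$1" ]; then
        echo "usage: $0 RemoteHost [RemoteInterface] [RemotePort] [RemoteUser] [RemoteKey]" >&2
        return 1
    fi
    cmd=$(build_capture_cmd "$@")
    echo "running: $cmd" >&2
    eval "$cmd" | wireshark -k -i -
}

# Start a capture only when arguments were given on the command line.
if [ "$#" -gt 0 ]; then
    run_capture "$@"
fi
```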

BASH Script on GitHub
