Filed Under (Bash, Linux, Tips & tricks) by 2of1 on 24-04-2014
A neat trick I picked up somewhere on the Internet (sorry for not referencing, I simply don’t remember which site I stole it from).
In embedded work, one often has headless access to a target device from which one wants to sniff network packets. As Wireshark is so nice to use – and everything else is not – I’ve been using tcpdump on the target to dump traffic into a pcap file and then transferring it and dissecting it offline. Turns out this is just plain dumb and that one can simply have tcpdump pipe the captured packets live to a remote Wireshark session.
All we have to do is create a FIFO file, run tcpdump remotely and have it output raw data to stdout, write stdout to the FIFO and have Wireshark pull from the FIFO:
```bash
#!/bin/bash
# usage: ./sniff_remote.sh <target ip> <ssh passwd>
# Create the FIFO only if it is not already there (mkfifo fails otherwise).
[ -p /tmp/pipe ] || mkfifo /tmp/pipe
# Run tcpdump on the target and write the raw pcap stream (-w -) to stdout,
# flushing every packet (-U) and keeping full packets (-s 0). Port 22 is
# excluded so the ssh session carrying the capture is not captured itself.
# Note: sshpass puts the password on the command line, visible in ps output.
sshpass -p "$2" ssh "root@$1" "tcpdump -nn -U -s 0 -w - not port 22" > /tmp/pipe &
# Wireshark reads the pcap stream from the FIFO and starts immediately (-k).
wireshark -k -i /tmp/pipe
```
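A more robust variant of the same idea, added here as an example and not the post's own script: it assumes key-based ssh login already works (so no sshpass and no password on the command line), keeps the FIFO in a private temporary directory that is removed on exit, and always excludes the ssh port from the capture filter so the capture stream is not fed back into itself. Function names, the interface and port arguments, and the target address are my own choices.

```bash
#!/bin/bash
# Added example (not from the post): remote tcpdump -> ssh -> FIFO -> Wireshark.
set -eu

# Build the remote tcpdump command line. The ssh session that carries the
# capture back to us is always filtered out; otherwise each packet tcpdump
# emits over ssh is captured again and the stream grows without bound.
# -U flushes each packet immediately so Wireshark updates live, -s 0 keeps
# whole packets, -w - writes the pcap stream to stdout. The filter is
# single-quoted so the remote shell passes it to tcpdump as one argument.
build_capture_cmd() {
    local iface=$1 ssh_port=$2 user_filter=$3 filter
    filter="not tcp port $ssh_port"
    if [ -n "$user_filter" ]; then
        filter="($user_filter) and $filter"
    fi
    printf "tcpdump -nn -U -s 0 -i %s -w - '%s'" "$iface" "$filter"
}

# Start the capture: target is user@host, iface the remote interface,
# ssh_port the port of the ssh service (default 22), user_filter an optional
# extra tcpdump filter such as 'host 10.0.0.5'.
remote_capture() {
    local target=$1 iface=$2 ssh_port=${3:-22} user_filter=${4:-} tmpdir fifo cmd
    tmpdir=$(mktemp -d)
    fifo="$tmpdir/capture.pipe"
    mkfifo -m 600 "$fifo"
    trap 'rm -rf "$tmpdir"' EXIT
    cmd=$(build_capture_cmd "$iface" "$ssh_port" "$user_filter")
    # -T: no remote tty, so nothing but the pcap stream reaches the FIFO.
    ssh -p "$ssh_port" -T "$target" "$cmd" > "$fifo" &
    wireshark -k -i "$fifo"
}
```

Call it from the script as, for example, `remote_capture root@192.0.2.10 eth0` (the address is a placeholder). Wireshark also accepts `-i -` to read the pcap stream from standard input, so `ssh -T target "$cmd" | wireshark -k -i -` works without any FIFO at all.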