I was looking for a reliable way to use Wireshark to monitor (sniff) traffic on several of my remote servers. Sure, there was using tcpdump and then transferring the captures over and bringing them into Wireshark. Not exactly real-time or time-saving.
I found some references but not many, and most did not cover the issue of sending pcaps back across insecure connections. You can’t trust Uncle Sam (or anyone else for that matter) to not peek at your traffic as it passes through peering points. Eat it, Mr. Fed. Encryption rocks.
I solved this issue with some port forwarding and netcat. SSH is incredibly resilient to connectivity interruptions and secure.
You’re going to need to have the following packages installed on both the server and your local workstation. Use apt-get, yum, aptitude, whatever your distribution warrants.
- netcat (http://netcat.sourceforge.net/)
- ssh (http://www.openssh.com/)
Wireshark is only needed on your local workstation:
- Wireshark (http://www.wireshark.org/)
We have two machines: the remote host, which we’ll call REMOTE, and your local workstation, which will be LOCAL.
At your LOCAL machine, use the following command to set up the necessary ports:
ssh -R 127.0.0.1:3000:127.0.0.1:3000 $REMOTE
Basically, we’re telling ssh to forward port 3000 on localhost on REMOTE to LOCAL at port 3000. You can choose any combination of ports you desire. Check the ssh man page for more information and a better explanation.
Open a new terminal window on LOCAL and enter the following:
nc -l 127.0.0.1 3000 | wireshark -k -i -
So what we’ve done here is create a listening socket on LOCAL’s localhost on port 3000 and pipe its output to Wireshark, which we have told to begin capturing immediately (-k) and to read its input from STDIN (-i -). You should see Wireshark start up and present a message along the lines of “Waiting for capture to begin…” or something. This is good.
Now we can wander back to REMOTE and issue the following command:
sudo /usr/sbin/tcpdump -i eth0 -w - not host $YOUR_IP | nc 127.0.0.1 3000
Finally, we fire up tcpdump, instructing it to listen for traffic on eth0, to write its output to STDOUT (-w -) and to ignore packets that are to or from $YOUR_IP (that exclusion matters: the SSH session carrying the capture back to LOCAL is itself traffic on eth0, and without it every packet you forward would generate more packets to capture and forward). We pipe that into netcat (nc) on localhost on port 3000.
At this point, Wireshark should begin to show signs of life. If you didn’t do so hot then you should double check the commands and try again.
So in a nutshell, we’re using SSH to reverse port forward a port from the remote machine to your local machine, then starting a listening socket using netcat and piping its output to Wireshark. Back on the remote machine, tcpdump is started and its output piped to netcat to send over our SSH connection. How cool is that?
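The whole procedure above, wrapped into one script as an added example (not code from the original post). It assumes OpenSSH, an OpenBSD-style nc that accepts `nc -l HOST PORT` as the post does, and tcpdump on REMOTE; the function names build_filter and check_prereqs are ours, and the filter is narrowed from “not host $YOUR_IP” to just the SSH session so other traffic between the two hosts is still captured.

```shell
#!/bin/sh
# remote-sniff.sh: added example, not from the original post. Wraps the steps
# above in one script. Assumes OpenSSH, an OpenBSD-style nc (nc -l HOST PORT,
# as in the post) and tcpdump on REMOTE; build_filter/check_prereqs are ours.
set -eu

PORT=3000   # loopback port used at both ends of the reverse forward

# BPF filter for the remote tcpdump. The capture must exclude the SSH session
# that carries it home: otherwise each forwarded packet generates more SSH
# traffic, which is captured and forwarded again, and the tunnel fills with
# its own echo. The post drops everything to/from $YOUR_IP; this narrows it to
# the SSH session itself so other traffic between the two hosts is still seen.
build_filter() {
    # $1 = LOCAL's public IP, $2 = SSH port on REMOTE, $3 = optional extra filter
    _f="not (host $1 and tcp port ${2:-22})"
    if [ -n "${3:-}" ]; then
        _f="$_f and ($3)"
    fi
    printf '%s' "$_f"
}

# Fail early if a tool named on the command line is not installed locally.
check_prereqs() {
    for _tool in "$@"; do
        command -v "$_tool" >/dev/null 2>&1 || { echo "missing: $_tool" >&2; return 1; }
    done
}

# One ssh session carries both the reverse forward and the remote tcpdump.
main() {
    remote=$1; local_ip=$2; iface=${3:-eth0}; extra=${4:-}
    check_prereqs ssh nc wireshark
    filter=$(build_filter "$local_ip" 22 "$extra")
    # Local end: listener feeding Wireshark (-k start now, -i - read stdin).
    nc -l 127.0.0.1 "$PORT" | wireshark -k -i - &
    listener=$!
    trap 'kill $listener 2>/dev/null' EXIT INT TERM
    sleep 1
    # Remote end: -R makes REMOTE:3000 reach LOCAL:3000; ExitOnForwardFailure
    # aborts if that port is already taken on REMOTE; tcpdump -U flushes each
    # packet so Wireshark updates live instead of waiting for a full buffer.
    ssh -o ExitOnForwardFailure=yes -R "127.0.0.1:$PORT:127.0.0.1:$PORT" "$remote" \
        "sudo tcpdump -U -n -i '$iface' -w - '$filter' | nc 127.0.0.1 $PORT"
}

# Usage: ./remote-sniff.sh user@remote LOCAL_PUBLIC_IP [iface] [extra BPF filter]
if [ $# -ge 2 ]; then main "$@"; fi
```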
One point I forgot to mention: remember that you will effectively be doubling your traffic for as long as you’re running tcpdump, as you are sending a copy of EVERY packet across the SSH tunnel to Wireshark. Well, really only the packets that meet your filter criteria, but I’m sure you get the point.