Home / server / Questions / 1067059
In Process
BANJOSA
Asked: 2021-06-18 13:10:50 +0800 CST

Piping SSH to wireshark on windows

  • 772

In my day-to-day operations, I frequently need to execute tcpdump's on remote servers, and it's a pain to save the output to a file and then have to move the file to my laptop to analyze it on wireshark.

I was exploring the command below, and it works fine in linux

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | wireshark -k -i -

But, unfortunately, my work laptop that is provided by my company has windows on it, and they don't allow me to change to another OS. Given this restriction, I was trying to achieve the same result, but in windows...

If i execute the following command in windows in a powershell

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

I get this error

    At line:1 char:87
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                                                                   ~~
Unexpected token '-k' in expression or statement.
At line:1 char:44
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Expressions are only allowed as the first element of a pipeline.
At line:1 char:90
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                                                                      ~~
Unexpected token '-i' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

If I execute the wireshark command without the ssh part I get the same error, but if I execute it like this

& 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

It opens wireshark and waits for data input. With this in mind I tried to change the command to

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | & 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

This way the ssh command gets executed and the tcpdump starts in the remote host, the wireshark never starts. What am I doing wrong? Why is the piped command that is most similar to the one in linux doesnt work in windows, is piping different?

powershell ssh tcpdump wireshark

1 Answers

  1. As mentioned by @Jasen in the comments, I attempted the command without using PowerShell but instead using Git Bash on Windows 10.

    #!/bin/bash
server=<remote-host>
iface="ens6"
ssh $server "tcpdump -s 0 -U -n -w - -i $iface not port 22" | wireshark -k -i -

    This script assumes you have GitBash and wireshark installed on your Windows machine, as well as the server and host communicating via public key authentication. Make sure you have root privileges when using tcpdump. Port 22 is explicitly ignored so ssh traffic is not visible during the packet sniffing session.

    • 0