I can sniff the traffic of my local pc but I would like to know how to I sniff the traffic of a remote machine by wireshark?
When in capture option I select remote interface and enter my remote ip show me error.code(10061). What should I do?
I can sniff the traffic of my local pc but I would like to know how to I sniff the traffic of a remote machine by wireshark?
When in capture option I select remote interface and enter my remote ip show me error.code(10061). What should I do?
On Linux and OSX you can achieve this by running tcpdump over ssh and having wireshark listen on the pipe.
Create a named pipe:
$ mkfifo /tmp/remote
Start wireshark from the command line
$ wireshark -k -i /tmp/remote
Run tcpdump over ssh on your remote machine and redirect the packets to the named pipe:
$ ssh root@firewall "tcpdump -s 0 -U -n -w - -i eth0 not port 22" > /tmp/remote
Source: http://blog.nielshorn.net/2010/02/using-wireshark-with-remote-capturing/
I use this oneliner as root. Is very useful!
ssh root@sniff_server_ip -p port tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -
The last
-
before de|
is the redirection of that output and is used to standard input by wireshark. The-k
option in wireshark means "start inmidiately sniffingOne approach is to use what's called a mirror or span port on your switch. If your switch isn't inteligent enough you can also put a small hub inbetween the switch/host-to-capture connection. You connect a physical link from your listening host to that port/hub and then you can see all the traffic crossing the device. Alternatively, you'll need to install your packet capture software in a more strategic location in your network like a border firewall/router.
You can use a file descriptor to connect to and receive the packets by
ssh
and pipe it to wireshark locally:wireshark -i <(ssh root@firewall tcpdump -s 0 -U -n -w - -i eth0 not port 22)
You wireshark will open and show you the "Interface" like
/dev/fd/63
, which is the file descriptor containing data from the remote system.Under RHEL, konrad's answer didn't work for me because
tcpdump
requires root, and I only have sudo access. What did work was to create an extra remote fifo that I can read from:and send the data by a separate connection:
and finally start Wireshark
see info on setting up the remote computer, to allow your local machine to connect and capture
http://wiki.wireshark.org/CaptureSetup/WinPcapRemote
In addition to previous answers, version with netcat
nc
might be useful as well:Remote host:
mkfifo /tmp/mypcap.fifo
tcpdump -i em0 -s 0 -U -w - > /tmp/mypcap.fifo
nc -l 10000 < /tmp/mypcap.fifo
Local host:
wireshark -ki <(nc 192.168.1.1 10000)
Note about this method: It makes unsecure port open to all interfaces, so make sure to filter incoming connections with firewall rules.
You can only sniff traffic that makes it to you. So Joe A going to Joe B never comes near your PC, so you can't see it.
Only way is for you to get to the traffic or get the traffic to you. To get to the traffic requires a connection to a router or good switch or hub somewhere in the middle of their connection. To get the traffic to you, you'll need to ARP poison some of the switches so they think your them.