SSH Capture

Capture from a remote machine
1 min |  Ross Jacobs |  April 4, 2019

Table of Contents

Getting a live capture over an ssh connection is a solved problem on all platforms. ssh works for this purpose on Linux, Macos, and WSL on Windows while Plink works for Windows PuTTY users. Briefly, I’ll go over what that looks like for ssh.

You can check that your ssh-key is loaded with ssh-add -L.

Initially, let’s set up variables for cleaner code. Replace each variable in <> with a value that works for you.

ssh_opts="<user>@<server> -p <port>"
remote_cmd="sudo /usr/sbin/tcpdump -s0 -n -w - not port <port>"
read_cmd="wireshark -k -i" -OR- "tshark -i"

We then have the option of piping directly:

ssh $ssh_opts $remote_cmd | $read_cmd -

Or using a named pipe:

mkfifo /tmp/capfifo
ssh $ssh_options $ssh_command > /tmp/capinfo &
$read_cmd /tmp/capfifo