🦈wireshark remote capture

it is possible to do a live packet capure on a remote linux machine and process it live in wireshark on a windows machine.

you need to have wireshark and plink (comes with putty) installed.

To get a remote packet capture from a linux computer to a windows machine running wireshark:

plink user@host -batch -P 222 "sudo tshark -i eth1 -w - " | "c:\Program Files\Wireshark\Wireshark.exe" -k -i -

• plink: windows executable that create’s an ssh link
• user@host: ssh user and host
• -batch: no questions asked
• -P: used port
• sudo tshark -i eth1 -w - : with sudo execute tshark on the remote server, listening on interface eth0 and -w write the output to stdout
• pipe the output of the remote ssh command to wireshark
• -i -: use stdin as input for wireshark

• network
• wireshark
• linux
• windows
• ssh