networking/wireshark
About
The world's leading network protocol analyzer
Installation
Install wireshark
apt install wireshark
Use
Live captures
Live read and follow an externally generated pcap file
Some hints:
- ssh pseudo-terminal (pty) allocation (-t) corrupts the byte stream in the pipe: the pcap magic number arrives wrong and wireshark no longer recognizes the pcap format.
Because no tty is available, sudo cannot prompt for a password, so the root account or a sudo NOPASSWD account is necessary.
- Select the correct capture interface on the remote host.
Check tcpdump -D for the list of available interfaces.
- Specify a filter that excludes the ssh session carrying the capture; otherwise the capture traffic is captured again and the unwanted traffic on the line multiplies.
- The tcpdump output is buffered, so it may take some time to show up in wireshark.
Remote live capture with tcpdump and visualize it on local wireshark
### MINIMAL
ssh target-fqdn -- \
"sudo -- tcpdump -s 0 -i any -w - 'your filter'" \
| wireshark -k -i -

### LONG with window headers
TARGET="target-fqdn"
FILTER="your filter"
ssh "$TARGET" -- \
"sudo -- tcpdump -s 0 -i any -w - '$FILTER'" \
| wireshark -k -i - \
--capture-comment "$TARGET '$FILTER'" \
-o "gui.window_title:$TARGET '$FILTER'"
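Two helpers for the hints above, added here as an example and not part of the original page: pcap_magic_ok checks whether a saved stream starts with a valid pcap or pcapng magic number (the symptom of the pty problem), and build_filter wraps a user filter so that the ssh session between the local machine and the capture host is excluded. The function names, the LOCAL_IP argument and the default ssh port 22 are assumptions of this example; the pcap magic values are the standard ones.

```shell
#!/bin/sh
# Added example, not part of the original page. Helpers for the
# "ssh ... tcpdump -w - | wireshark -k -i -" pipeline.

# pcap_magic_ok FILE
# Return 0 when the first four bytes of FILE are a known pcap/pcapng magic.
# A stream mangled by a pty (ssh -t) fails this check, which is the
# "wrong magic code" symptom described in the hints.
pcap_magic_ok() {
    file="$1"
    # od -A n: no offsets, -t x1: one-byte hex, -N 4: first four bytes only
    magic=$(od -A n -t x1 -N 4 "$file" | tr -d ' \n')
    case "$magic" in
        a1b2c3d4|d4c3b2a1) return 0 ;;  # classic pcap, microsecond timestamps
        a1b23c4d|4d3cb2a1) return 0 ;;  # classic pcap, nanosecond timestamps
        0a0d0d0a)          return 0 ;;  # pcapng section header block
        *)                 return 1 ;;
    esac
}

# build_filter USER_FILTER LOCAL_IP [SSH_PORT]
# Print a BPF filter that ANDs USER_FILTER with an exclusion of the ssh
# session from LOCAL_IP to the capture host (default port 22), so the
# capture does not capture its own transport. Assumed helper, not a
# tcpdump feature.
build_filter() {
    user_filter="$1"
    local_ip="$2"
    ssh_port="${3:-22}"
    exclude="not (host $local_ip and tcp port $ssh_port)"
    if [ -n "$user_filter" ]; then
        printf '(%s) and %s\n' "$user_filter" "$exclude"
    else
        printf '%s\n' "$exclude"
    fi
}

# remote_capture TARGET USER_FILTER LOCAL_IP
# Same pipeline as the page's MINIMAL form, with the filter wrapped by
# build_filter. Not called here; run it interactively on a host where
# wireshark is installed.
remote_capture() {
    target="$1"
    filter=$(build_filter "$2" "$3")
    ssh "$target" -- \
        "sudo -- tcpdump -s 0 -i any -w - '$filter'" \
        | wireshark -k -i -
}
```

To check a stream without disturbing the live pipe, save the first packets to a file first (for example with tcpdump -w and a packet count) and run pcap_magic_ok on that file; reading the magic straight from the pipe would consume the bytes wireshark needs.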