Wireshark is one of the most commonly used tools for network packet capturing and analysis, and much of its appeal lies in its GUI.
On the other hand, it is mostly headless Linux systems that are used for network management (e.g. routers).
While tools like tcpdump, tcpflow etc. on Linux systems provide a satisfactory way of analyzing network traffic, it would be really awesome if we could get the packets captured on Linux (or any remote machine) sent over to the system where the Wireshark GUI is available (e.g. a Windows machine).
It is possible and actually fairly easy, but surprisingly there isn't a good resource available on the Internet that explains how this can be done. Hence this article.
Basically, we'll be using the nc command on Linux to start a TCP server and hook it up to tcpdump so that the output of tcpdump is continually sent to the clients connected to the netcat server.
Further, we'll do this in a way that a disconnection by a client does not cause the server to stop, keeping it available for future clients. The netcat server will only be stopped by hitting Ctrl C.
And we'll then use Wireshark as one of the TCP clients of this TCP server.
We need to run a netcat TCP server and connect it to tcpdump.
Depending upon your Linux flavor, the command may differ slightly.
On a busybox machine that I used, this was the command.
This is what I'm doing in the command above:
- A netcat listener (server) is started on port 58796.
- -ll: -l is used for the listener mode, but with the -e option (explained below), -ll was to be used.
- The -e option tells netcat to run a command (everything that comes after -e) on a connection with a client. So everything starting with tcpdump is run as such when a connection is made to the netcat listener, and its output is consumed by the listener. --exec may be the one to be used.
- The tcpdump arguments used above are fairly simple and can be looked up easily on the Internet. You'll have to change the options and arguments as per your need.
- Running nc like this ensures that netcat runs forever and doesn't stop when a client disconnects, which happens if you, e.g., run it using a pipe like this:
Here we have to tell Wireshark to use a TCP socket as its interface.
The key point to note is that Wireshark will act as a TCP client and will want to connect to a server. This is the reason why we had to start netcat
on the remote machine in the listener (server) and not in the client mode.
Also, with this arrangement, there is no need to create any local pipes etc. (as is suggested in a few places).
This is as simple and elegant as it could be, you are welcome!
I couldn't find a way to add TCP details in Wireshark via its GUI, and even if it's possible, most probably it would not persist.
So, we go to the location (in a terminal on Linux or macOS, and cmd on Windows) where Wireshark is installed and simply run this command (using the actual IP of the remote machine).
- -i tells Wireshark to use the provided interface.
- -k causes it to start capturing immediately after starting.
Once you run the above-mentioned command, Wireshark GUI will pop up, and from that point onward, you may stop and start Wireshark any number of times.
Just remember not to close Wireshark, or the TCP details will be lost. In that case, simply run the Wireshark command again.
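What actually crosses the TCP socket in this setup, as an added example that is not part of the original post: a small Python stand-in for Wireshark's TCP client side that connects to the listener and parses the pcap stream it receives, plus a constructed in-process stub for the netcat/tcpdump side so the whole thing runs offline. It assumes tcpdump is writing classic pcap to stdout (the -w - flag, not shown on this page), which is what Wireshark expects on a TCP socket interface.

```python
"""Added example, not the post's code: read_capture() connects to the listener as
Wireshark does and parses the pcap stream that `tcpdump -w -` (assumed flag)
emits; serve_constructed_pcap() is a constructed stub standing in for nc/tcpdump."""
import socket
import struct
import threading

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, little-endian, microsecond timestamps

def recv_exact(sock, n):
    """The stream never 'ends' and arrives in arbitrary chunks: read exactly n bytes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("capture stream closed by the listener")
        buf += chunk
    return buf

def read_capture(host, port, max_packets):
    """Return (linktype, [(timestamp, original_len, frame_bytes), ...])."""
    packets = []
    with socket.create_connection((host, port)) as s:
        magic, _maj, _min, _tz, _sig, snaplen, linktype = struct.unpack(
            "<IHHiIII", recv_exact(s, 24))          # 24-byte pcap global header
        if magic != PCAP_MAGIC_LE:
            raise ValueError(f"not a pcap stream (magic {magic:#x})")
        while len(packets) < max_packets:
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
                "<IIII", recv_exact(s, 16))         # 16-byte record header
            if incl_len > snaplen:                  # cheap desync check
                raise ValueError("record longer than snaplen")
            packets.append((ts_sec + ts_usec / 1e6, orig_len, recv_exact(s, incl_len)))
    return linktype, packets

def serve_constructed_pcap(frames):
    """Constructed listener stub: one client, random loopback port, Ethernet pcap."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1))
            for i, frame in enumerate(frames):
                conn.sendall(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Point read_capture() at the real listener's IP and port 58796 instead of the stub and it will consume the same bytes Wireshark does; note that, like Wireshark, it is just a TCP client, so anything that can reach that port receives the capture.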
Happy sniffing!