Wireshark - analyze on GUI Live Packets from Remote Machine

April 21, 2023

Author - manisar


Wireshark is one of the most commonly used tools for network packet capturing and analysis. And most of its beauty lies in its GUI.

On the other hand, the systems used for network management (e.g. routers) are mostly headless Linux machines.

While tools like tcpdump, tcpflow etc. on Linux systems provide a satisfactory way of analyzing network traffic, it would be really awesome if we could get the packets captured on Linux (or any remote machine) sent over to the system where the Wireshark GUI is available (e.g. a Windows machine).

It is possible and actually fairly easy. But surprisingly there isn't a good resource available on the Internet that tells how this can be done. Hence this article.

Tools Used

  • Wireshark
  • tcpdump
  • netcat (nc)

Basically, we'll be using the nc command on Linux to start a TCP server and hook it up to tcpdump, so that the output of tcpdump is continually sent to the clients connected to the netcat server.

Further, we'll do this in a way that a client disconnecting does not cause the server to stop, thus keeping it available for future clients. The netcat server is only stopped by hitting Ctrl-C.

And we'll then use Wireshark as one of the TCP clients of this TCP server.

On the Linux Machine

We need to run a netcat TCP server and connect it to tcpdump.

Depending upon your Linux flavor, the command may differ slightly.

On a busybox machine that I used, this was the command.

nc -ll -p 58796 -e tcpdump -s 0 -w - -n -i any host <hostname>

This is what I'm doing in the command above:

  • A netcat listener (server) is started on port 58796.
    Busybox, painfully, did not allow using IP before port with -ll!
    Generally -l is used for listener mode, but with the -e option (explained below), -ll had to be used.
    You may try the format IP:port.

  • The -e option tells netcat to run a command (everything that comes after -e) when a client connects. So everything starting with tcpdump is run as such when a connection is made to the netcat listener, and its output is sent over that connection to the client.
    On some systems, --exec may be the option to use instead.

    The tcpdump arguments used above are fairly simple and can be looked up easily on the Internet.
    Here, I'm capturing packets (on all interfaces) to or from <hostname>. You'll have to change the options and arguments as per your need.

Running nc like this ensures that netcat runs forever and doesn't stop when a client disconnects, which is what happens if you instead run it using a pipe like this:

tcpdump -s 0 -w - -n -i any host <hostname> | nc -l IP PORT

On the Machine having Wireshark GUI

Here we have to tell Wireshark to use a TCP socket as its capture interface.

The key point to note is that Wireshark acts as a TCP client and wants to connect to a server. This is the reason why we had to start netcat on the remote machine in listener (server) mode and not in client mode.

Also, with this arrangement, there is no need to create any local pipes etc. (as is suggested in a few places).

This is as simple and elegant as it could be, you are welcome!

I couldn't find a way to add TCP details in Wireshark via its GUI, and even if it's possible, most probably it would not persist.

So, we go to the location where Wireshark is installed (in a terminal on Linux or macOS, or cmd on Windows) and simply run this command (using the actual IP of the remote machine; on Linux or macOS the executable is invoked as ./wireshark instead of .\wireshark).

.\wireshark -k -i TCP@<remote_IP>:58796

-i tells Wireshark which capture interface to use; TCP@<remote_IP>:58796 names a TCP socket that Wireshark connects to.
-k causes it to start capturing immediately after starting.

Once you run the command above, the Wireshark GUI will pop up, and from that point onward you may stop and restart the capture any number of times.

Just remember not to close Wireshark, or the TCP interface details will be lost. In that case, simply run the Wireshark command again.
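As an added check (example code written for this article, not part of the original post or of Wireshark/tcpdump), the script below connects to the netcat port exactly as Wireshark's TCP@host:port interface does and verifies that what arrives is a well-formed pcap stream: the 24-byte global header with a known magic, followed by complete 16-byte record headers. Since the listener above hands the raw capture to anyone who can reach port 58796, running the same check from another host also tells you whether the port is reachable from further away than intended. The host, port and sample bytes are assumptions.

```python
import socket
import struct

# pcap magic (read little-endian from the first 4 bytes) -> (struct byte order, ticks per second)
PCAP_MAGICS = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),   # microsecond timestamps
               0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}   # nanosecond timestamps
LINKTYPES = {1: "ETHERNET", 113: "LINUX_SLL", 276: "LINUX_SLL2"}  # '-i any' yields SLL or SLL2
# Constructed sample, not a real capture: little-endian header (snaplen 65535, LINUX_SLL),
# two complete records, then a record whose 10 declared bytes were cut off after 2.
SAMPLE_STREAM = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 113)
                 + struct.pack("<IIII", 1700000000, 500, 4, 60) + b"ABCD"
                 + struct.pack("<IIII", 1700000001, 0, 2, 2) + b"\x01\x02"
                 + struct.pack("<IIII", 1700000002, 0, 10, 10) + b"xx")


def parse_global_header(buf):
    """Parse the 24-byte pcap global header that 'tcpdump -w -' emits first."""
    if len(buf) < 24:
        raise ValueError("need 24 bytes for the pcap global header")
    (magic,) = struct.unpack("<I", buf[:4])
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap stream: magic 0x%08x" % magic)
    order, ticks = PCAP_MAGICS[magic]
    major, minor, _tz, _sig, snaplen, linktype = struct.unpack(order + "HHiIII", buf[4:24])
    return {"order": order, "ticks": ticks, "version": (major, minor),
            "snaplen": snaplen, "linktype": LINKTYPES.get(linktype, linktype)}


def parse_records(body, hdr):
    """Return (timestamp, captured bytes, original length) for every complete record."""
    fmt, pos, out = hdr["order"] + "IIII", 0, []
    while pos + 16 <= len(body):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(fmt, body[pos:pos + 16])
        if incl_len > hdr["snaplen"] or incl_len > orig_len:
            raise ValueError("corrupt record header at offset %d" % pos)
        if pos + 16 + incl_len > len(body):
            break  # truncated final record: the stream was cut mid-packet
        out.append((ts_sec + ts_frac / hdr["ticks"], body[pos + 16:pos + 16 + incl_len], orig_len))
        pos += 16 + incl_len
    return out


def check_remote_stream(host, port, want=3, timeout=5.0):
    """Connect like Wireshark's TCP@host:port interface and validate the first records."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as f:
        hdr = parse_global_header(f.read(24))
        body = b""
        while len(parse_records(body, hdr)) < want:
            chunk = f.read1(65536)  # empty chunk means the listener closed the connection
            if not chunk:
                break
            body += chunk
    return hdr, parse_records(body, hdr)[:want]
```

Calling check_remote_stream("<remote_IP>", 58796) returns the parsed header and the first three records; a ValueError means something other than tcpdump's pcap output is answering on that port.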

Happy sniffing!
