Wireshark is one of the most commonly used tools for network packet capture and analysis, and much of its appeal lies in its GUI.
On the other hand, it is mostly headless Linux systems (e.g. routers) that are used for network management.
While tools like tcpflow etc. on Linux systems provide a satisfactory way of analyzing network traffic, it would be really useful if we could get the packets captured on a Linux (or any remote) machine sent over to the system where the Wireshark GUI is available (e.g. a Windows machine).
It is possible and actually fairly easy, but surprisingly there isn't a good resource on the Internet that explains how to do it. Hence this article.
Basically, we'll be using the nc command on Linux to start a TCP server and hook it up to tcpdump, so that tcpdump's output is continually sent to whichever client is connected.
Further, we'll do this in a way that a client disconnecting does not cause the server to stop, so it stays available for future clients. The netcat server stops only when you interrupt it manually.
We'll then use Wireshark as one of the TCP clients of this TCP server.
We need to run a netcat TCP server and connect it to tcpdump.
Depending upon your Linux flavor, the command may differ slightly. On the busybox machine that I used, this was the command.
This is what I'm doing in the command above:
A netcat listener (server) is started on port 58796.
-l is used for listener mode, but together with the -e option (explained below), -ll had to be used.
The -e option tells netcat to run a command (everything that comes after -e) whenever a client connects. So everything starting with tcpdump is run as such when a connection is made to the netcat listener, and its output is consumed by the listener. On other netcat variants, --exec may be the option to use instead.
The tcpdump arguments used above are fairly simple and can be looked up easily on the internet; <hostname> is a placeholder. You'll have to change the options and arguments as per your need.
Running nc like this ensures that netcat runs forever and doesn't stop when a client disconnects, which is exactly what happens if you instead, e.g., pipe tcpdump's output into nc.
Here we have to tell Wireshark to use a TCP socket as its interface.
The key point to note is that Wireshark acts as a TCP client and wants to connect to a server. This is why we had to start netcat on the remote machine in listener (server) mode and not in client mode.
Also, with this arrangement, there is no need to create any local pipes etc. (as is suggested in a few places).
This is as simple and elegant as it could be, you are welcome!
I couldn't find a way to add TCP details in Wireshark via its GUI, and even if it's possible, most probably it would not persist.
So we go to the location (in a terminal on Linux or macOS, or cmd on Windows) where Wireshark is installed and simply run this command (using the actual IP of the remote machine).
-i tells Wireshark to use the provided interface, and -k causes it to start capturing immediately after starting.
Once you run the above-mentioned command, the Wireshark GUI will pop up, and from that point onward you may stop and start the capture any number of times.
Just remember not to close Wireshark, or the TCP details will be lost. In that case, simply run the Wireshark command again.
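As an added example (not the article's own command, and not part of netcat, tcpdump or Wireshark), the following Python 3 script reproduces the listener side described in the two sections above: an accept loop that, like busybox `nc -ll -e tcpdump ...`, runs the capture command for each client, copies its output into the connection and keeps listening after the client hangs up. It also includes a small client that does what Wireshark's TCP interface does (connect, read the stream) and checks that what arrives starts with a pcap file header, which is what `tcpdump -w -` emits and what Wireshark expects. The interface name `eth0`, the reuse of port 58796 from above, the capture filter, and the `TCP@host:port` form of the `wireshark -k -i` interface argument are assumptions of this example; running it directly needs tcpdump on PATH and capture privileges.

```python
import socket
import struct
import subprocess

# Libpcap file header: `tcpdump -w -` writes these 24 bytes first, then one
# record per packet. Wireshark reading from a TCP@ interface expects this stream.
PCAP_MAGIC_USEC = 0xA1B2C3D4
PCAP_HEADER_FMT = "<IHHiIII"  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
LINKTYPE_ETHERNET = 1


def pcap_global_header(linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Build the pcap global header a capture stream starts with (version 2.4)."""
    return struct.pack(PCAP_HEADER_FMT, PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)


def parse_pcap_global_header(data):
    """Validate the first 24 bytes received from the server; raise if it is not pcap."""
    if len(data) < 24:
        raise ValueError("short read: %d bytes, need 24 for the pcap header" % len(data))
    magic, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(PCAP_HEADER_FMT, data[:24])
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("not a pcap stream (magic %#x)" % magic)
    return {"version": (major, minor), "snaplen": snaplen, "linktype": linktype}


def make_listener(host, port):
    """Bind a TCP listening socket (port 0 lets the OS pick a free port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def serve_capture(srv, command, max_clients=None):
    """Accept loop equivalent to `nc -ll -e <command>`: for every client, run
    `command` and copy its stdout into the connection; when the client goes
    away, kill the command and go back to accepting instead of exiting.
    Returns the number of clients served (finite only if max_clients is set)."""
    served = 0
    try:
        while max_clients is None or served < max_clients:
            conn, _peer = srv.accept()
            proc = subprocess.Popen(command, stdout=subprocess.PIPE)
            try:
                while True:
                    chunk = proc.stdout.read(4096)
                    if not chunk:  # capture command exited on its own
                        break
                    conn.sendall(chunk)
            except OSError:
                pass  # client (e.g. Wireshark) disconnected: keep the listener alive
            finally:
                proc.kill()
                proc.wait()
                conn.close()
            served += 1
    finally:
        srv.close()
    return served


def fetch_capture_header(host, port):
    """Act like Wireshark's TCP client: connect, read the 24-byte pcap header, hang up."""
    buf = b""
    with socket.create_connection((host, port), timeout=10) as conn:
        while len(buf) < 24:
            chunk = conn.recv(24 - len(buf))
            if not chunk:
                break
            buf += chunk
    return buf


def wireshark_interface(host, port):
    """Interface argument for `wireshark -k -i ...` in its TCP@host:port form."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    return "TCP@%s:%d" % (host, port)


if __name__ == "__main__":
    # Assumed capture command: adjust the interface; the filter keeps the stream
    # carrying the capture itself out of the capture so it does not feed back.
    TCPDUMP = ["tcpdump", "-i", "eth0", "-U", "-w", "-", "not", "tcp", "port", "58796"]
    # Bound to loopback on purpose: reach it through an SSH port forward, or change
    # the address to a management interface that a firewall rule protects.
    listener = make_listener("127.0.0.1", 58796)
    print("on the Wireshark side: wireshark -k -i", wireshark_interface("<remote-ip>", 58796))
    serve_capture(listener, TCPDUMP)
```

Like the netcat listener, this serves the full capture, unauthenticated and in the clear, to any client that can reach the port, so bind it to loopback or a management address and reach it over an SSH port forward or behind a firewall rule rather than exposing it on every interface. A client that validates the pcap header before trusting the stream also gives an early, specific error ("not a pcap stream") when the wrong port or a non-tcpdump command is on the other end, instead of Wireshark silently showing nothing.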