TIL that you can analyze live packets from remote network interfaces in Wireshark with the following command:
ssh $SSH_TARGET "tcpdump -w- -i $REMOTE_INTERFACE" | wireshark -k -i-
It’s essentially three commands glued together in a big pipe.
On the left side of the pipe, we have the following to connect to the machine and capture packets in pcap format:
ssh $SSH_TARGET ...
means “SSH into the machine and execute the given argument”tcpdump -w- -i $REMOTE_INTERFACE
, which is executed in on the remote, works like so:-w
selects a file to write to. In this case,-w-
means “write to STDOUT”-i $REMOTE_INTERFACE
specifies the interface to capture on
On the right side of the pipe, there is wireshark -k -i-
.
-k
means “start capturing immediately, don’t bring up the start menu”-i
selects an interface or file to get packets from. In this case,-i-
means “capture packets from STDIN”
Related note: Oftentimes, when a flag that usually expects a file gets a
-
, the program supports reading the data from STDIN, or writing the data to
STDOUT, depending on what the flag actually does. If you want to use the file
specifically named -
, you should provide ./-
in that argument (i.e.
-w ./-
)