+------------------+                        +----------------------+
|   Local host     |    tcpdump over ssh    |     Remote Host      |
|                  |<-----------------------|                      |\ eth0
| +--------------+ |                        | tcpdump -i eth0 ...  |/
| |  Wireshark   | |                        +----------------------+
| |--------------| |
| |              | |
| |              | |
| +--------------+ |
+------------------+
- Allow tcpdump to be run through sudo without a password on the remote host. Run
sudo visudo
and add the line:
username ALL = (ALL) NOPASSWD: /usr/sbin/tcpdump
(tcpdump then runs as root on the remote host, so prefer a dedicated capture account over a general-purpose one.)
- Generate a new SSH key pair on the local host (skip this if you already have one):
ssh-keygen -t rsa
- Copy the public key to the remote host so that ssh logs in without asking for a password:
ssh-copy-id -i ~/.ssh/id_rsa.pub user_name@remote_host_ip
- Run tcpdump over ssh on the remote machine and feed its output to Wireshark through a process substitution (a named pipe); the `port 53` filter restricts the capture to DNS traffic and also keeps the ssh session itself out of the capture:
wireshark -k -i <( ssh user_name@remote_host_ip sudo tcpdump -s 0 -U -n -w - -i eth0 port 53 )
- Test by running
ping google.com
on the remote machine; the DNS packets appear in Wireshark on the local host (the remote host runs only tcpdump).
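An added example (not part of the original note) that wraps the steps above in a script: it builds the capture filter so the ssh connection carrying the capture is excluded (necessary as soon as you capture more than `port 53`, otherwise the capture feeds itself), quotes the filter for the remote shell, and checks that passwordless sudo works before Wireshark is started. `user@host`, `eth0` and the ssh port are placeholders.

```bash
#!/bin/bash
# Added example, not from the original note. Remote host, user and
# interface names below are placeholders.

# Compose the BPF filter: the user's own filter plus an exclusion of ssh,
# since every captured packet travels back over ssh and would otherwise be
# captured again (an endless feedback loop). Excludes all ssh traffic on
# the remote host, not only this session; narrow it further if needed.
# $1 = user filter (may be empty), $2 = ssh port (default 22)
build_filter() {
    local user_filter=$1 ssh_port=${2:-22}
    local exclude="not tcp port $ssh_port"
    if [ -n "$user_filter" ]; then
        printf '(%s) and %s\n' "$user_filter" "$exclude"
    else
        printf '%s\n' "$exclude"
    fi
}

# Compose the remote command. sudo -n fails instead of prompting (a prompt
# inside the pipe would hang silently); -s 0 full snaplen, -U flush per
# packet, -n no name lookups, -w - write pcap to stdout. The filter is
# single-quoted so the remote shell does not interpret its parentheses
# (the filter must therefore not contain single quotes itself).
# $1 = interface, $2 = full filter
remote_capture_cmd() {
    printf "sudo -n tcpdump -s 0 -U -n -w - -i %s '%s'\n" "$1" "$2"
}

# Verify the sudoers rule and tcpdump presence on the remote host first.
# $1 = user@host
check_remote_sudo() {
    ssh "$1" 'sudo -n true && command -v tcpdump >/dev/null'
}

# Usage: remote_capture.sh user@host [iface] [filter]
# e.g.   remote_capture.sh user@host eth0 'port 53'
if [ -n "${1:-}" ]; then
    target=$1 iface=${2:-eth0}
    filter=$(build_filter "${3:-}" 22)
    cmd=$(remote_capture_cmd "$iface" "$filter")
    check_remote_sudo "$target" || { echo "remote sudo/tcpdump check failed" >&2; exit 1; }
    wireshark -k -i <( ssh "$target" "$cmd" )
fi
```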
- https://serverfault.com/questions/362529/how-can-i-sniff-the-traffic-of-remote-machine-with-wireshark
- https://wiki.wireshark.org/CaptureSetup/Pipes
- https://www.howtoforge.com/wireshark-remote-capturing
- https://unix.stackexchange.com/questions/395776/how-to-remote-execute-ssh-command-a-sudo-command-without-password