Monitor Wireshark Capture (Real-Time) on Remote Host via SSH

Remote Wireshark Capture

Have you ever thought, "man, it would be nice if I could watch a real-time packet capture on a remote Linux host, and by the way, I don't want to stare at some black-and-white tcpdump or tshark screen either"? As long as both your source and remote hosts are running an X11 GUI and the remote host has Wireshark installed, go to the terminal and type the following:

Per the ssh man page, the -Y option "Enables trusted X11 forwarding." The untrusted option is -X. Once you have typed in the passwords for ssh and sudo, Wireshark will launch. To verify that the Wireshark you see is really running on the remote machine, go to Capture > Interfaces in Wireshark; you should see the interfaces of your remote box, not your local ones.

I know, I know, you are thinking: "but I don't have a GUI on my remote box, I don't really enjoy looking at the console output of tshark or tcpdump, and I'm too lazy to write it to a file and then import it into Wireshark". Well, here is where it gets cool. To accomplish this, we are going to take advantage of a FIFO special file. Here is some info from the mkfifo man page.

A FIFO special file is similar to a pipe, except that it is created in a different way. Instead of being an anonymous communications channel, a FIFO special file is entered into the file system by calling mkfifo().

Once you have created a FIFO special file in this way, any process can open it for reading or writing, in the same way as an ordinary file. However, it has to be open at both ends simultaneously before you can proceed to do any input or output operations on it. Opening a FIFO for reading normally blocks until some other process opens the same FIFO for writing, and vice versa.

First, let's create the FIFO file that the remote host will write the capture into and the source host will read the capture from. To do this, type the following in the terminal:

Because this is not a regular file holding data and can be created easily, I'm just going to create it in the /tmp directory. Also, you can name the file whatever you like; I chose fifo to keep it simple. Now that you have the FIFO special file created, we need to SSH into the remote box and start a capture. This can be done with either tcpdump or tshark installed on the remote host; for now, I will use tshark. To keep from being prompted for a password when we ssh into the remote server, we will need to add our source host's SSH public key to the remote host. To do this, we first generate our SSH key pair on the source host by typing the following:

ssh-keygen

Here is what it should look like (notice I left the passphrases blank):

Now we will copy that key to the root user of the remote host by running this command:

You will be prompted to log in to the remote host; once you do, you should see this message:

Now try logging into the machine, with “ssh ‘root@remotehost’”, and check in:

.ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

Type exit, and then you should be able to log in to the remote host without being prompted for a password.

If you have all of this working, then we are ready for the cool stuff. If you haven't already, exit back out of the remote SSH session and, on the source host, type the following:

This will start tshark on the remote host, listening on interface eth1 (-i eth1), filtering out all SSH traffic (-f 'not tcp port 22') so that the SSH session carrying the capture back to you does not end up inside the capture itself, and writing the packets to standard output (-w -), which the shell on the source host redirects into the special FIFO file (> /tmp/fifo). The & at the end just tells it to run in the background. If all is good, then just run one last command to watch the remote capture locally on your source host.
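The whole workflow above, wrapped into one script as an added example (these are my own commands, not the post's, and the post's exact command lines are not reproduced here). It assumes key-based ssh to the remote user already works as set up above, tshark on the remote host, Wireshark locally started with -k (begin capturing immediately) and -i pointing at the FIFO, and that the remote command is quoted so the > redirect happens on the local side; the script name remote_capture.sh is hypothetical. The fifo_roundtrip helper is a purely local stand-in that demonstrates the blocking behaviour the mkfifo man page describes.

```shell
#!/bin/sh
# Added example, not the post's own commands: the workflow above as one
# script. Assumes key-based ssh already works, tshark on the remote host,
# wireshark locally, and a quoted remote command so "> fifo" runs locally.
# Usage: sh remote_capture.sh root@remotehost eth1 [/tmp/fifo]
set -u

# Create the FIFO if it does not exist; refuse to reuse a regular file,
# which would silently turn the live capture into a growing pcap on disk.
ensure_fifo() {
    fifo="$1"
    if [ -e "$fifo" ] && [ ! -p "$fifo" ]; then
        echo "refusing to use $fifo: exists and is not a FIFO" >&2
        return 1
    fi
    [ -p "$fifo" ] || mkfifo "$fifo"
}

# Build the command run on the remote host. The capture filter keeps the
# ssh session carrying the capture out of the capture itself; without it
# every packet sent back to us would itself be captured and sent back.
remote_capture_cmd() {
    printf "tshark -i %s -f 'not tcp port 22' -w -" "$1"
}

# Local stand-in for "ssh ... > fifo &" followed by a reader: shows the
# FIFO blocking rule from the man page (writer waits for the reader).
fifo_roundtrip() {
    fifo="$1"; payload="$2"
    ensure_fifo "$fifo" || return 1
    printf '%s' "$payload" > "$fifo" &   # open-for-write blocks until a reader opens
    result=$(cat "$fifo")                # open-for-read; both ends open, data flows
    wait
    rm -f "$fifo"
    printf '%s' "$result"
}

main() {
    remote="$1"; iface="$2"; fifo="${3:-/tmp/fifo}"; ssh_pid=
    ensure_fifo "$fifo" || exit 1
    # When Wireshark exits, stop the background ssh (and so the remote
    # tshark) and remove the FIFO rather than leaving a stray capture running.
    trap 'kill "$ssh_pid" 2>/dev/null; rm -f "$fifo"' EXIT INT TERM
    ssh "$remote" "$(remote_capture_cmd "$iface")" > "$fifo" &
    ssh_pid=$!
    wireshark -k -i "$fifo"   # -k: start capturing immediately, reading pcap from the FIFO
}
# Only run main when invoked with arguments, so the functions can be sourced.
if [ "$#" -ge 2 ]; then main "$@"; fi
```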

If you know of a better way to do this, noticed something incorrect or have a comment, use the section below to let me know.


2 thoughts on "Monitor Wireshark Capture (Real-Time) on Remote Host via SSH"

  1. phocean, Jan 14, 2010 3:17 am

    Hi,
    Thank you, that’s a great tip.
    I had heard about Rpcap (http://rpcap.sourceforge.net/), but I haven’t tested it yet so I can’t tell you if this is a good alternative or not.
    Moreover, it doesn't look to be much maintained.

    • admin, Jan 15, 2010 12:28 am

      Thanks! I read about rpcap as well, but liked the "FIFO" way better myself. From reading the rpcap site, the documentation isn't that good, and it looks more difficult than it needs to be.
