Howto – Capture with tcpdump for analysis with Wireshark on Linux

Sniffing on the Linux machine

Capturing a sniffer dump on a Linux machine is easy: install the tcpdump package, capture the packets into a file, and analyse that file later in Wireshark. tcpdump needs root (or CAP_NET_RAW) to open the interface, and -s 65535 sets the snapshot length so that whole packets are saved instead of the first bytes only.

  • apt-get install tcpdump
  • tcpdump -i <interface> -s 65535 -w <some-file>

Afterwards, transfer the file with WinSCP (SFTP over the same SSH login) to your Windows workstation and open it in Wireshark.
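Before or after copying the dump, it is worth checking that the file really is a classic pcap and that the snapshot length you asked for ended up in the header. The following script is an added example, not code from the original post: it reads the 24-byte pcap global header with plain POSIX tools and reports byte order, snaplen and link type. The sample file it builds is constructed for the demonstration and contains the header only.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a tcpdump -w file
# before (or after) copying it to the Windows workstation. It reads the 24-byte
# pcap global header and reports byte order, snaplen and link type, so you can
# confirm that -s 65535 / -s 0 took effect and that the copy was not truncated.
# Needs only POSIX sh plus dd, od and tr.

# Print the first 24 bytes of $1 as space-separated unsigned decimal bytes.
pcap_header_bytes() {
    dd if="$1" bs=24 count=1 2>/dev/null | od -An -tu1 -v | tr '\n' ' ' | tr -s ' '
}

# u32 <little|big> b0 b1 b2 b3: assemble four bytes into a 32-bit integer.
u32() {
    if [ "$1" = little ]; then
        echo $(( $2 + $3 * 256 + $4 * 65536 + $5 * 16777216 ))
    else
        echo $(( $5 + $4 * 256 + $3 * 65536 + $2 * 16777216 ))
    fi
}

# pcap_info <file>: print "<endian> snaplen=<n> linktype=<n>" and return 0
# for a classic pcap file; print a diagnostic and return 1 otherwise.
# Header layout: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) linktype(4).
pcap_info() {
    set -- $(pcap_header_bytes "$1")
    [ $# -eq 24 ] || { echo "too short to be a pcap file" >&2; return 1; }
    case "$1 $2 $3 $4" in
        "212 195 178 161"|"77 60 178 161")   # d4c3b2a1 / 4d3cb2a1: little-endian, usec / nsec
            endian=little ;;
        "161 178 195 212"|"161 178 60 77")   # a1b2c3d4 / a1b23c4d: big-endian, usec / nsec
            endian=big ;;
        "10 13 13 10")
            echo "pcapng, not a tcpdump -w file" >&2; return 1 ;;
        *)
            echo "not a pcap file" >&2; return 1 ;;
    esac
    snaplen=$(u32 "$endian" "${17}" "${18}" "${19}" "${20}")
    linktype=$(u32 "$endian" "${21}" "${22}" "${23}" "${24}")
    echo "$endian snaplen=$snaplen linktype=$linktype"
}

# Constructed sample: a little-endian pcap 2.4 header with snaplen 65535 and
# link type 1 (Ethernet), which is what `tcpdump -s 65535 -w file` writes on
# a typical Linux box. No packets follow; only the header matters here.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
}

# Demo run; on a real capture host you would call pcap_info on the -w file.
sample=$(mktemp)
make_sample_pcap "$sample"
pcap_info "$sample"      # prints: little snaplen=65535 linktype=1
rm -f "$sample"
```

If the reported snaplen is smaller than the frames on the wire, Wireshark will flag the packets as truncated; recapture with -s 65535 (or -s 0, which on current tcpdump means the maximum). A pcapng result means the file was not produced by tcpdump -w as described here.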

Sniffing on the Linux machine with redirection to your Windows Wireshark

If you have PuTTY and its command-line client plink installed, you can also capture directly on a remote Linux machine and pipe the output into the Wireshark on your Windows workstation for real-time analysis. tcpdump writes the capture to standard output (-w -), -U flushes every packet as it is captured instead of buffering, plink carries that stream over SSH, and Wireshark reads it from standard input (-i -) and starts immediately (-k).

If you are using password authentication on the Linux machine:

  • "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -pw password root@somemachine.localdomain tcpdump -nn -s 0 -U -w - -i bfe0 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k

Or if you are using key-based authentication:

  • "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -i "C:\mykeystore\somekey.ppk" root@somemachine.localdomain tcpdump -nn -s 0 -U -w - -i bfe0 vlan 99 and icmp | "C:\Program Files\Wireshark\wireshark.exe" -i - -k

Two things to keep in mind: a password given with -pw is visible to every local user in the process list and ends up in the command history, so prefer the key-based form; and the capture filter has to leave out the SSH session that carries the capture itself (as "vlan 99 and icmp" does), otherwise every packet sent to Wireshark is captured again and the stream feeds on itself.
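When the remote capture is meant to see more than ICMP on one VLAN, the filter has to exclude the SSH connection the capture travels over, or tcpdump captures its own output stream in a loop. The script below is an added example, not from the original post: it runs on the remote Linux host, reads the SSH_CONNECTION variable that sshd sets for the session ("client_ip client_port server_ip server_port") and appends an exclusion for exactly that session to whatever filter you pass, then starts tcpdump with the same options as above. The interface name eth0 and the script path /root/capture.sh in the usage comments are assumptions; the post uses bfe0.

```shell
#!/bin/sh
# Added example, not from the original post. tcpdump on the remote host streams
# a pcap to stdout, plink/ssh carries it to the workstation, Wireshark reads it.
# Every packet that goes back over SSH is itself a packet on the interface, so
# the capture filter must exclude that SSH session or the stream feeds on
# itself. sshd exports SSH_CONNECTION for the session running this command,
# which is enough to build a precise exclusion instead of a blanket "not port 22".

# exclude_own_session "<SSH_CONNECTION value>" "<user filter>"
# Prints the user filter with "and not (host <client_ip> and port <client_port>)"
# appended. With an empty connection string (not running under sshd) the user
# filter is returned unchanged.
exclude_own_session() {
    conn=$1
    user_filter=$2
    set -- $conn                     # split into client_ip client_port server_ip server_port
    if [ $# -lt 2 ]; then
        printf '%s\n' "$user_filter"
        return 0
    fi
    own="not (host $1 and port $2)"
    if [ -n "$user_filter" ]; then
        printf '(%s) and %s\n' "$user_filter" "$own"
    else
        printf '%s\n' "$own"
    fi
}

# capture_cmd <iface> <filter>: the exact tcpdump command line that will run,
# printed so it can be checked before anything is started.
capture_cmd() {
    printf 'tcpdump -nn -s 0 -U -w - -i %s %s\n' "$1" "$2"
}

# run_remote_capture <iface> [filter]: replace this shell with tcpdump writing
# a pcap stream to stdout, with the current SSH session filtered out.
run_remote_capture() {
    filter=$(exclude_own_session "${SSH_CONNECTION:-}" "${2:-}")
    # $filter is deliberately unquoted: tcpdump joins the words into one expression.
    exec tcpdump -nn -s 0 -U -w - -i "$1" $filter
}

# Remote entry point, guarded by an environment variable so that sourcing the
# file for its functions does not start a capture. Assumed deployment path and
# interface; from the Windows side the post's plink invocation becomes, e.g.:
#   plink.exe -ssh -batch -i key.ppk root@somemachine.localdomain \
#     "CAPTURE_IFACE=eth0 CAPTURE_FILTER='vlan 99' sh /root/capture.sh" | wireshark.exe -i - -k
if [ -n "${CAPTURE_IFACE:-}" ]; then
    run_remote_capture "$CAPTURE_IFACE" "${CAPTURE_FILTER:-}"
fi

# Demo with a constructed SSH_CONNECTION value (documentation address range):
exclude_own_session "192.0.2.10 51234 192.0.2.1 22" "vlan 99 and icmp"
# prints: (vlan 99 and icmp) and not (host 192.0.2.10 and port 51234)
```

plink's -batch switch (shown in the usage comment) makes plink fail instead of waiting on an interactive prompt, which matters when its stdout is a Wireshark pipe and nobody is watching the console. Excluding only the client host and port, rather than all of port 22, keeps other administrators' SSH sessions visible in the capture.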

Published by

Ronny Van den Broeck

I'm a network and system engineer for more than 20 years now. During this period I became a pro in hunting down ones and zeros, with an eager mindset to help people accomplish the same or abstract them away from the matrix.
