
For diagnostic purposes it might sometimes be necessary to capture network traffic on a remote Linux box. It comes in handy that we can do this live from a laptop running Windows and Wireshark; this way we don't need to first write a packet capture file on the Linux box and transfer it to our computer. Instead, this procedure connects over SSH to the remote Linux host, starts tcpdump there, streams its output in real time over the SSH connection to our Windows machine and feeds it into Wireshark.
The tools we use for this are plink.exe (from the PuTTY suite) and Wireshark on the Windows side, and tcpdump on the Linux box.
Before we start monitoring, we need to grant tcpdump the capabilities it needs to capture raw packets, so that it can later run without sudo:
By logging in with username and password:
- "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -t -pw password user@my.remotelinuxbox.com sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
By logging in with a key:
- "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -t -i "S:\mykey.pub" user@my.remotelinuxbox.com sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
To monitor your remote Linux box, connecting with a username and password:
- "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -pw password user@my.remotelinuxbox.com tcpdump -n -nn -s 0 -U -w - -i eth0 | "C:\Program Files\Wireshark\wireshark.exe" -i - -k
To monitor your remote Linux box, connecting with a key:
- "C:\Program Files (x86)\PuTTY\plink.exe" -ssh -i "S:\mykey.pub" user@my.remotelinuxbox.com tcpdump -n -nn -s 0 -U -w - -i eth0 | "C:\Program Files\Wireshark\wireshark.exe" -i - -k
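Two things are worth adding to the procedure above, shown here as an added example that is not from the original post: a check that the setcap step actually took effect on the intended binary before capturing, and a capture filter that keeps the SSH session carrying the capture out of the capture itself (otherwise every packet streamed to Wireshark is itself captured and streamed again). The script assumes an OpenSSH client (a Linux or WSL shell) with a hypothetical key at ~/.ssh/capture_key in place of plink; the tcpdump options are the post's own.

```bash
#!/usr/bin/env bash
# Added example, not the post's code. Assumes OpenSSH, a private key at
# ~/.ssh/capture_key (hypothetical) and tcpdump at /usr/sbin/tcpdump on the
# remote host, the path the post's setcap command uses.
KEY=~/.ssh/capture_key

# Succeed only if one line of `getcap` output says /usr/sbin/tcpdump carries
# both cap_net_raw and cap_net_admin with the e, i and p flags. Handles both
# getcap output styles:
#   /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip      (libcap >= 2.41)
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip    (older libcap)
tcpdump_caps_ok() {
    local line="$1" caps flags f
    case "$line" in
        "/usr/sbin/tcpdump "*) ;;
        *) return 1 ;;                 # empty, or a different binary
    esac
    caps=${line#/usr/sbin/tcpdump}
    caps=${caps#" = "}; caps=${caps# }  # strip the "=" separator or the space
    case "$caps" in
        *=*) flags=${caps#*=}; caps=${caps%%=*} ;;
        *+*) flags=${caps#*+}; caps=${caps%%+*} ;;
        *)   return 1 ;;
    esac
    for f in cap_net_raw cap_net_admin; do
        case ",$caps," in *",$f,"*) ;; *) return 1 ;; esac
    done
    for f in e i p; do
        case "$flags" in *"$f"*) ;; *) return 1 ;; esac
    done
}

# The remote command: the post's tcpdump flags plus a BPF filter. The default
# filter drops all SSH traffic, which also hides any other SSH sessions on the
# box; narrow it to the capturing client's address if those matter.
remote_tcpdump_cmd() {   # $1 = interface, $2 = filter expression
    printf 'tcpdump -n -nn -s 0 -U -w - -i %s %s' "$1" "$2"
}

# remote_capture user@host [interface] [filter]: verify capabilities, then
# stream the capture straight into Wireshark, as the post does with plink.
remote_capture() {
    local target="$1" iface="${2:-eth0}" filter="${3:-not tcp port 22}" caps
    caps=$(ssh -i "$KEY" "$target" getcap /usr/sbin/tcpdump) || return 1
    tcpdump_caps_ok "$caps" || {
        echo "setcap step missing or wrong on $target: '$caps'" >&2; return 1; }
    ssh -i "$KEY" "$target" "$(remote_tcpdump_cmd "$iface" "$filter")" \
        | wireshark -k -i -
}

if [ "$#" -ge 1 ]; then remote_capture "$@"; fi
```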