KleinDocs/topics/KleinOps/network/Remote-Wireshark-on-Linux.md

<primary-label ref="document"></primary-label>

# Remote Wireshark

This page contains the procedure to set up Remote packet sniffing on Linux with Wireshark.
## ___________________
_*Linux target*_ (NOT possible on OPNsense/Freebsd)  
Add a capture group and add yourself to it.
```
$ sudo groupadd pcap
$ sudo usermod -a -G pcap $USER
```
Next, add the pcap group and set permissions to tcpdump
```
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo chmod 750 /usr/sbin/tcpdump
```
*OR* (depending on the distro)
```
$ sudo chgrp pcap /usr/bin/tcpdump
$ sudo chmod 750 /usr/bin/tcpdump
``` 
Finally, use setcap to give tcpdump the necessary permissions:
```
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
```
*OR*  (depending on the distro)
```
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
```
_*Windows system running Wireshark*_

(re-)Install the latest Wireshark and make sure you tick _*sshdump*_ option during the installation process.  

Click the _*SSH remote capture*_ icon and fill out the following fields:  

Server tab
```
Remote SSH server address: <remote system's IP address>
Remote SSH server port: <SSH port> (most likely: 22)
```
Authentication tab
```
Remote SSH server username: <username for capture process>
Remote SSH server password: <password for username>
```
Capture tab
```
Remote capture command selection: tcpdump
Gain capture privilege on the remote machine: sudo
Privileged user name for sudo or doas: <username for capture process> (as above)
```

Check the "Save parameter(s) on capture start" tick box.

Exit and start the sniffer by clicking the _*SSH remote capture*_ caputure device.

<a  href="FrontPage.md" >Back to frontpage</a>
Big apps section haul-over - revised 2025-11-23 12:38:27 +01:00			`<primary-label ref="document"></primary-label>`
Added SSH and Wireshark topics. Updates shortcuts on Frontpage 2024-10-28 17:24:23 +01:00
			`# Remote Wireshark`

			`This page contains the procedure to set up Remote packet sniffing on Linux with Wireshark.`
			`## ___________________`
			`_Linux target_ (NOT possible on OPNsense/Freebsd)`
			`Add a capture group and add yourself to it.`
			```
			`$ sudo groupadd pcap`
			`$ sudo usermod -a -G pcap $USER`
			```
			`Next, add the pcap group and set permissions to tcpdump`
			```
			`$ sudo chgrp pcap /usr/sbin/tcpdump`
			`$ sudo chmod 750 /usr/sbin/tcpdump`
			```
			`OR (depending on the distro)`
			```
			`$ sudo chgrp pcap /usr/bin/tcpdump`
			`$ sudo chmod 750 /usr/bin/tcpdump`
			```
			`Finally, use setcap to give tcpdump the necessary permissions:`
			```
			`$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump`
			```
Many doc updates VIII 2025-03-05 15:13:22 +01:00			`OR (depending on the distro)`
			```
			`$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump`
			```
Added SSH and Wireshark topics. Updates shortcuts on Frontpage 2024-10-28 17:24:23 +01:00			`_Windows system running Wireshark_`

			`(re-)Install the latest Wireshark and make sure you tick _sshdump_ option during the installation process.`

			`Click the _SSH remote capture_ icon and fill out the following fields:`

			`Server tab`
			```
			`Remote SSH server address: <remote system's IP address>`
			`Remote SSH server port: <SSH port> (most likely: 22)`
			```
			`Authentication tab`
			```
			`Remote SSH server username: <username for capture process>`
			`Remote SSH server password: <password for username>`
			```
			`Capture tab`
			```
			`Remote capture command selection: tcpdump`
			`Gain capture privilege on the remote machine: sudo`
			`Privileged user name for sudo or doas: <username for capture process> (as above)`
			```

			`Check the "Save parameter(s) on capture start" tick box.`

Many doc updates III 2025-03-02 14:03:17 +01:00			`Exit and start the sniffer by clicking the _SSH remote capture_ caputure device.`

Big apps section haul-over - revised 2025-11-23 12:38:27 +01:00			`<a href="FrontPage.md" >Back to frontpage</a>`