# Remote Wireshark

This page contains the procedure to set up remote packet sniffing on a Linux host with Wireshark.

## Linux target

(NOT possible on OPNsense/FreeBSD)

Add a capture group and add yourself to it. Group membership only takes effect on a new login session, so log out and back in (or open a fresh SSH session) afterwards.

```
$ sudo groupadd pcap
$ sudo usermod -a -G pcap $USER
```

Next, make the tcpdump binary group-owned by pcap and restrict its permissions so that only root and members of pcap can execute it:

```
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo chmod 750 /usr/sbin/tcpdump
```

*OR* (depending on the distro):

```
$ sudo chgrp pcap /usr/bin/tcpdump
$ sudo chmod 750 /usr/bin/tcpdump
```

Finally, use setcap to give tcpdump the capabilities it needs to open raw sockets, so members of pcap can capture without a full root shell (use the same path as above). Note that file capabilities are stored on the binary itself and are lost when the package manager replaces it, so re-run this step after upgrading tcpdump:

```
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
```

## Windows system running Wireshark

(Re-)install the latest Wireshark and make sure you tick the _*sshdump*_ option during the installation process.

Click the _*SSH remote capture*_ icon and fill out the following fields:

Server tab

```
Remote SSH server address:
Remote SSH server port: (most likely: 22)
```

Authentication tab

```
Remote SSH server username:
Remote SSH server password:
```

Capture tab

```
Remote capture command selection: tcpdump
Gain capture privilege on the remote machine: sudo
Privileged user name for sudo or doas: (as above)
```

Check the "Save parameter(s) on capture start" tick box.

Exit and start the sniffer by clicking the _*SSH remote capture*_ capture device.
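The following script is an added example and is not part of the original page. It checks, without changing anything, that the Linux-target steps above actually took effect: it resolves which of the two tcpdump paths the distro uses, verifies the group ownership and 750 mode, and parses `getcap` output in both the older (`path = caps+eip`) and newer (`path caps=eip`) formats. It also builds the same `sudo tcpdump ... -w -` pipeline that the sshdump capture tab drives, for use from a Linux or macOS client; the group name `pcap`, the interface name and the `stat -c`/`getcap` availability (GNU coreutils and libcap) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): verify the remote-capture setup.

# Resolve the tcpdump binary. The page notes it lives in /usr/sbin or /usr/bin
# depending on the distro; print the first one found, fail if neither exists.
tcpdump_bin() {
  for p in /usr/sbin/tcpdump /usr/bin/tcpdump; do
    if [ -e "$p" ]; then printf '%s\n' "$p"; return 0; fi
  done
  return 1
}

# Check that FILE is group-owned by GROUP and has mode 750, so only root and
# members of the capture group can execute it. Uses GNU stat (Linux).
check_owner_mode() {
  file=$1; group=$2; ok=0
  actual_group=$(stat -c '%G' "$file") || return 1
  actual_mode=$(stat -c '%a' "$file") || return 1
  [ "$actual_group" = "$group" ] || { echo "group is $actual_group, want $group"; ok=1; }
  [ "$actual_mode" = "750" ]     || { echo "mode is $actual_mode, want 750"; ok=1; }
  return $ok
}

# Decide whether one line of getcap output grants cap_net_raw and cap_net_admin
# with the effective and permitted flags set. Accepts both output styles:
#   "/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip"   (older libcap)
#   "/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip"     (newer libcap)
caps_ok() {
  line=$1
  case $line in *cap_net_raw*)   ;; *) echo "missing cap_net_raw";   return 1 ;; esac
  case $line in *cap_net_admin*) ;; *) echo "missing cap_net_admin"; return 1 ;; esac
  flags=$(printf '%s' "$line" | sed 's/.*[+=]//')   # text after the last '+' or '='
  case $flags in *e*) ;; *) echo "effective flag not set"; return 1 ;; esac
  case $flags in *p*) ;; *) echo "permitted flag not set"; return 1 ;; esac
  return 0
}

# Run getcap on FILE and check its output with caps_ok.
check_caps() {
  out=$(getcap "$1" 2>/dev/null) || { echo "getcap failed or no caps on $1"; return 1; }
  caps_ok "$out"
}

# Build the command line that sshdump's capture tab (tcpdump via sudo) runs on
# the remote host: unbuffered (-U), full packets (-s0), pcap to stdout (-w -).
# USER, HOST, IFACE and the optional FILTER are caller-supplied.
remote_capture_cmd() {
  user=$1; host=$2; iface=$3; filter=$4
  printf "ssh %s@%s 'sudo tcpdump -i %s -U -s0 -w - %s'" "$user" "$host" "$iface" "$filter"
}

# Stand-alone run: verify the local tcpdump, then print the pipeline a Linux
# client would use instead of the Windows sshdump dialog.
main() {
  bin=$(tcpdump_bin) || { echo "tcpdump not found in /usr/sbin or /usr/bin"; return 1; }
  check_owner_mode "$bin" pcap && check_caps "$bin" && echo "$bin is set up for group pcap"
  echo "Linux client equivalent of the sshdump capture:"
  echo "  $(remote_capture_cmd capture target.example 'eth0' 'not port 22') | wireshark -k -i -"
}

case $0 in *remote_capture_check*) main ;; esac
```

The `not port 22` filter in the printed pipeline keeps the SSH session that carries the capture out of the capture itself; without it every captured packet generates more SSH traffic, which is captured in turn.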