KleinDocs/topics/KleinOps/network/Remote-Wireshark-on-Linux.md
Rudi 3782e64425
Big apps section haul-over - revised
2025-11-23 12:38:27 +01:00


Remote Wireshark

This page describes how to capture packets on a remote Linux host from Wireshark: tcpdump runs on the target, and Wireshark's sshdump extcap interface pulls the capture over SSH.

___________________

Linux target (NOT possible on OPNsense/FreeBSD: the steps below rely on Linux file capabilities)
Add a capture group and add the capture user (the account sshdump will log in as) to it. The new group membership only takes effect at the user's next login.

$ sudo groupadd pcap
$ sudo usermod -a -G pcap $USER

Next, add the pcap group and set permissions to tcpdump

$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo chmod 750 /usr/sbin/tcpdump

OR (depending on the distro)

$ sudo chgrp pcap /usr/bin/tcpdump
$ sudo chmod 750 /usr/bin/tcpdump

Finally, use setcap to grant the tcpdump binary the capabilities it needs for raw packet access. This is why the 750 mode matters: file capabilities apply to everyone who can execute the binary, so keeping it off-limits to other users prevents every local account from sniffing the wire. Verify the result with getcap. Note that a package upgrade replaces the binary and with it the group, mode and capabilities, so repeat these steps after updating tcpdump:

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump

OR (depending on the distro)

$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
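The following script is an added example and not part of the original page: it applies the group, mode and capability steps above in one idempotent run and verifies the result, so it can be re-run after a tcpdump package upgrade. It assumes a Linux host with libcap's setcap/getcap installed; the group name pcap, the environment variable PCAP_GROUP and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): apply and verify the tcpdump
# group/mode/capability setup in one idempotent script. Assumes a Linux host
# with libcap's setcap/getcap available; the group name "pcap", PCAP_GROUP
# and the function names are this example's own.

PCAP_GROUP=${PCAP_GROUP:-pcap}

# Resolve the real tcpdump binary instead of guessing /usr/sbin vs /usr/bin.
# On merged-/usr distributions /usr/sbin is a symlink to /usr/bin, so
# readlink -f makes sure we act on the actual file.
find_tcpdump() {
    p=$(command -v tcpdump 2>/dev/null) || return 1
    readlink -f "$p"
}

# True if the file's permission bits are exactly the given octal mode.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# True if the file is owned by the given group (4th column of ls -l).
group_is() {
    [ "$(ls -ld "$1" 2>/dev/null | awk '{print $4}')" = "$2" ]
}

# True if getcap reports both capabilities on the file. Only the capability
# names are checked, so both the old ("= cap_net_admin,cap_net_raw+eip") and
# the new ("cap_net_admin,cap_net_raw=eip") getcap output formats are accepted.
caps_ok() {
    out=$(getcap "$1" 2>/dev/null || true)
    case $out in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) return 0 ;;
    esac
    return 1
}

# Check all three properties; print each failure, return 1 if any failed.
verify_tcpdump() {
    bin=$1; grp=${2:-$PCAP_GROUP}; rc=0
    group_is "$bin" "$grp" || { echo "FAIL: $bin is not owned by group $grp"; rc=1; }
    # 750 is the security-relevant bit: file capabilities apply to everyone who
    # can execute the binary, so a world-executable 755 would let any local
    # user sniff the wire, not just members of the capture group.
    mode_is "$bin" 750 || { echo "FAIL: $bin mode is not 750"; rc=1; }
    caps_ok "$bin" || { echo "FAIL: $bin lacks cap_net_raw/cap_net_admin"; rc=1; }
    return $rc
}

# Apply the setup from the page (needs root). Safe to re-run, e.g. after a
# package upgrade has replaced the binary and thereby dropped its capabilities.
setup_tcpdump() {
    bin=$(find_tcpdump) || { echo "tcpdump not found in PATH" >&2; return 1; }
    grp=${1:-$PCAP_GROUP}
    getent group "$grp" >/dev/null || groupadd "$grp"
    chgrp "$grp" "$bin"
    chmod 750 "$bin"
    setcap cap_net_raw,cap_net_admin=eip "$bin"
    verify_tcpdump "$bin" "$grp"
}

# Usage: sudo sh this.sh setup   (then: sudo usermod -a -G pcap <user>; re-login)
#        sh this.sh verify
case ${1:-} in
    setup)  setup_tcpdump ;;
    verify) verify_tcpdump "$(find_tcpdump)" ;;
esac
```

Run `verify` as the capture user after logging in again; if it passes but tcpdump still refuses to open the interface, the user is most likely not yet in the pcap group for the current session.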

Windows system running Wireshark

(Re-)install the latest Wireshark and make sure the Sshdump component (listed under Tools) is ticked during the installation process.

Click the gear icon next to "SSH remote capture" in the interface list and fill out the following fields:

Server tab

Remote SSH server address: <remote system's IP address>
Remote SSH server port: <SSH port> (most likely: 22)

Authentication tab

Remote SSH server username: <username for capture process>
Remote SSH server password: <password for username>

Where possible, leave the password empty and set "Path to SSH private key" instead: a dedicated key pair for the capture account is preferable to a password typed into (and possibly saved by) the dialog.

Capture tab

Remote capture command selection: tcpdump
Gain capture privilege on the remote machine: sudo
Privileged user name for sudo or doas: <username for capture process> (as above)

Because of the setcap step, the capture user can already run tcpdump without root, so "none" also works here. If you keep sudo, it must be allowed for this user without a password prompt: sshdump runs the command non-interactively over SSH, and there is no terminal to type a password into.

Check the "Save parameter(s) on capture start" tick box.

Close the dialog and start the sniffer by clicking the SSH remote capture device in the interface list.
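The following is an added example, not part of the original page: the manual equivalent of the pipeline the sshdump dialog sets up, useful for confirming the target-side setup before troubleshooting the GUI. It assumes the tcpdump capabilities from the Linux target section are in place and that an ssh client and wireshark are in PATH on the capturing machine (on Windows, the bundled OpenSSH client and Wireshark.exe work the same way). The function and parameter names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): manual equivalent of the
# sshdump pipeline. Assumes the target-side setcap/pcap-group setup is done
# and that ssh and wireshark are in PATH. Names are this example's own.

# Build the remote tcpdump command line. -U flushes each packet to the pipe
# as it arrives, -w - writes raw pcap to stdout, and the filter excludes the
# SSH session that carries the capture itself: without it, every captured
# packet generates SSH traffic that is captured in turn, inflating the
# capture (and the link) in a feedback loop.
remote_capture_cmd() {
    iface=$1
    ssh_port=${2:-22}
    extra_filter=${3:-}
    cmd="tcpdump -n -U -i $iface -w - not tcp port $ssh_port"
    if [ -n "$extra_filter" ]; then
        cmd="$cmd and ( $extra_filter )"
    fi
    printf '%s\n' "$cmd"
}

# Run the capture over ssh and feed it straight into Wireshark.
# No sudo: the capture user is in the pcap group and tcpdump carries the
# file capabilities, so tcpdump runs unprivileged on the target.
run_remote_capture() {
    user=$1; host=$2; iface=$3; ssh_port=${4:-22}; extra_filter=${5:-}
    ssh -p "$ssh_port" "$user@$host" \
        "$(remote_capture_cmd "$iface" "$ssh_port" "$extra_filter")" \
        | wireshark -k -i -
}

# Usage: sh this.sh alice 192.0.2.10 eth0 22 'port 53'
if [ $# -ge 3 ]; then
    run_remote_capture "$@"
fi
```

If Wireshark shows nothing while `ssh user@host tcpdump -i eth0 -c 1` in a terminal works, the difference is almost always the missing `-U` (tcpdump buffers its output) or a sudo prompt the non-interactive session cannot answer.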
