# Remote Wireshark

This page contains the procedure to set up remote packet sniffing on a Linux host with Wireshark.

## ___________________

_*Linux target*_ (NOT possible on OPNsense/FreeBSD)

Add a capture group and add yourself to it.

```
$ sudo groupadd pcap
$ sudo usermod -a -G pcap $USER
```

Next, make tcpdump owned by the pcap group and restrict its permissions so that only group members (and root) can run it:

```
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo chmod 750 /usr/sbin/tcpdump
```

*OR* (depending on the distro)

```
$ sudo chgrp pcap /usr/bin/tcpdump
$ sudo chmod 750 /usr/bin/tcpdump
```

Finally, use setcap to give tcpdump the capabilities it needs to capture packets:

```
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
```

*OR* (depending on the distro)

```
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/tcpdump
```
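The Linux-target steps above, as an added example that is not part of the original page: a script that resolves the distro-dependent tcpdump path, applies the group, mode and capability changes idempotently, and then verifies with getcap that the capabilities actually landed. It assumes the group is named `pcap` and that libcap's `setcap`/`getcap` are installed.

```shell
#!/bin/sh
# Added example, not part of the original page: the Linux-target steps above
# as an idempotent script that resolves the tcpdump path, applies the steps
# and verifies the result. Assumes libcap's setcap/getcap are installed and
# that the capture group is named "pcap" (both are assumptions, not facts
# taken from the page).

# Pick the first existing tcpdump binary (the "/usr/sbin OR /usr/bin
# depending on the distro" choice above).
find_tcpdump() {
  for p in "$@"; do
    [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  return 1
}

# Return 0 if a getcap output line grants cap_net_raw and cap_net_admin with
# the effective (e) and permitted (p) bits. Handles both getcap formats:
#   /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip   (older libcap)
#   /usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip     (newer libcap)
caps_ok() {
  case "$1" in *cap_net_admin*) ;; *) return 1 ;; esac
  case "$1" in *cap_net_raw*) ;; *) return 1 ;; esac
  flags=${1##*[+=]}            # text after the last '+' or '=', e.g. "eip"
  case "$flags" in *e*p*|*p*e*) return 0 ;; *) return 1 ;; esac
}

apply_setup() {
  bin=$(find_tcpdump /usr/sbin/tcpdump /usr/bin/tcpdump) ||
    { echo "tcpdump not found" >&2; return 1; }
  getent group pcap >/dev/null || sudo groupadd pcap
  sudo usermod -a -G pcap "$USER"   # takes effect at the next login
  sudo chgrp pcap "$bin"
  sudo chmod 750 "$bin"             # only root and pcap members may run it
  sudo setcap cap_net_raw,cap_net_admin=eip "$bin"
  # Without these file capabilities tcpdump cannot open the interface, and the
  # sshdump session in Wireshark fails at capture start.
  caps_ok "$(getcap "$bin")" || { echo "capabilities not set on $bin" >&2; return 1; }
  echo "ok: $(getcap "$bin")"
}

# Sourcing this file only defines the functions; run it as
#   sh remote-capture-setup.sh apply
# on the Linux target to perform the setup.
if [ "${1:-}" = apply ]; then apply_setup; fi
```

Once the capabilities are in place, tcpdump can capture without sudo for members of the pcap group, so the "sudo" choice in the Wireshark Capture tab below only works if that user is also allowed to run tcpdump via sudo.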

_*Windows system running Wireshark*_

(Re-)install the latest Wireshark and make sure you tick the _*sshdump*_ option during the installation process.

Click the _*SSH remote capture*_ icon and fill out the following fields:

Server tab

```
Remote SSH server address: <remote system's IP address>
Remote SSH server port: <SSH port> (most likely: 22)
```

Authentication tab

```
Remote SSH server username: <username for capture process>
Remote SSH server password: <password for username>
```

Capture tab

```
Remote capture command selection: tcpdump
Gain capture privilege on the remote machine: sudo
Privileged user name for sudo or doas: <username for capture process> (as above)
```

Check the "Save parameter(s) on capture start" tick box.

Exit and start the sniffer by clicking the _*SSH remote capture*_ capture device.

<a href="FrontPage.md" >Back to frontpage</a>