Remote Wireshark
This page contains the procedure to set up Remote packet sniffing on Linux with Wireshark.
___________________
Linux target (NOT possible on OPNsense/FreeBSD)
Add a capture group and add yourself to it.
$ sudo groupadd pcap
$ sudo usermod -a -G pcap $USER
Next, hand the tcpdump binary to the pcap group and restrict its permissions so that only root and members of that group can run it:
$ sudo chgrp pcap /usr/sbin/tcpdump
$ sudo chmod 750 /usr/sbin/tcpdump
OR (depending on the distro)
$ sudo chgrp pcap /usr/bin/tcpdump
$ sudo chmod 750 /usr/bin/tcpdump
Finally, use setcap to grant tcpdump only the capabilities it needs (raw sockets and network administration), using the same tcpdump path you chose above:
$ sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
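The Linux-target steps above as one script, added here as an example (not from the original page): it resolves whichever tcpdump path the distro uses, applies the group, mode and capability changes for a given capture user, and verifies the result with stat and getcap. Function and variable names are my own; it assumes GNU coreutils and libcap's setcap/getcap are installed.

```shell
#!/usr/bin/env bash
# Added example: a non-interactive version of the Linux-target steps above.
# It resolves the distro-specific tcpdump path (the "OR" case), applies the
# group, mode and capability changes, then verifies them. Run with sudo.
set -e
CAP_GROUP="pcap"

# Print the first argument that exists as an executable file; the page gives
# /usr/sbin/tcpdump and /usr/bin/tcpdump as the candidates.
pick_tcpdump() {
    local p
    for p in "$@"; do
        if [ -f "$p" ] && [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Apply the page's steps to one tcpdump binary for one capture user (needs root).
harden_tcpdump() {
    local bin="$1" user="$2"
    getent group "$CAP_GROUP" >/dev/null || groupadd "$CAP_GROUP"
    usermod -a -G "$CAP_GROUP" "$user"
    chgrp "$CAP_GROUP" "$bin"
    chmod 750 "$bin"                      # root + group only, nothing for others
    # Only raw-socket and interface-admin rights, instead of running as root.
    setcap cap_net_raw,cap_net_admin=eip "$bin"
}

# Check that a tcpdump binary has the group, mode and capabilities set above.
verify_tcpdump() {
    local bin="$1" grp mode caps
    grp=$(stat -c %G "$bin")
    mode=$(stat -c %a "$bin")
    caps=$(getcap "$bin" 2>/dev/null || true)
    [ "$grp" = "$CAP_GROUP" ] || { echo "$bin: group is $grp, expected $CAP_GROUP"; return 1; }
    [ "$mode" = "750" ] || { echo "$bin: mode is $mode, expected 750"; return 1; }
    case "$caps" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) ;;
        *) echo "$bin: capabilities not set ('$caps')"; return 1 ;;
    esac
    echo "ok: $bin"
}

# Usage (as root):
#   bin=$(pick_tcpdump /usr/sbin/tcpdump /usr/bin/tcpdump)
#   harden_tcpdump "$bin" alice && verify_tcpdump "$bin"
```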
Windows system running Wireshark
(Re-)install the latest Wireshark and make sure you tick the sshdump option during the installation process.
Click the SSH remote capture icon and fill out the following fields:
Server tab
Remote SSH server address: <remote system's IP address>
Remote SSH server port: <SSH port> (most likely: 22)
Authentication tab
Remote SSH server username: <username for capture process>
Remote SSH server password: <password for username>
Capture tab
Remote capture command selection: tcpdump
Gain capture privilege on the remote machine: sudo
Privileged user name for sudo or doas: <username for capture process> (as above)
Check the "Save parameter(s) on capture start" tick box.
Close the dialog and start the sniffer by clicking the SSH remote capture device.