wireshark using remote interface
I want to monitor traffic on an interface on a remote machine and can't see the best way to do that. I have wireshark on my opensuse box and want to monitor traffic on the wlan0 wireless interface on a headless pi. I started by putting wireshark on the pi and remoting its interface via ssh-X to the opensuse box, but that gives me strange options in the capture window (ciscodump et al). Whenever I google I get confused about which end is 'remote' and which end is 'local'. I also tried installing tcpdump on the pi and got that to display in the opensuse xterm I'm running ssh to the pi in. But I don't understand how to connect that to wireshark. So what's best? Should I be running wireshark on the pi but displayed on the opensuse box, and if so how do I get it to show me the pi's interfaces? Or should I be running wireshark on the opensuse box and if so how do I get it to show me the pi's interfaces?
On Mon, 27 Sep 2021 12:36:43 -0400 James Knott <james.knott@jknott.net> wrote:
On 2021-09-27 11:15 a.m., Dave Howorth wrote:
I started by putting wireshark on the pi and remoting its interface via ssh-X to the opensuse box
That's what I used to do when I was running a Linux firewall. I just tried it with my ThinkPad and it worked there too.
Thanks. When I do it, I get an initial Welcome to Wireshark capture screen but instead of the list of interfaces I see
Cisco remote capture: ciscodump
Random packet generator: randpkt
SSH remote capture: sshdump
UDP Listener remote capture: udpdump
each has what looks like a small gear wheel inside a circle before it. That's where I get confused about what it means by 'remote'. Remote from the pi or remote from the opensuse box? But how do I get it to capture wlan0 traffic?
On 2021-09-27 1:24 p.m., Dave Howorth wrote:
On Mon, 27 Sep 2021 12:36:43 -0400 James Knott <james.knott@jknott.net> wrote:
On 2021-09-27 11:15 a.m., Dave Howorth wrote:
I started by putting wireshark on the pi and remoting its interface via ssh-X to the opensuse box
That's what I used to do when I was running a Linux firewall. I just tried it with my ThinkPad and it worked there too.
Thanks. When I do it, I get an initial Welcome to Wireshark capture screen but instead of the list of interfaces I see
Cisco remote capture: ciscodump
Random packet generator: randpkt
SSH remote capture: sshdump
UDP Listener remote capture: udpdump
each has what looks like a small gear wheel inside a circle before it.
That's where I get confused about what it means by 'remote'. Remote from the pi or remote from the opensuse box?
But how do I get it to capture wlan0 traffic?
Try using su - to root.
Dave Howorth wrote:
I also tried installing tcpdump on the pi and got that to display in the opensuse xterm I'm running ssh to the pi in. But I don't understand how to connect that to wireshark.
You run tcpdump on the pi with the -s0 and the -w<file> options to capture packets according to your spec. Copy the packet capture to wherever for analysis with wireshark.
-- Per Jessen, Zürich (20.0°C)
On 27.09.2021 20:33, Per Jessen wrote:
Dave Howorth wrote:
I also tried installing tcpdump on the pi and got that to display in the opensuse xterm I'm running ssh to the pi in. But I don't understand how to connect that to wireshark.
You run tcpdump on the pi with the -s0 and the -w<file> options to capture packets according to your spec. Copy the packet capture to wherever for analysis with wireshark.
To see packets live
ssh somehost tcpdump -U -w - | tshark -i -
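Both approaches from the thread, Per's capture-to-file-then-copy and Andrei's live ssh pipe, put together as an added example script (not code from any of the posters). It assumes key-based ssh to the remote host, tcpdump installed there, and the login user allowed to run it (passwordless sudo for tcpdump, or a root login with REMOTE_SUDO set empty); "pi" and "wlan0" are placeholders. The one thing it adds to the one-liners above is a capture filter that excludes the ssh session itself, because a live capture that includes its own ssh traffic feeds back on itself: each packet delivered to Wireshark is new ssh traffic, which is captured, which is more ssh traffic.

```shell
#!/bin/sh
# Added example, not code from the thread. Streams a live tcpdump capture
# from a remote host into Wireshark (or tshark) over ssh, or saves it to a
# file on the remote host and copies it back. Assumptions: key-based ssh to
# the remote host, tcpdump installed there, and the login user allowed to
# run it (passwordless sudo for tcpdump, or log in as root and set
# REMOTE_SUDO to the empty string). "pi" and "wlan0" are placeholders.

REMOTE_SUDO="${REMOTE_SUDO-sudo -n}"   # -n: never prompt for a password

# build_capture_cmd HOST IFACE [SSH_PORT]
# Print the remote command line. The capture filter excludes the ssh
# session itself; without it every packet Wireshark receives produces more
# ssh traffic, which is captured, which produces more ssh traffic.
build_capture_cmd() {
    host=$1; iface=$2; port=${3:-22}
    # -U: flush each packet to the pipe; -s0: whole packets; -w -: pcap to stdout
    printf 'ssh %s %s tcpdump -U -s0 -i %s -w - "not tcp port %s"\n' \
        "$host" "$REMOTE_SUDO" "$iface" "$port"
}

# live_capture HOST IFACE [SSH_PORT]
# Pipe the pcap stream into Wireshark (-k: start at once, -i -: read stdin);
# fall back to tshark when there is no display to draw on.
live_capture() {
    cmd=$(build_capture_cmd "$@")
    if [ -n "$DISPLAY" ] && command -v wireshark >/dev/null 2>&1; then
        sh -c "$cmd" | wireshark -k -i -
    else
        sh -c "$cmd" | tshark -i -
    fi
}

# save_capture HOST IFACE OUTFILE [FILTER]
# The two-step variant: capture to a file on the remote host until Ctrl-C
# (ssh -t forwards the interrupt to tcpdump), then scp it back for analysis.
# The optional BPF filter narrows the capture, e.g. "host 192.168.179.50".
save_capture() {
    host=$1; iface=$2; out=$3; filter=${4:-}
    remote_tmp="/tmp/capture.$$.pcap"
    ssh -t "$host" "$REMOTE_SUDO tcpdump -s0 -i $iface -w $remote_tmp $filter"
    scp "$host:$remote_tmp" "$out"
    ssh "$host" "rm -f $remote_tmp"
}

case "${1:-}" in
    live) shift; live_capture "$@" ;;
    save) shift; save_capture "$@" ;;
    *)    echo "usage: $0 live HOST IFACE [PORT] | save HOST IFACE OUTFILE [FILTER]" >&2 ;;
esac
```

Run it as `./remote_capture.sh live pi wlan0` for the live view, or `./remote_capture.sh save pi wlan0 wlan0.pcap 'host 192.168.179.50'` to collect a filtered capture and open the copied file in Wireshark afterwards. When the ssh session reaches the host over a different interface than the one being captured (Dave's Ethernet-to-wlan0 case), the port filter is harmless; when it is the same interface, it is what keeps the capture usable.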
On Mon, 27 Sep 2021 19:33:31 +0200 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
I also tried installing tcpdump on the pi and got that to display in the opensuse xterm I'm running ssh to the pi in. But I don't understand how to connect that to wireshark.
You run tcpdump on the pi with the -s0 and the -w<file> options to capture packets according to your spec. Copy the packet capture to wherever for analysis with wireshark.
Thanks Per. That works. I suspect I have a more fundamental problem now. I don't see any traffic from the device I'm trying to inspect. I suspect that is because it is connected via a mesh repeater and there's nothing else on that repeater's wifi network. They're all on the main router's mesh master wifi. So whilst everything can talk to one another happily via the router, I suspect tcpdump can't see the packets?
Dave Howorth wrote:
On Mon, 27 Sep 2021 19:33:31 +0200 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
I also tried installing tcpdump on the pi and got that to display in the opensuse xterm I'm running ssh to the pi in. But I don't understand how to connect that to wireshark.
You run tcpdump on the pi with the -s0 and the -w<file> options to capture packets according to your spec. Copy the packet capture to wherever for analysis with wireshark.
Thanks Per. That works.
Good stuff. I'm going to look at what Andrei suggested with the tshark, that looked interesting.
I suspect I have a more fundamental problem now. I don't see any traffic from the device I'm trying to inspect. I suspect that is because it is connected via a mesh repeater and there's nothing else on that repeater's wifi network. They're all on the main router's mesh master wifi. So whilst everything can talk to one another happily via the router, I suspect tcpdump can't see the packets?
You have two wifi access points, one has only your Raspi, the other has all the other wireless devices?
-- Per Jessen, Zürich (18.0°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On Tue, 28 Sep 2021 13:42:14 +0200 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
I suspect I have a more fundamental problem now. I don't see any traffic from the device I'm trying to inspect. I suspect that is because it is connected via a mesh repeater and there's nothing else on that repeater's wifi network. They're all on the main router's mesh master wifi. So whilst everything can talk to one another happily via the router, I suspect tcpdump can't see the packets?
You have two wifi access points, one has only your Raspi, the other has all the other wireless devices?
I have a Fritz!Box router that has all my wireless devices connected to it including the pi, but NOT the device I'm trying to monitor. That has connected itself via a Fritz!Repeater that's meshed to the router. But the device can talk to an app on a phone on the router's network. They all have addresses in 192.168.179.*
Dave Howorth wrote:
On Tue, 28 Sep 2021 13:42:14 +0200 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
I suspect I have a more fundamental problem now. I don't see any traffic from the device I'm trying to inspect. I suspect that is because it is connected via a mesh repeater and there's nothing else on that repeater's wifi network. They're all on the main router's mesh master wifi. So whilst everything can talk to one another happily via the router, I suspect tcpdump can't see the packets?
You have two wifi access points, one has only your Raspi, the other has all the other wireless devices?
I have a Fritz!Box router that has all my wireless devices connected to it including the pi, but NOT the device I'm trying to monitor. That has connected itself via a Fritz!Repeater that's meshed to the router. But the device can talk to an app on a phone on the router's network. They all have addresses in 192.168.179.*
If you are connected to the Raspi via the wlan interface, a tcpdump on wlan0 will show the port 22 traffic at the very least. You're running something like this: ?
tcpdump -s0 -w/tmp/something.pcap -i wlan0
-- Per Jessen, Zürich (16.7°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Tue, 28 Sep 2021 18:19:10 +0200 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
On Tue, 28 Sep 2021 13:42:14 +0200 Per Jessen <per@computer.org> wrote:
Dave Howorth wrote:
I suspect I have a more fundamental problem now. I don't see any traffic from the device I'm trying to inspect. I suspect that is because it is connected via a mesh repeater and there's nothing else on that repeater's wifi network. They're all on the main router's mesh master wifi. So whilst everything can talk to one another happily via the router, I suspect tcpdump can't see the packets?
You have two wifi access points, one has only your Raspi, the other has all the other wireless devices?
I have a Fritz!Box router that has all my wireless devices connected to it including the pi, but NOT the device I'm trying to monitor. That has connected itself via a Fritz!Repeater that's meshed to the router. But the device can talk to an app on a phone on the router's network. They all have addresses in 192.168.179.*
If you are connected to the Raspi via the wlan interface, a tcpdump on wlan0 will show the port 22 traffic at the very least.
I'm connected to the pi by its Ethernet connection (192.168.1.24) and it's acting as a bridge to the wireless network (192.168.179.*). I can see lots of traffic on the wireless network, just not the device connected via the repeater.
You're running something like this: ?
tcpdump -s0 -w/tmp/something.pcap -i wlan0
Yes exactly that apart from the filename :)
Dave Howorth wrote:
I'm connected to the pi by its Ethernet connection (192.168.1.24) and it's acting as a bridge to the wireless network (192.168.179.*). I can see lots of traffic on the wireless network, just not the device connected via the repeater.
You're running something like this: ?
tcpdump -s0 -w/tmp/something.pcap -i wlan0
Yes exactly that apart from the filename :)
Hehe, that's a good filename though :-) Well, if you're not seeing anything on wlan0, let us make sure there is something. Run a "ping <pi-wifi-addr>" from elsewhere and then try your tcpdump again. I presume the wlan interface does have an address?
-- Per Jessen, Zürich (16.3°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
participants (4)
- Andrei Borzenkov
- Dave Howorth
- James Knott
- Per Jessen