If you created a rather large tcpdump and are having issues with Wireshark taking forever.. then split your tcpdump into smaller files.
|
1 2 3 |
tcpdump -r old_file -w new_files -C 10 </code>This will read from large tcpdump files say 1.5GB..and create 150 10MB files called new_files{1..150}. Or do 100 for 100MB which will create ~15 smaller files. |
tcpdump -vvv -i eth0 -s 0 port bootps
In bash, remote capture is possible with the following command:
|
1 |
> wireshark -k -i <(ssh -l root remote-host dumpcap -w - not tcp port 22) |
The main problem is that you have to exclude the traffic generated by the ssh session from capturing. Several patches are available to do this, but excluding port 22 is probably the easiest solution for now.
The second problem is that ssh cannot ask for a password on stdin. You should either set up ssh-agent, or setup passwordless ssh keys , so that you don’t need a password.
This can be worked around by combining SSH with a FIFO, this is typically how I setup my sessions.
|
1 2 3 |
$ mkfifo /tmp/sharksess $ wireshark -k -i /tmp/sharksess & $ ssh user@remote-host "tcpdump -w - not port 22" > /tmp/sharksess |
sudo tcpdump -Atq -s 0 -i eth0
