
In my day-to-day operations, I frequently need to run tcpdump on remote servers, and it's a pain to save the output to a file and then have to move the file to my laptop to analyze it in Wireshark.

I was exploring the command below, and it works fine in Linux:

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | wireshark -k -i -

But, unfortunately, the work laptop provided by my company has Windows on it, and they don't allow me to change to another OS. Given this restriction, I was trying to achieve the same result, but in Windows...

If I execute the following command in Windows in a PowerShell window

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

I get this error:

At line:1 char:87
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                                                                   ~~
Unexpected token '-k' in expression or statement.
At line:1 char:44
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Expressions are only allowed as the first element of a pipeline.
At line:1 char:90
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                                                                      ~~
Unexpected token '-i' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

If I execute the Wireshark command without the ssh part I get the same error, but if I execute it like this

& 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

it opens Wireshark and waits for data input. With this in mind I tried to change the command to

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | & 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

This way the ssh command gets executed and tcpdump starts on the remote host, but Wireshark never starts. What am I doing wrong? Why does the piped command that is most similar to the one in Linux not work in Windows? Is piping different?

BANJOSA

2 Answers

As mentioned by @Jasen in the comments, I attempted the command without using PowerShell but instead using Git Bash on Windows 10.

#!/bin/bash
server="<remote-host>"   # placeholder for the capture target (user@host); quoted so the angle brackets are not parsed as redirections
iface="ens6"             # remote interface to capture on
# tcpdump on the remote host writes pcap to stdout (-w -), ssh relays the bytes,
# and Wireshark reads them from stdin (-i -) and starts capturing immediately (-k)
ssh "$server" "tcpdump -s 0 -U -n -w - -i $iface not port 22" | wireshark -k -i -

This script assumes you have Git Bash and Wireshark installed on your Windows machine, as well as the server and host communicating via public key authentication. Make sure you have root privileges when using tcpdump. Port 22 is explicitly ignored so ssh traffic is not visible during the packet sniffing session.

kyrlon

Piggybacking on @kyrlon's answer, I was able to use git-bash to run this with the following one-line command:

(Based off the answers here: How can I sniff the traffic of remote machine with wireshark?)

ssh user@host sudo tcpdump -U -s0 'not port 22' -i enp118s0 -w - | wireshark -k -i -

(Note I added tcpdump to the sudoers file as passwordless for myself to make this simpler)

In order to be able to use this from PowerShell, you can launch git-bash from the PS prompt with the following:

For an interactive shell:

& "C:\Program Files\Git\bin\bash.exe" -i -l

To run a command:

& "C:\Program Files\Git\bin\bash.exe" -c "command"

I combined these in my PowerShell profile (C:\Users\username\Documents\WindowsPowerShell\profile.ps1) to create a shortcut:

function capture-remote {
    & "C:\Program Files\Git\bin\bash.exe" -c "ssh user@host sudo tcpdump -U -s0 'not port 22' -i enp118s0 -w - | wireshark -k -i -"
}

Now restart your PowerShell window, and you can launch Wireshark with remote packet capture via the capture-remote command.

You can further enhance this a bit by adding parameters to the function above for things like the user, host, etc.

function capture-remote ($User = "default-user", $RemoteHost = "default-host") {
    # $host is a read-only PowerShell automatic variable and cannot be used as a
    # parameter name, so the second parameter is $RemoteHost; the defaults are
    # placeholder strings and must be quoted to parse
    & "C:\Program Files\Git\bin\bash.exe" -c "ssh ${User}@${RemoteHost} sudo tcpdump -U -s0 'not port 22' -i enp118s0 -w - | wireshark -k -i -"
}

Then from the PS prompt call capture-remote user host.

bjg222
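As an added example that is not code from either answer above, here is a parameterised Git Bash script wrapping the same `ssh ... tcpdump -w - | wireshark -k -i -` pipeline that both answers use. It assumes `ssh` and `wireshark` are on the PATH inside Git Bash, that the remote user can run tcpdump via passwordless sudo, and that login is key-based. The function names (`build_remote_cmd`, `capture_remote`) and the sample interface, port and filter values are this example's own. Because ssh hands the command string to the remote login shell, the interface name and the extra capture filter are checked before they are interpolated into it.

```shell
#!/usr/bin/env bash
# Added example, not code from the answers above: a parameterised wrapper around
# "ssh ... tcpdump -w - | wireshark -k -i -", meant to be run from Git Bash.
# Assumes: ssh and wireshark on PATH, passwordless sudo for tcpdump on the
# remote host, key-based ssh login. Function names are this example's own.
set -eu

# ssh passes the remote command to the remote login shell, so anything
# interpolated into it is evaluated there. Only accept characters that a Linux
# interface name can actually contain.
validate_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
    return 0
}

# Build the remote tcpdump command. The capture filter always excludes the ssh
# port that carries the capture itself; otherwise every captured packet is sent
# over ssh, captured again, sent again, and the stream feeds on itself.
# Args: iface [ssh_port] [extra pcap filter, ANDed with the port exclusion]
build_remote_cmd() {
    iface="$1"
    ssh_port="${2:-22}"
    extra_filter="${3:-}"
    validate_iface "$iface" || { echo "bad interface name: $iface" >&2; return 1; }
    # The filter is placed inside single quotes on the remote side; a single
    # quote in it would end that quoting and let the rest run as shell, so refuse it.
    case "$extra_filter" in
        *\'*) echo "filter must not contain single quotes" >&2; return 1 ;;
    esac
    filter="not port ${ssh_port}"
    if [ -n "$extra_filter" ]; then
        filter="${filter} and (${extra_filter})"
    fi
    # -U: flush per packet so Wireshark shows traffic live
    # -s0: full snaplen, -n: no name lookups on the remote host, -w -: pcap to stdout
    printf "sudo tcpdump -U -s0 -n -i %s -w - '%s'" "$iface" "$filter"
}

# Run the capture: ssh relays the pcap bytes from the remote stdout to ours,
# Wireshark reads them from stdin (-i -) and starts capturing at once (-k).
# Args: user@host iface [ssh_port] [extra pcap filter]
capture_remote() {
    target="$1"
    remote_cmd="$(build_remote_cmd "$2" "${3:-22}" "${4:-}")"
    ssh -p "${3:-22}" "$target" "$remote_cmd" | wireshark -k -i -
}

# Example invocation (placeholder target, constructed for this example):
#   ./capture-remote.sh run user@remote-host eth0 22 'host 10.0.0.5'
if [ "${1:-}" = "run" ]; then
    shift
    capture_remote "$@"
fi
```

Saved as `capture-remote.sh`, it can be called from PowerShell the same way the answer shows, with `& "C:\Program Files\Git\bin\bash.exe" -c "./capture-remote.sh run user@host eth0"`; the `-p` port is both used for the ssh connection and excluded from the capture, so changing the ssh port keeps the capture from recording itself.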