
I'm looking to capture packets from a remote server network interface. The remote server is running CentOS and has tshark installed. I'm working on a Windows 8 machine with Wireshark installed.

I've found this brief tutorial, but it's more for the home user. I've no UI on my server so I need to do all setup in the terminal over ssh. I also found this question, but it doesn't seem complete or correct.

I'm looking to capture all incoming data on a particular port, but I can figure that bit out easily enough. It's getting the capture itself working that's the main issue.

Also, does capturing remotely mean that the data won't be saved on the remote server itself? Or will it be saved on both my laptop and the server?

1 Answer


You can capture several packets on the remote server with tcpdump, saving them to local disk. Then download the saved dump to your computer through ssh/sftp/scp and open the downloaded file in Wireshark.

First, you should install tcpdump: yum install -y tcpdump. After successfully installing it, you can start the capture: tcpdump -c 10 -s 0 -w filename.dump -nnni any port 18123. This command will capture ten packets from or to port 18123 and save these packets to the file filename.dump.

Also, you can remove the key -c 10 from the tcpdump command line. In this case tcpdump will capture all data on port 18123 until ctrl-c is pressed.

  • I've already come to the same conclusion myself, and installed tcpdump. To get tcpdump to only save incoming packets do I change any to inbound in your example?
    – mal
    Commented Apr 21, 2016 at 11:46
  • what does -nnni do? I can't see any reference to it in the tcpdump man pages
    – mal
    Commented Apr 21, 2016 at 11:48
  • any is the parameter for the command line switch -i. It accepts a network interface name or any. If your server does not have an interface called inbound, you will get an error. Inbound packets can be filtered by replacing the filter part: port 18123. More details you can find in man pcap-filter. Commented Apr 21, 2016 at 12:04
  • 1
    "what does -nnni do?" The same thing that -ni does, because multiple n flags don't do anything different from one n flag. And what -ni does is the same thing that -n -i does, i.e. it turns off name resolution (which actually doesn't make a difference with -w, it only matters when dissecting packets, not when saving raw packets to a savefile) and uses the command line token after the flag as the name of the interface - "any" in this case.
    – user164970
    Commented Apr 21, 2016 at 21:09
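The workflow from the answer, with the direction question from the comments handled through the capture filter, as an added example that is not part of the original post or of tcpdump's own tooling: the tcpdump command is assembled on the client, run on the server over ssh, copied back with scp and then checked locally. The remote user@host, the port and count, sudo access on the server and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: remote capture over ssh, copy with scp, verify locally.
# REMOTE (user@host), PORT, COUNT, DIRECTION and the paths are placeholders.
set -eu

# Build the tcpdump command that runs on the server. There is no interface
# called "inbound" (-i takes a real interface or any), so direction is
# expressed in the capture filter: in = dst port, out = src port, both = port.
# A count of 0 omits -c, i.e. capture until ctrl-c, as the answer describes.
build_tcpdump_cmd() {
    port="$1"; count="$2"; direction="$3"; outfile="$4"
    case "$direction" in
        in)   filter="dst port $port" ;;
        out)  filter="src port $port" ;;
        both) filter="port $port" ;;
        *)    echo "bad direction: $direction (use in|out|both)" >&2; return 1 ;;
    esac
    cmd="tcpdump -nn -i any -s 0"
    [ "$count" -gt 0 ] && cmd="$cmd -c $count"
    cmd="$cmd -w $outfile '$filter'"
    printf '%s\n' "$cmd"
}

# Check that a downloaded file really is a capture: classic pcap magic in
# either byte order (plus the nanosecond variants) or the pcapng block magic.
is_pcap_file() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# Capture on the server, pull the file down and verify the copy. The file is
# written on the server first and still exists there after scp; it is only
# removed once the local copy has been checked.
remote_capture() {
    remote="$1"; port="$2"; count="$3"; direction="$4"; local_out="$5"
    remote_file="/tmp/capture-$$.pcap"
    cmd=$(build_tcpdump_cmd "$port" "$count" "$direction" "$remote_file")
    # -t allocates a pty so a local ctrl-c reaches tcpdump when no count is set
    ssh -t "$remote" "sudo $cmd"
    scp "$remote:$remote_file" "$local_out"
    remote_sum=$(ssh "$remote" "sha256sum $remote_file" | cut -d' ' -f1)
    local_sum=$(sha256sum "$local_out" | cut -d' ' -f1)
    [ "$remote_sum" = "$local_sum" ] || { echo "checksum mismatch" >&2; return 1; }
    is_pcap_file "$local_out" || { echo "$local_out is not a pcap file" >&2; return 1; }
    ssh "$remote" "rm -f $remote_file"
}

# Usage: sh remote_capture.sh user@server 18123 10 in capture.pcap
if [ "$#" -eq 5 ]; then remote_capture "$@"; fi
```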
