07 March 2014

Wireshark over SSH ... over SSH

Feeding Wireshark a live capture from a remote machine over SSH is not a very complex task, and there are many solutions for this on the web. The task becomes slightly more complex when you can only reach the machine you want to capture on through another machine (e.g. you SSH to machine A and from there SSH to machine B).
This is the solution I found, using FIFO pipes.
On the remote machine you want to capture on (hostB), create a FIFO. Do the same on the intermediary machine (hostA). If other users share either host, restrict the FIFO's permissions when you create it: anyone who can open it for reading can read the raw capture.
mkfifo /tmp/wirefifo
On your local machine, read the intermediary's FIFO over SSH and pipe it into Wireshark (-k starts capturing immediately, -i - reads the capture from stdin):
ssh user@hostA "cat /tmp/wirefifo"  | wireshark -k -i -
On the intermediary machine (hostA), read the capture host's FIFO over SSH and write it into hostA's own FIFO:
ssh user@hostB "cat /tmp/wirefifo" > /tmp/wirefifo
The last step is to start tcpdump on the capture host (hostB, as root or with capture privileges) and write its output to the FIFO. -U flushes each packet to the pipe as soon as it is captured and -w - writes pcap to stdout. The filter not port 22 keeps the SSH session that carries the capture out of the capture itself; without it, every packet sent to hostA would generate new packets to capture. If the hop from hostA to hostB uses a different port, adjust the filter accordingly.
tcpdump -s 0 -U -n -w - -i any not port 22 > /tmp/wirefifo
Wireshark should now be showing the packets captured by tcpdump. Note that opening a FIFO blocks until both a reader and a writer have it open, so nothing flows until all three commands are running, but the order in which you start them does not matter.
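The three commands above as a small set of shell helpers, added here as an example and not code from the original post. The host names (hostA, hostB) and user names are placeholders; the FIFO is created in a private temporary directory with mode 0600 instead of at a fixed path in /tmp, and the tcpdump filter is built from the port the relay's SSH session actually uses. The demo function at the end exercises the FIFO hand-off locally, with a constructed payload standing in for tcpdump's output, so the blocking behaviour can be seen without ssh or root.

```shell
#!/bin/sh
# Added example, not code from the original post: the two-hop FIFO relay
# as helper functions. Host and user names are placeholders.
set -eu

# Create the relay FIFO in a fresh private directory with mode 0600 rather
# than at a predictable path in /tmp: another local user could otherwise
# pre-create /tmp/wirefifo (mkfifo then fails) or open the FIFO and read the
# capture. Prints the FIFO path.
make_private_fifo() {
    dir=$(mktemp -d)
    mkfifo -m 600 "$dir/wirefifo"
    printf '%s\n' "$dir/wirefifo"
}

# tcpdump command for the capture host (hostB). ssh_port is the port of the
# SSH session that carries the capture out of hostB; excluding it stops the
# capture feeding back on itself. An optional extra BPF expression is ANDed.
# -U flushes every packet to the pipe as soon as it is captured, -w - writes
# pcap to stdout, -n avoids reverse DNS lookups that would add traffic.
capture_cmd() {
    iface=$1
    ssh_port=$2
    extra=${3:-}
    filter="not port $ssh_port"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf "tcpdump -s 0 -U -n -w - -i %s '%s'\n" "$iface" "$filter"
}

# Command typed on the intermediary host (hostA): read hostB's FIFO over SSH
# and write it into hostA's own FIFO.
relay_cmd() {
    target=$1
    remote_fifo=$2
    local_fifo=$3
    printf "ssh %s 'cat %s' > %s\n" "$target" "$remote_fifo" "$local_fifo"
}

# Command typed on the analyst's workstation: read hostA's FIFO over SSH and
# hand the pcap stream to Wireshark (-k: start at once, -i -: read stdin).
reader_cmd() {
    jump=$1
    fifo=$2
    printf "ssh %s 'cat %s' | wireshark -k -i -\n" "$jump" "$fifo"
}

# Local demonstration of the FIFO hand-off without ssh or tcpdump: a
# background printf stands in for tcpdump writing into the FIFO, a foreground
# cat stands in for the ssh "cat" reader. Each open blocks until the other
# end is attached, which is why the real commands can be started in any
# order. Prints the number of bytes relayed.
fifo_relay_demo() {
    fifo=$(make_private_fifo)
    payload='constructed sample capture bytes'   # constructed stand-in for pcap data
    printf '%s' "$payload" > "$fifo" &            # writer: blocks until a reader opens
    got=$(cat "$fifo")                             # reader: returns at writer EOF
    wait
    rm -rf "$(dirname "$fifo")"
    [ "$got" = "$payload" ] || return 1
    printf '%s\n' "${#got}"
}

# Print the three commands to paste into the three terminals, e.g.
#   sh twohop.sh user@hostA user@hostB any 22
if [ "$#" -ge 2 ]; then
    jump=$1; target=$2; iface=${3:-any}; port=${4:-22}
    echo "# on $target (as root), after: mkfifo -m 600 /tmp/wirefifo"
    echo "$(capture_cmd "$iface" "$port") > /tmp/wirefifo"
    echo "# on $jump, after: mkfifo -m 600 /tmp/wirefifo"
    relay_cmd "$target" /tmp/wirefifo /tmp/wirefifo
    echo "# locally"
    reader_cmd "$jump" /tmp/wirefifo
fi
```

Two practical notes. not port 22 drops every SSH flow on hostB, not only the relay's; if you need to see other SSH traffic there, pass a narrower expression such as not (host hostA-address and port 22) via the extra argument instead. And with OpenSSH 7.3 or later (released in 2016, after this post), the FIFOs are no longer needed: ssh -J user@hostA user@hostB 'tcpdump ... -w -' | wireshark -k -i - authenticates end to end through the jump host in one command, with the same filter caveat on hostB.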
