Index:


Network

  • Performing remote Wireshark and tcpdump over SSH

    tcpdump can write its capture to standard output, and Wireshark can read a capture from standard input. SSH can run a command on a remote host and stream that command's output back to you.

    Together these let you run a remote Wireshark capture quickly and easily. One nice use is capturing on a Ubiquiti router. For example:

    ssh 192.168.0.1 'sudo tcpdump -U -i eth1 -w - port 53' | /Applications/Local/Wireshark.app/Contents/MacOS/Wireshark -k -i -

    This SSHes to my home router and starts tcpdump on interface eth1, writing pcap output to stdout ('-w -') and capturing only port 53. The stream is piped into Wireshark on my local machine (-k is "start capturing immediately", -i selects the interface, in this case stdin (-)). Two details matter in practice: -U makes tcpdump flush each packet as it is captured (when writing to a pipe it otherwise block-buffers, and Wireshark sits empty until the buffer fills), and the capture filter must exclude the SSH session itself. Here "port 53" already does that; with no filter you would capture the pcap stream being sent back to you, which generates more traffic, which gets captured, and so on. tcpdump's -f only changes how foreign IPv4 addresses are printed and has no effect with -w, so it is not needed.
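    The pipeline above wrapped in a small script, as an added example that is not code from the original page. It builds the BPF filter so the SSH session is always excluded, adds -U so packets stream immediately, and single-quotes the filter for the remote shell. The host, interface, filter and the Wireshark fallback path are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original page: wrapper for ssh | tcpdump | Wireshark.
# Host, interface, filter and the Wireshark path are assumptions from the caller.
set -eu

# AND the caller's BPF filter with an exclusion for the SSH session itself.
# Without this an empty filter captures the pcap stream being sent back to us,
# which produces more packets, which get captured: a feedback loop.
build_filter() {
    user_filter=$1
    ssh_port=${2:-22}
    if [ -z "$user_filter" ]; then
        printf 'not port %s' "$ssh_port"
    else
        printf '(%s) and not port %s' "$user_filter" "$ssh_port"
    fi
}

# The command run on the remote host. -U flushes each packet to stdout as it is
# captured (pcap output to a pipe is otherwise block-buffered); -w - writes pcap
# to stdout, which ssh relays to our side. The filter is single-quoted so the
# remote shell does not interpret its parentheses; filters that themselves
# contain single quotes are not supported by this wrapper.
remote_cmd() {
    iface=$1
    filter=$2
    printf "sudo tcpdump -U -i %s -w - '%s'" "$iface" "$filter"
}

# Locate Wireshark: PATH first, then the standard macOS bundle path (assumed).
find_wireshark() {
    if command -v wireshark >/dev/null 2>&1; then
        command -v wireshark
    else
        echo /Applications/Wireshark.app/Contents/MacOS/Wireshark
    fi
}

# Usage: remote_capture HOST IFACE [BPF_FILTER]
remote_capture() {
    host=$1
    iface=$2
    filter=$(build_filter "${3:-}")
    # -k: start capturing immediately; -i -: read the capture from stdin
    ssh "$host" "$(remote_cmd "$iface" "$filter")" | "$(find_wireshark)" -k -i -
}

# e.g.  ./remote_cap.sh --run 192.168.0.1 eth1 'port 53'
if [ "${1:-}" = "--run" ]; then
    remote_capture "${2:?host}" "${3:?interface}" "${4:-}"
fi
```

    If the router's sshd listens on a non-default port, pass it as the second argument to build_filter; otherwise the capture loop returns as soon as the user filter is empty.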

  • Turning a Linux machine into an Ethernet tap.

    Sometimes you need to sniff traffic between two devices but don't have a handy Ethernet tap / NetOptics box with you.

    You can simply configure a machine with two NICs (or USB-to-Ethernet dongles) to act as a bridge, and then tcpdump the bridge interface:

    set up a transparent bridge (no IP address on br0 and STP off, so the tap never emits frames of its own; the member interfaces must be up or nothing is forwarded):
    brctl addbr br0;
    brctl stp br0 off;
    brctl addif br0 eth1;
    brctl addif br0 eth2;
    ifconfig eth1 0.0.0.0 up;
    ifconfig eth2 0.0.0.0 up;
    ifconfig br0 up;
    tcpdump -n -i br0;
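    The same tap built with iproute2 instead of the deprecated brctl, with teardown and a dry-run mode, as an added example that is not code from the original page. It also forwards the 01:80:C2:00:00:0X link-local frames (LLDP, EAPOL) that a Linux bridge drops by default, which matters if you want the two devices to behave exactly as they would on a plain cable. It assumes Linux with the bridge module and root for a real run; br0, eth1 and eth2 are placeholder names supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original page: transparent tap via iproute2.
# Assumes Linux with the bridge module and root for a real run; br0/eth1/eth2
# are placeholder names passed in by the caller.
set -eu

# Execute a command, or with DRY_RUN=1 just print it, so the plan can be
# inspected without touching any interface.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create bridge BR from ports A and B. No address is put on BR and STP is off,
# so the tap never originates a frame: the two devices see only each other.
tap_up() {
    br=$1; a=$2; b=$3
    run ip link add name "$br" type bridge stp_state 0
    # A Linux bridge drops 01:80:C2:00:00:0X link-local frames (LLDP, 802.1X
    # EAPOL, ...) unless told to forward them. Bits 0-2 (STP BPDU, MAC pause,
    # LACP) can never be enabled, so 0xfff8 is the most transparent mask.
    run ip link set "$br" type bridge group_fwd_mask 0xfff8
    run ip link set "$a" master "$br"
    run ip link set "$b" master "$br"
    # Member links must be up or the bridge forwards nothing.
    run ip link set "$a" up
    run ip link set "$b" up
    run ip link set "$br" up
}

tap_down() {
    br=$1; a=$2; b=$3
    run ip link set "$a" nomaster
    run ip link set "$b" nomaster
    run ip link del "$br"
}

# Capture on the bridge; extra arguments are passed through as a BPF filter.
# -n avoids name lookups, so the tap host does not emit DNS queries mid-capture.
capture() {
    br=$1; shift
    run tcpdump -n -i "$br" "$@"
}

# Usage:  ./tap.sh up br0 eth1 eth2 ;  ./tap.sh cap br0 port 53 ;  ./tap.sh down br0 eth1 eth2
case "${1:-}" in
    up)   tap_up   "${2:?bridge}" "${3:?port a}" "${4:?port b}" ;;
    down) tap_down "${2:?bridge}" "${3:?port a}" "${4:?port b}" ;;
    cap)  shift; capture "$@" ;;
esac
```

    Run it with DRY_RUN=1 first to see the exact ip commands it will issue. On a laptop with NetworkManager or a DHCP client running, stop them from managing the two tap ports first, or they will put addresses on the ports and the tap stops being silent.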