Tcpdump sniffing piped directly to Wireshark

Edit: while my suggestion below is not invalid, there is in fact a specialy OpenWRT page that I had initially missed:

So maybe this is useful here.
I was busy sniffing to wireshark using my OpenWRT switch port mirror config, when I found an easier and more flexible way.

Basically use tcpdump into a netcat and pipe it directly into Wireshark on my PC.
So you can view nice Wireshark UI from any OpenWRT device

Just two commands, on OpenWRT and PC respectively:
tcpdump -s 0 -U -w - -i eth0 | ncat <host> 36000
ncat -l 36000 | wireshark.exe -k -i -


  • netcat or ncat on both OpenWRT and PC
  • tcpdump or tcpdump-mini on OpenWRT
  • Wireshark on PC

You could just type the commands directly in the command line, but I made two small scripts for myself to make it easy.

Store the shell anywhere (I put it in /etc/config/ so it gets backed up)
Store the command file in the same folder as Wireshark (C:/Program Files/Wireshark/Whiresharkpipe.cmd)

Example call: ./ br-lan not port 22


# $1  Interface to listen (optional, eth0 default)
# $2+ Filter criteria (optional)
# note that port 36000 is automatically filtered
# but likely you want to als filter: not port 22
# on the receiving machine, you need to run
#       ncat -l 36000 | Wireshark.exe -k -i -
# or use accomponied windows command script
# Sources and ideas:
# tcpdump to nc   :
# Wireshark pipe  :
# ncat for windows:
# example filters (use and/or to combine)
# port 5060          # only SIP port
# not port 22        # not my ssh terminal
# host       # only to/from this host
# net # only to/from this network
# proto \icmp        # only icmp (some keywords need \escaping)
# ip4                # only ip4 (you also get 6in4 tunnel)



[ -z "$1" ] && IFC="${DFT}"
SEL="not port ${PORT}"
[ -n "$1" ] && SEL="( $* ) and not port ${PORT}"

CMD1="tcpdump -s 0 -U -w - -i ${IFC} ${SEL}"
CMD2="ncat ${HOST} ${PORT}"

echo ${CMD1} \| ${CMD2}
#tcpdump -s 0 -U -w - -i ${IFC} ${SEL} | ncat ${HOST} ${PORT}
${CMD1} | ${CMD2}

exit $?
@echo off

echo Run this file on Windows from within Wireshark program folder.
echo Matching command on OpenWRT:
echo  "tcpdump -s 0 -U -w - -i eth0  | ncat <wireshark host> 36000"
echo Possibly answer to windows firewall question for port 36000.

cd %~d0
cd %~dp0

echo Running Wireshark . . .
ncat -l 36000 | wireshark.exe -k -i -

echo Press Ctrl-C to end, or any key to rerun.
goto loop

How is this easier than activating port mirroring in swconfig?

Well, that is a little subjective, and there may still be use for that.
But I had that setup first, and please consider the following:

With hardware switch mirror:

  • you cannot check wlan0 interface, only wlan traffic if it happens to be routed to WAN or LAN
    (same for VPN tunnel traffic)
  • ideally you need to dedicate a port, and have an extra cable to your PC
    (or mix your normal PC access with the switch traffic somehow)
  • You can pre-filter what you want to see in Wireshart
    (filter on IP or port etc)
  • You need to modify the configuration of OpenWRT, with risk of making a mistake, or at least need to restart network or switch service

Additional, with this solution:

  • no need for any direct connection to the device
  • no need to mess with PC wired connections, interface settings etc
  • You can even sniff even a OpenWRT on a different location, debugging devices far away, through VPN
1 Like

Isn't it a less secure/convenient version of the sshdump source for Wireshark?

.... why yes. it probably is. Never heard of that one. Thanks for pointing it out.

However, sshdump does not seem available as package on OpenWRT?
Also, about less secure... somewhat. I mean, it is open traffic on the wire already.

Question: If sshdump would be a package, would it still need tcpdump as dependancy, or does it have it's own pcap stuff?

sshdump is a companion to the Wireshark application, so it's only relevant on the machine on where you execute Wireshark.

  1. Start Wireshark interactive UI

  2. Select & configure the "SSH remote capture" interface

  3. Fill address + SSH credentials of the target machine (e.g. OpenWrt router containing the tcpdump tool) + tcpdump filter

In other words, you need the following on the capturing host:

  • tcpdump command
  • SSH server

On the client side, you need:

  • Wireshark with its sshdump companion (not sure if it's installed by default), no need for root/admin access

ssh root@openwrt.lan tcpdump -i eth1 -U -s0 -w - 'not port 22' | sudo wireshark -k -i -


@Fiouz @trendy
Both very good suggestions, and I guess I could have used ssh in stead of netcat, as at the very least it will save me a netcat dependency, as well as avoid some firewall issues on port 36000

However, I suspect sshdump is only when you use Wireshark on Linux/Unix bases. Sorry guys, though I do a lot of Linux for speciality functions, my day to day machine is still windows (and iSeries). Same for the "sudo" suggestion, but yes I could probably pipe some Putty tunnel.


Addendum: It seems there is already a manual page that I missed:

1 Like

sshdump is available on Windows, and it is part of the Wireshark distribution (if you don't have it, maybe you did not select it during installation). Here is what the previous screenshot would trigger behind the scene:



Uninstalled, reinstalled. And indeed, it is there in the default distro, but it is not selected by default.
Selected it this time, and it cannot miss, right there in the interface list: SSH remote capture.

So yes, your remark this me messing with netcat is a less secure and less convenient method to do something that already exists is correct. That's half a day I am not getting back.

Anyway, this works very nicely, thanks.

Well, netcat probably is computationally cheaper, so it has that going for it :wink: (think capturing from a router that is close to being CPU bound....)

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.