So maybe this is useful here.
I was busy sniffing into Wireshark using my OpenWRT switch port-mirror config when I found an easier and more flexible way.
Basically, pipe tcpdump into netcat and from there directly into Wireshark on my PC.
So you can view the nice Wireshark UI for any OpenWRT device.
Just two commands, on OpenWRT and PC respectively:
tcpdump -s 0 -U -w - -i eth0 | ncat <host> 36000
ncat -l 36000 | wireshark.exe -k -i -
Requirements:
netcat or ncat on both OpenWRT and PC
tcpdump or tcpdump-mini on OpenWRT
Wireshark on PC
You could just type the commands directly on the command line, but I made two small scripts for myself to make it easy.
Store the shell script anywhere (I put it in /etc/config/wireshark.sh so it gets backed up)
Store the command file in the same folder as Wireshark (C:/Program Files/Wireshark/Whiresharkpipe.cmd)
Example call: ./wireshark.sh br-lan not port 22
#!/bin/sh
# $1 Interface to listen on (optional, eth0 default)
# $2+ Filter criteria (optional)
# Note that port 36000 (the ncat transport) is automatically filtered,
# but you likely also want to filter your own ssh session: not port 22
#
# On the receiving machine you need to run
# ncat -l 36000 | Wireshark.exe -k -i -
# or use the accompanying Windows command script.
#
# Sources and ideas:
# tcpdump to nc : http://jordanmorris.com/remote-network-capture-with-tcpdump-and-ncat/
# Wireshark pipe : https://ask.wireshark.org/question/20370/wireshark-ssh-capture-plink-tcpdump/
# ncat for windows: https://nmap.org/ncat/
#
# Example filters (use and/or to combine)
# port 5060 # only SIP port
# not port 22 # not my ssh terminal
# host 1.1.1.1 # only to/from this host
# net 192.168.1.0/24 # only to/from this network
# proto \icmp # only icmp (some keywords need \escaping; quote it as 'proto \icmp' on the command line so the shell keeps the backslash)
# ip # only IPv4 (you also get 6in4 tunnel traffic); use ip6 for IPv6 only
HOST=192.168.19.181   # PC running "ncat -l 36000 | wireshark"
PORT=36000
DFT=eth0
#--------------------
IFC=${1:-$DFT}
[ $# -gt 0 ] && shift
# Always exclude the capture transport itself, otherwise every captured
# packet generates more packets to capture. A user filter is grouped in
# parentheses so "a or b" does not bind wrongly against the "and not port".
SEL="not port ${PORT}"
[ -n "$1" ] && SEL="( $* ) and not port ${PORT}"
# -s 0: full packets, -U: flush after every packet so Wireshark updates live,
# -w -: write pcap to stdout. The filter is passed to tcpdump as one argument.
echo "tcpdump -s 0 -U -w - -i ${IFC} '${SEL}' | ncat ${HOST} ${PORT}"
tcpdump -s 0 -U -w - -i "${IFC}" "${SEL}" | ncat "${HOST}" "${PORT}"
@echo off
rem Receiving side: ncat listens for the router's pcap stream and feeds it
rem to Wireshark's stdin (-k starts capturing immediately, -i - reads stdin).
echo Run this file on Windows from within the Wireshark program folder.
echo Matching command on OpenWRT:
echo "tcpdump -s 0 -U -w - -i eth0 | ncat <wireshark host> 36000"
echo You may have to allow ncat through the Windows firewall for port 36000.
rem Change to the folder holding this script and wireshark.exe (/d also switches drive)
cd /d "%~dp0"
:loop
pause
echo Running Wireshark . . .
ncat -l 36000 | wireshark.exe -k -i -
echo Press Ctrl-C to end, or any key to rerun.
goto loop
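As an added example (not code from the post above), here is a small POSIX sh helper that composes the sender-side command the way the script does, keeping the self-exclusion filter and the parenthesised user filter, and that also prints the ssh variant discussed later in the thread, which needs no ncat and no open port on the PC. The function names, the hypothetical host 192.168.19.181 and the login root@192.168.1.1 are assumptions for illustration; nothing here touches the network, it only builds the command lines.

```shell
# Added example, not from the forum post. Builds the capture pipelines
# used in the thread; nothing is executed, so it can be inspected offline.

# capture_filter PORT [FILTER...]
# Prints a BPF filter that excludes PORT (the transport carrying the capture,
# otherwise the capture captures itself) AND-ed with the optional user filter.
# The user filter is wrapped in parentheses so "a or b" binds correctly.
capture_filter() {
    cf_port=$1
    shift
    if [ $# -gt 0 ]; then
        printf '( %s ) and not port %s\n' "$*" "$cf_port"
    else
        printf 'not port %s\n' "$cf_port"
    fi
}

# tcpdump_cmd IFACE PORT [FILTER...]
# -s 0 full snaplen, -U flush after every packet (live view in Wireshark),
# -w - pcap to stdout. The filter is single-quoted as one argument so the
# remote shell passes it through untouched (backslashes survive).
tcpdump_cmd() {
    td_iface=$1
    td_port=$2
    shift 2
    printf "tcpdump -s 0 -U -w - -i %s '%s'\n" "$td_iface" "$(capture_filter "$td_port" "$@")"
}

# netcat_pipeline HOST PORT IFACE [FILTER...]
# The post's method: plaintext, pushed from the router to a listening PC.
# Anyone on the path can read (or inject into) the capture stream.
netcat_pipeline() {
    nc_host=$1
    nc_port=$2
    nc_iface=$3
    shift 3
    printf '%s | ncat %s %s\n' "$(tcpdump_cmd "$nc_iface" "$nc_port" "$@")" "$nc_host" "$nc_port"
}

# ssh_pipeline USER@HOST IFACE [FILTER...]
# Pulled from the PC side over ssh: encrypted, authenticated, no ncat and
# no inbound firewall hole. The ssh session itself is excluded (port 22).
ssh_pipeline() {
    sp_target=$1
    sp_iface=$2
    shift 2
    printf 'ssh %s "%s" | wireshark -k -i -\n' "$sp_target" "$(tcpdump_cmd "$sp_iface" 22 "$@")"
}

# Stand-alone use: print both variants for the given interface and filter, e.g.
#   sh capture_cmds.sh br-lan not port 22
if [ $# -gt 0 ]; then
    netcat_pipeline 192.168.19.181 36000 "$@"
    ssh_pipeline root@192.168.1.1 "$@"
fi
```

The ssh form is the one to prefer for the reasons the thread arrives at: the pcap stream is encrypted and only the router's ssh key holder can produce it, whereas the `ncat -l 36000` listener accepts a pcap stream from whoever connects first. If you do stay with ncat, the Nmap ncat linked in the post has an `--allow <host>` option to restrict the listener to the router's address; that limits who can connect but does not encrypt anything.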
@Fiouz @trendy
Both very good suggestions, and I guess I could have used ssh instead of netcat, as at the very least it will save me a netcat dependency, as well as avoid some firewall issues on port 36000.
However, I suspect sshdump is only available when you use Wireshark on Linux/Unix-based systems. Sorry guys, though I do a lot of Linux for speciality functions, my day-to-day machine is still Windows (and iSeries). Same for the "sudo" suggestion, but yes, I could probably pipe through some PuTTY tunnel.
Thanks
Addendum: It seems there is already a manual page that I missed:
sshdump is available on Windows, and it is part of the Wireshark distribution (if you don't have it, maybe you did not select it during installation). Here is what the previous screenshot would trigger behind the scenes:
Uninstalled, reinstalled. And indeed, it is there in the default distro, but it is not selected by default.
Selected it this time, and it cannot miss, right there in the interface list: SSH remote capture.
So yes, your remark that me messing with netcat is a less secure and less convenient way to do something that already exists is correct. That's half a day I am not getting back.