Commit b85e470

Merge pull request #73 from rknall/improve-wireshark-ssh-documentation
Improve Wireshark remote capture documentation
2 parents e7a3b1b + d207b8b commit b85e470

1 file changed

+29
-2
lines changed


content/docs/wiki/general/traffic-sniffing.md

Lines changed: 29 additions & 2 deletions
@@ -58,8 +58,9 @@ You can use mitmproxy, mitmweb or mitmdump. I prefered mitmweb
5858
./mitmweb --verbose --web-host 0.0.0. --mode transparent --set client_certs=/root/client.pem --ssl-insecure -s /root/toniebox.cert-validity.py
5959
```
6060

61-
## Using wireshark over ssh
62-
You'll need to install tcpdump on you target system. I also disabled password auth for sudoing tcpdump.
61+
## Using Wireshark over SSH
62+
63+
You'll need to install tcpdump on your target system. I also disabled password auth for sudoing tcpdump.
6364
```
6465
$ nano /etc/sudoers.d/tcpdump
6566
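Review bot: the reworded paragraph at new line 63 still says "disabled password auth for sudoing tcpdump", which is ambiguous; since the paragraph is being touched anyway, state plainly that the sudoers drop-in grants NOPASSWD for tcpdump only. In the unchanged context right after it, `$ nano /etc/sudoers.d/tcpdump` is better written as `sudo visudo -f /etc/sudoers.d/tcpdump`, which syntax-checks the file before saving; a malformed file under sudoers.d can break sudo for every user. Adjacent but unrelated to this change: the mitmweb context line contains `--web-host 0.0.0.`, which looks truncated and should probably read `0.0.0.0`.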
@@ -70,6 +71,32 @@ Attach pcap-group to tcpdump
7071
sudo chgrp pcap /usr/bin/tcpdump
7172
sudo chmod 750 /usr/bin/tcpdump
7273
```
74+
75+
### SSH key authentication
76+
For secure and convenient authentication, create a dedicated SSH key for remote capture:
77+
```
78+
ssh-keygen -t ed25519 -f ~/.ssh/wireshark_capture -C "wireshark remote capture"
79+
ssh-copy-id -i ~/.ssh/wireshark_capture.pub user@hackiebox
80+
```
81+
82+
### Remote capture with sshdump (recommended)
83+
Wireshark includes **sshdump**, an extcap utility that captures packets from remote hosts over SSH directly within Wireshark's interface. This is the recommended cross-platform approach.
84+
85+
Open Wireshark and look for **SSH remote capture** interfaces in the interface list. Double-click to configure:
86+
| Setting | Value |
87+
|---------|-------|
88+
| Remote SSH server address | `hackiebox` |
89+
| Remote SSH server port | `22` |
90+
| Remote interface | `ens19` |
91+
| Remote capture command | `tcpdump` |
92+
| Use sudo on the remote machine | enable |
93+
| Remote capture filter | `not port 22` |
94+
| Path to SSH private key | `~/.ssh/wireshark_capture` |
95+
96+
- [Wireshark sshdump manual](https://www.wireshark.org/docs/man-pages/sshdump.html)
97+
- [Video tutorial: Remote Packet Capture with Wireshark](https://www.youtube.com/watch?v=jYuHS-2g0BM)
98+
99+
### Using pipes (alternative)
73100
I suggest you to ssh once into your machine to confirm the signature. Then you can run wireshark over the command and then enter the password to start tcpdump
74101
```
75102
ssh user@hackiebox sudo tcpdump -i ens19 -U -s0 -w - 'not port 22' | wireshark -k -i -
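Review bot: the sshdump settings table has no "Remote SSH server username" row, so a reader who followed the key section (`ssh-copy-id -i ~/.ssh/wireshark_capture.pub user@hackiebox`) is never told to enter `user` in that field; add a row for it. The `ssh-keygen` command will prompt for a passphrase; say whether to set one, because a passphrase-protected key then needs either the passphrase (sshdump has a separate passphrase setting) or a running ssh-agent before the capture can start. The "Using pipes (alternative)" paragraph kept below the new heading still says "then enter the password to start tcpdump", which contradicts the NOPASSWD sudoers setup earlier on the page; reword it to say a password is only asked for if NOPASSWD was not configured. Minor grammar in that same line: "I suggest you to ssh once" should be "I suggest you ssh once".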
