So I was roughing through some tcpdump output looking at dns requests, when it dawned on me … “Hey, this would be hella easier if I could sort through all this in Wireshark!” But this box I was on had no gui, and I didn’t want to increase attack vectors on the machine by installing a xserver etc. So I figured there had to be a way to do this with ssh forwarding. … So I did some google’ing and learned about file descriptors and how tcpdump can output raw tcp to stdout. Wireshark can read in this as a interface aswell. Since I’m lazy, I wanted to do this from my Windows 7 Dev box, it was a requirement to install cygwin with an xserver on it. I don’t think win32 Wireshark can read in named pipes.
Here it is, … from my xterm bash shell on my windows 7 box with cgywin … ssh -X firstname.lastname@example.org
Then ssh root@boxIwant.ToSniff “tcpdump -i eth0 -w -” | wireshark -k -i –
This pops up wireshark using stdout from the ssh’d tcpdump session. You can do all your various filters in wonderful wireshark bliss.
Happy Sniffing …
ps. Thanks to Napkins for helping me from over analyzing.