Wireshark Capture on Remote Server
To get an insight into the traffic going around the place, I've been using Wireshark and its ability to capture remotely. It's really simple, so I thought I'd write down my "recipe" on how to do this in case it's useful.
You will need:
- Wireshark installed on both host and guest (this is an easy way to get dumpcap installed on the guest even if it’s headless)
- A working SSH connection to the guest. For vagrant setups, you can usually just type vagrant ssh.
What we're actually going to do is SSH into the guest, run dumpcap, and ask it to write its output (a pcap stream) to stdout. Then we'll feed the output of that command straight into Wireshark, which is happy to read from an "interface" that is really just a file descriptor rather than a network card. Ready?
My command looks like this:
wireshark -k -i <(vagrant ssh -c "sudo dumpcap -P -i any -w - -f 'not tcp port 22'" -- -ntt)
I'll try to walk through the various components in turn in case you need to change any of these pieces to work with your system.
The wireshark bit runs Wireshark on your host platform. The -k starts a capture immediately and the -i specifies the interface, and we just direct data at where it thinks the interface is. The <( ) around the SSH command is bash process substitution: the shell runs the command inside the brackets and hands Wireshark a file-like path from which it reads that command's output.
vagrant ssh just SSHes into your vagrant box; you could substitute another SSH command here. Since it's vagrant's SSH, we need the -c switch to tell it the next thing is a command, and quote that.
Finally we have the dumpcap command, which runs on the guest and captures network traffic, allowing you to inspect what the website said to the API and so on. Things you are likely to want to change here are the -i value (it specifies the interface, but I'm using Wireshark's special "any" because I don't care which network interface, such as eth0, wlan0 or lo, the traffic is going over) and possibly the filter specified by -f (but only add to this one: you don't want to capture the traffic of the traffic you're capturing, because then the universe may cancel itself out or something).
Note: I needed the -ntt on the end when I upgraded to Vagrant 4.3, but I'm not really sure why!
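As an added example (not part of the original post), here is a small bash script that assembles the same pipeline from its pieces, so that the "only add to the filter" rule is enforced mechanically: whatever extra capture filter you pass is combined with "not tcp port 22" using "and", which keeps the SSH session carrying the capture out of the capture. It assumes, as the post does, that the guest is reached with vagrant ssh over TCP port 22 and already has dumpcap installed; the function names and the "run" argument are my own invention.

```shell
#!/bin/bash
# Added example, not from the original post. Assumptions (hypothetical):
# the guest is reachable with "vagrant ssh", dumpcap is installed there,
# and the SSH session rides on TCP port 22.

SSH_PORT=22

# Build the dumpcap capture filter. Any user-supplied filter is appended
# with "and", so the capture's own SSH traffic can never sneak back in.
build_capture_filter() {
    base="not tcp port $SSH_PORT"
    if [ -n "$1" ]; then
        printf '%s and (%s)' "$base" "$1"
    else
        printf '%s' "$base"
    fi
}

# Build the command that runs on the guest: dumpcap writing pcap to stdout.
# $1 = interface ("any" captures every interface), $2 = optional extra filter
build_remote_command() {
    iface=${1:-any}
    filter=$(build_capture_filter "$2")
    printf "sudo dumpcap -P -i %s -w - -f '%s'" "$iface" "$filter"
}

# Build the full host-side command line as a string, for review or logging.
build_host_command() {
    remote=$(build_remote_command "$1" "$2")
    printf 'wireshark -k -i <(vagrant ssh -c "%s" -- -ntt)' "$remote"
}

# With "run" as the first argument the capture actually starts
# (e.g. ./capture.sh run any 'tcp port 80'); otherwise the script only
# shows the command it would execute.
if [ "${1:-}" = "run" ]; then
    wireshark -k -i <(vagrant ssh -c "$(build_remote_command "$2" "$3")" -- -ntt)
else
    build_host_command "$2" "$3"
    echo
fi
```

Without arguments the script just prints the command from the post, so you can check the quoting before anything is started; pass an extra filter such as 'host 10.0.2.2' as the third argument and it is wrapped in parentheses and joined to the SSH exclusion rather than replacing it.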
Hopefully this might be useful to someone, if you're doing something similar or you adapt these instructions, would you please share your tips in the comments? I find I'm using these techniques more and more, but I'm not reading much about them (yet).
This also works on OS X, but there are a couple of wrinkles to be aware of:
1. The command line will not work unless you have started the X11 application first.
2. control+click doesn’t bring up the context menu – use a mouse with two buttons or two fingers on the trackpad!
This trick is awesome. Worked like a charm for me on OSX host + Ubuntu Vagrant box. Thanks a lot.