Wireshark Capture on Remote Server

The joind.in project uses a really nice vagrant setup for its dev platform – which is much needed these days as we move away from a single LAMP stack install to a website plus another website, which talks to an API and caches in redis and deploys with …. you get the picture :) This is great but having everything on the VM can make it a bit trickier to debug what’s going on – and with a website that talks to an API that talks to MySQL, that all lives on a VM with port forwards, you can see the problem :)

To get an insight into the traffic going around the place, I've been using Wireshark and its ability to read a capture stream that was produced somewhere else. It's really simple, so I thought I'd write down my "recipe" for doing this in case it's useful.

You will need:

  • Wireshark installed on the host, and dumpcap installed on the guest (installing Wireshark there is the easy way to get dumpcap even on a headless box; on Debian/Ubuntu the wireshark-common package on its own provides it)
  • A working SSH connection to the guest. For vagrant setups, you can usually just type vagrant ssh.

What we're actually going to do is SSH into the guest, run dumpcap there, and ask it to write its output (a pcap stream) to stdout. Then we'll feed the output of that command straight into Wireshark on the host, which can read a capture from a pipe as if it were a network interface. Ready?

My command looks like this:

wireshark -k -i <(vagrant ssh -c "sudo dumpcap -P -i any -w - -f 'not tcp port 22'" -- -ntt)

I'll try to walk through the various components in turn in case you need to change any of these pieces to work with your system.

The wireshark bit runs Wireshark on your host. The -k starts capturing immediately and the -i names the interface to capture from ... except that here the "interface" is a pipe that the shell hands us, and Wireshark reads the pcap stream from it.

The <( ) is bash process substitution: the shell runs the command inside the brackets and replaces the whole expression with a path (something like /dev/fd/63) from which that command's output can be read, so Wireshark is handed a pipe where it expected an interface name. This is a bash feature; in a plain POSIX shell you can get the same effect by piping the SSH command into wireshark -k -i -, where -i - tells Wireshark to read from its standard input.

vagrant ssh just SSHes into your Vagrant box; you could substitute any other SSH command here. Since it's Vagrant's wrapper around ssh, we need the -c switch to tell it that the next (quoted) thing is a command to run on the guest, and anything after -- is passed straight through to the underlying ssh.

Finally we have the dumpcap command, which runs on the guest and captures network traffic, allowing you to inspect what the website said to the API and so on. It runs under sudo because capturing needs raw socket privileges (the alternative is to give dumpcap the capabilities it needs and add your user to the wireshark group, which on Debian/Ubuntu dpkg-reconfigure wireshark-common sets up for you). The -P makes it write classic pcap rather than pcapng, which is the format you want when the stream is being piped elsewhere, and -w - sends that stream to stdout so SSH carries it back to the host. Things you are likely to want to change are the -i value (the interface to capture on; I'm using "any", which is Linux's pseudo-interface that sees eth0, wlan0, lo and everything else at once, the trade-off being that packets arrive in Linux "cooked" form rather than with their real Ethernet headers) and possibly the capture filter given with -f. Only add to this one (for example 'not tcp port 22 and port 3306'): the 'not tcp port 22' part excludes the SSH session that carries the capture, and without it every captured packet would generate SSH traffic that gets captured in turn, so you'd be capturing the traffic of the traffic you're capturing and the universe may cancel itself out or something. Note that it also hides any other SSH traffic on the guest; if you need to see that, narrow the exclusion to the address your capture session connects from.

Note: I needed the -ntt on the end when I upgraded to Vagrant 4.3, but I'm not really sure why!
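The recipe above wrapped as a small script, written for this page as an added example (it is not the post's own code): it generalises from vagrant ssh to any SSH host, builds the capture filter so the SSH session carrying the capture is always excluded before any extra BPF expression is added, and uses the portable pipe form (wireshark -k -i -) instead of bash process substitution. The function names, the script name and the 10.0.2.2 address in the usage comment are ours, not the post's. It assumes ssh(1) can reach the guest, that dumpcap is installed there, and that sudo dumpcap runs without prompting (no pseudo-terminal is requested, so a password prompt would just hang).

```shell
#!/bin/sh
# remote-capture.sh  (added example, not code from the original post)
# Remote capture: dumpcap on the guest writes pcap to stdout, ssh carries
# it home, Wireshark on the host reads it from its own stdin.
# Assumed: ssh reaches the guest, dumpcap is installed there, sudo does not prompt.

# Capture filter for dumpcap -f. The guest-side sshd port is excluded
# first; any extra BPF expression is AND-ed on inside parentheses so that
# an "or" in it cannot re-include the session carrying the capture.
build_capture_filter() {
  sshd_port="$1"
  extra="${2:-}"
  if [ -z "$extra" ]; then
    printf 'not tcp port %s' "$sshd_port"
  else
    printf 'not tcp port %s and (%s)' "$sshd_port" "$extra"
  fi
}

# Command that runs on the guest.
#   -P    write classic pcap rather than pcapng
#   -i    interface; "any" is the Linux pseudo-interface covering every NIC and lo
#   -w -  write packets to stdout so ssh carries them back to the host
#   -f    kernel-side capture filter, applied before packets reach dumpcap
remote_dumpcap_cmd() {
  iface="$1"
  filter="$2"
  printf "sudo dumpcap -P -i %s -w - -f '%s'" "$iface" "$filter"
}

# The full host-side pipeline as a string, for a dry run before capturing.
# ssh -n keeps ssh from reading our stdin; "-i -" makes Wireshark read the
# pcap stream from standard input (the portable form of bash's <( ... )).
capture_pipeline() {
  host="$1"; ssh_port="$2"; iface="$3"; filter="$4"
  remote=$(remote_dumpcap_cmd "$iface" "$filter")
  printf 'ssh -n -p %s %s "%s" | wireshark -k -i -' "$ssh_port" "$host" "$remote"
}

# Actually run it.
run_capture() {
  host="$1"; ssh_port="$2"; iface="$3"; filter="$4"
  remote=$(remote_dumpcap_cmd "$iface" "$filter")
  ssh -n -p "$ssh_port" "$host" "$remote" | wireshark -k -i -
}

# Usage: ./remote-capture.sh user@host [ssh_port] [iface] [extra_bpf]
#   e.g. ./remote-capture.sh vagrant@127.0.0.1 2222 any 'port 80 or port 3306'
# GUEST_SSHD_PORT is the port sshd listens on *inside* the guest; with Vagrant's
# port forwarding you connect to 2222 on the host but the guest still sees 22.
if [ $# -ge 1 ]; then
  filter=$(build_capture_filter "${GUEST_SSHD_PORT:-22}" "${4:-}")
  echo "running: $(capture_pipeline "$1" "${2:-22}" "${3:-any}" "$filter")" >&2
  run_capture "$1" "${2:-22}" "${3:-any}" "$filter"
fi
```

For the Vagrant case the connect port is the forwarded one (2222 by default) while the filter keeps excluding port 22, because that is where sshd lives from the guest's point of view. If you'd rather not hand the capture user sudo, Debian and Ubuntu can instead give /usr/bin/dumpcap the cap_net_raw and cap_net_admin capabilities and restrict it to the wireshark group (dpkg-reconfigure wireshark-common does this), after which the sudo in remote_dumpcap_cmd can be dropped and the command runs with the least privilege it needs.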

Hopefully this might be useful to someone, if you're doing something similar or you adapt these instructions, would you please share your tips in the comments? I find I'm using these techniques more and more, but I'm not reading much about them (yet).

2 thoughts on “Wireshark Capture on Remote Server”

  1. This also works on OS X, but there are a couple of wrinkles to be aware of:

    1. The command line will not work unless you have started the X11 application first.
    2. control+click doesn’t bring up the context menu – use a mouse with two buttons or two fingers on the trackpad!

  2. This trick is awesome. Worked like a charm for me on OSX host + Ubuntu Vagrant box. Thanks a lot.
