Remote Real Time Packet Capture With Wireshark and pfsense

LTS_Tom · January 12, 2020, 4:44pm

Commands from video:
Make sure wireshark allows user to run dumppcap
sudo dpkg-reconfigure wireshark-common (choose yes)
sudo chmod +x /usr/bin/dumpcap

To Run Wireshark as root from a non-root user
sudo su -c 'wireshark -k -i <(ssh root@192.168.1.1 -p 22 tcpdump -i mvneta0 -U -w - )'

Run as user
wireshark -k -i <(ssh root@172.16.69.112 -p 222 tcpdump -i xn2 -U -w - )

Run as user exclude Tom computer ip of 192.168.3.9
wireshark -k -i <(ssh root@172.16.69.112 -p 222 tcpdump -i xn2 host not 192.168.3.9 -U -w - )

kevdog · January 14, 2020, 2:06pm

Excuse my ignorance, but anyway to pull the VLAN tag information using this method?

LTS_Tom · January 14, 2020, 5:26pm

Yes, in the example below, adding the .1337 to the igb0 interface it will only capture VLAN 1337.

wireshark -k -i <(ssh root@192.168.3.1 -p 22 tcpdump -i igb0.1337 host not 192.168.3.9 -U -w - )