Analyse Traffic Remotely over SSH with your Local WireShark Application

Tcpdump (remote) and WireShark (local) can be combined to analyse your router’s traffic

While I was debugging my DDWRT router, I wanted to analyse some traffic between my DDWRT router and my iPhone. Usually I perform a MITM attack for thus purpose, but I recently found that tcpdump could be installed on DDWRT. WireShark can thus be used to analyse the traffic dumped locally by the remote tcpdump tool.

Some other examples can be found on the following page: analyze traffic remotely over ssh w/ Wireshark. Unfortunately, at the time I'm writting this article, FIFO files combined with pipes are not supported by Wireshark under MacOS. To bypass this limitation, all traffic must be stored in a file using the following command line:

ssh root@ROUTERIP tcpdump -i wl0.1 -U -s0 -w - 'not port 22' > /tmp/wiresharkanalyse_01 &

The traffic dumped by tcpdump is written locally in the file /tmp/wiresharkanalyse01. WireShark can be used to open this file. The only disadvantage is that you must perform a reload of the file to refresh the newly dumped traffic (there is a button in WireShark to do this).

If you really want the FIFO functionality, you should use another OS or another Wireshark version to be able to use pipes/FIFO files tricks. Or, you can also install a decent version of WireShark using MacPorts if you are running MacOS X.

Happy debug!

Related terms: