@ElijahLynn
Last active October 8, 2024 20:15
Remote tcpdump stream to wireshark

Archived from https://twitter.com/ElijahLynn/status/1144399526452588545

Just had to debug yum returning a 503 on a server deep in a private network, but curl worked fine. Was able to use tshark and pipe it to my local wireshark and re-assemble the HTTP request that finally told me it was blocked by the internet gateway and who to email!

Here is the command that piped the tshark dump in realtime to my local Wireshark GUI. Don't worry about the CLI filter, because we can just use display filters to get what we want. Then find a GET packet, right-click, and choose "Follow" > TCP||HTTP Stream.

ssh user@host 'sudo /usr/sbin/tshark -i eth0 -f "port !22" -w -' | wireshark -k -i -

Ahh, the only reason this worked was because the URL was http. Need to figure out how to do https now.
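To show what the "Follow stream" step recovers from such a capture, here is an added example (not part of the gist) that reads a pcap byte stream of the kind `tshark -F pcap -w -` produces and pulls out the HTTP request and status lines from each TCP payload. It assumes classic pcap rather than tshark's default pcapng, plaintext HTTP as in the gist, and the sample capture below is constructed inline, not real traffic.

```python
import struct
def pcap_packets(data):
    """Yield each packet's bytes from classic pcap data (what `tshark -F pcap -w -` streams)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = "<" if magic in (0xA1B2C3D4, 0xA1B23C4D) else ">"  # magic tells us the byte order
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(end + "IIII", data, off)[2]  # bytes captured for this record
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_flow(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or struct.unpack_from("!H", frame, 12)[0] != 0x0800 or frame[23] != 6:
        return None  # not IPv4 over Ethernet, or not TCP
    ip = frame[14:]
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4  # TCP header length, in bytes
    addr = lambda a: ".".join(map(str, a))
    return addr(ip[12:16]), sport, addr(ip[16:20]), dport, tcp[doff:]

def http_lines(data):
    """First line of each HTTP request or response seen, tagged with its TCP endpoints."""
    out = []
    for frame in pcap_packets(data):
        flow = tcp_flow(frame)
        if flow is None or not flow[4]:
            continue
        src, sport, dst, dport, payload = flow
        first = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        if first.startswith("HTTP/") or first.split(" ")[0] in ("GET", "HEAD", "POST"):
            out.append(f"{src}:{sport} -> {dst}:{dport}  {first}")
    return out

# Constructed sample capture (not real traffic): one GET and the 503 a gateway could answer with.
def _frame(src, sport, dst, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    frame = b"\x00" * 12 + struct.pack("!H", 0x0800) + ip  # zeroed MAC addresses
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _frame("10.0.0.5", 41000, "10.0.0.1", 80, b"GET /repodata/repomd.xml HTTP/1.1\r\nHost: mirror.example\r\n\r\n")
    + _frame("10.0.0.1", 80, "10.0.0.5", 41000, b"HTTP/1.1 503 Service Unavailable\r\n\r\nBlocked by gateway"))

if __name__ == "__main__":
    print("\n".join(http_lines(SAMPLE_PCAP)))
```

Piped after `ssh ... | python3 this.py` in place of Wireshark, the same functions give a quick terminal view of which request drew the 503 before opening the full GUI.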

ElijahLynn commented Dec 6, 2023

Would like to figure out how to do this with a docker container.

e.g. https://hub.docker.com/r/cincan/tshark