Skip to content

Instantly share code, notes, and snippets.

@milesrichardson

milesrichardson/wireshark-remote-capture-ssh-docker.md

Last active October 15, 2025 16:28
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save milesrichardson/fcec8c6d54a21845dd9f8f6be73484d1 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save milesrichardson/fcec8c6d54a21845dd9f8f6be73484d1 to your computer and use it in GitHub Desktop.
Download ZIP
bash command to open wireshark and capture packets in a remote docker container on a remote machine over SSH
Raw
wireshark-remote-capture-ssh-docker.md

capture those packets

run this command on local machine where wireshark is installed (e.g. MacOS)

export raw_pcap="$(mktemp -t pcap-raw)" ; \
echo "Raw pcap: $raw_pcap" ; \
wireshark -k -i <(ssh [email protected] '\
  docker run --rm \
    --net container:$(docker ps -qf name=haproxy) \
    nicolaka/netshoot:latest \
      tcpdump -s 0 -U -n -w - -i eth0 tcp' \
| tee "$raw_pcap")

In this example:

  • remote docker host is my-cool-server.example.com
  • remote docker container is haproxy (technically the first running container with a name matching haproxy)
  • use image nicolaka/netshoot (dockerhub, github, Dockerfile)
  • capture packets on interface eth0 inside docker container (also see any)
  • some important tcpdump args for remote capture, see explainshell
  • capture tcp packets on eth0 interface (you can replace tcp with any tcpdump filter, e.g. tcp not src port 53)
  • save the raw output to temporary file prefixed with pcap-raw and stored in $pcap_raw (helpful to have a raw copy of the pcap when you close wireshark, although note that wireshark will also create and print a temp file with the name)

Output will look like this (and wireshark should launch):

Raw pcap: /var/folders/np/djbv9lnn5wd62yrs60zxh_p40000gn/T/pcap-raw.goXKpbLr
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
 ** (wireshark:58572) 02:13:53.903682 [Capture MESSAGE] -- Capture Start ...
 ** (wireshark:58572) 02:13:53.995127 [Capture MESSAGE] -- Capture started
 ** (wireshark:58572) 02:13:53.995149 [Capture MESSAGE] -- File: "/var/folders/np/djbv9lnn5wd62yrs60zxh_p40000gn/T/wireshark_63PSVVQ1.pcapng"
 ** (wireshark:58572) 02:16:51.367252 [Capture MESSAGE] -- Capture Stop ...
 ** (wireshark:58572) 02:16:51.433234 [Capture MESSAGE] -- Capture stopped.

is the wireshark command missing?

Unless you installed it via brew, it might not be available or added to your $PATH. You can add it yourself once you find it. On my Mac it's here:

/Applications/Wireshark.app/Contents/MacOS/wireshark

You can also find some installers here, including Add Wireshark to the system path.pkg which you might want to double click:

❯ ls -l /Applications/Wireshark.app/Contents/Resources/Extras/

Add Wireshark to the system path.pkg
Install ChmodBPF.pkg
Remove Wireshark from the system path.pkg
Uninstall ChmodBPF.pkg

You can open that folder in finder (so you can double click the installers) with:

open /Applications/Wireshark.app/Contents/Resources/Extras/
@Kas-tle
Copy link

Kas-tle commented Apr 16, 2024
edited
Loading

I found on windows it can work quite simply in powershell as well:

ssh my-server 'sudo docker run --rm --net container:$(sudo docker ps -qf name=haproxy) nicolaka/netshoot:latest tcpdump -s 0 -U -n -w - ' | wireshark -k -i -

You just have to add the wireshark folder to your path which is not part of the default install so that can be a bit annoying.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment