Remote Packet Capture with Wireshark

This guide explains how to configure Wireshark for remote packet capture over SSH using tcpdump.

Prerequisites

Configuring Remote Capture in Wireshark

Steps in Wireshark

  1. Navigate to: Capture → Options → Manage Interfaces.

  2. Click the options icon next to SSH Remote Capture.

  3. Enter the interface details:

    • Remote SSH Server Address: server IP address
    • Remote SSH Server Port: 22
  4. In the Authentication tab, provide:

    • Username
    • Password
  5. In the Capture tab, specify the Remote Capture Command, for example:

    sudo /usr/sbin/tcpdump -U -i eth0 -w - not port 22

    This captures all traffic on eth0 while excluding SSH traffic on port 22.

    Tip: To exclude additional ports, extend the capture filter with and not port <port_number> for each port, for example not port 22 and not port 443.

  6. Save the configuration and click Start to begin capturing.
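The command from step 5, generated by a small helper that also applies the tip about excluding further ports and shows the manual ssh-to-Wireshark pipeline that the SSH Remote Capture interface performs for you. This is an added example, not part of the original guide; the user, host and interface names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide). Builds the tcpdump command that
# Wireshark's SSH Remote Capture runs on the server and the equivalent manual
# pipeline. User, host and interface values are constructed placeholders.

# build_capture_cmd IFACE PORT [PORT...]
# Emits: sudo /usr/sbin/tcpdump -U -i IFACE -w - not port P1 and not port P2 ...
# Ports and interface are validated because the result runs under sudo on the
# remote host; never pass unchecked values into that command.
build_capture_cmd() {
    iface=$1; shift
    [ $# -ge 1 ] || { echo "build_capture_cmd: need at least one port" >&2; return 1; }
    case $iface in
        ''|*[!A-Za-z0-9_.:-]*) echo "invalid interface: $iface" >&2; return 1 ;;
    esac
    filter=""
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
        # pcap filter primitives must be joined with "and"; juxtaposition is a syntax error
        if [ -z "$filter" ]; then
            filter="not port $p"
        else
            filter="$filter and not port $p"
        fi
    done
    # -U: packet-buffered output so Wireshark sees frames as they arrive
    # -w -: write pcap to stdout, which is streamed back over the SSH channel
    printf '%s\n' "sudo /usr/sbin/tcpdump -U -i $iface -w - $filter"
}

# manual_pipeline USER HOST IFACE PORT [PORT...]
# The GUI setup done by hand: tcpdump over ssh, pcap stream fed to wireshark
# on stdin (-i - reads stdin, -k starts capturing immediately).
manual_pipeline() {
    user=$1; host=$2; shift 2
    cmd=$(build_capture_cmd "$@") || return 1
    printf '%s\n' "ssh $user@$host '$cmd' | wireshark -k -i -"
}

build_capture_cmd eth0 22
build_capture_cmd eth0 22 443 8080
manual_pipeline analyst capture-host.example eth0 22
```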

Notes

Warning: Capturing all traffic can generate large files. Apply filters where possible to focus on relevant traffic.

Copyright Notice

Author: selfhost.casa

Link: https://selfhost.casa/posts/remote-packet-capture-with-wireshark/

License: CC BY-NC-SA 4.0

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please attribute the source, use non-commercially, and maintain the same license.
