I want to capture packets from a remote server using Wireshark. I have a Linux-based server and I can access it through PuTTY. This remote server is not on my network. How could I access the remote server's packets, especially the MQTT protocol, from my home using Wireshark?

I used a remote SSH configuration, but it seems I can't capture the data.

screenshot of wireshark

Andrew Schulman

2 Answers

You can run Wireshark on the remote server (e.g. via ssh) and transfer the results back to your machine for convenience.

E.g. this article has an example:

ssh root@server.com 'tshark -f "port !22" -w -' | wireshark -k -i -

It'll run the capture on the remote machine and pipe the results to your local Wireshark, where you'd be able to see the results in a nice GUI.

rvs

Similar to @rvs's answer:

ssh myuser@remote-server.example.com sudo tcpdump --dont-verify-checksums -i any -U -s0 -w - 'port 1883 and src 192.168.0.22' | wireshark -k -i -

Differences:

  • make use of sudo
  • use tcpdump instead of tshark

Please mind: you have to install tcpdump on your "server".

Is it possible to capture the loopback interface on the remote server in the same way?

Yes, see the parameter -i any? --> any interface

ppuschmann
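
A wrapper around the pipeline from the two answers, added here as an example and not written by either answerer: it validates the interface and port before they reach the remote shell, refuses to capture the SSH port that carries the stream, and uses sudo -n so a missing sudo rule fails at once instead of hanging on a password prompt. The function names and the host are hypothetical, and a passwordless sudo rule for tcpdump on the server is assumed.

```shell
#!/bin/sh
# Added example (not from the answers). build_remote_capture prints the command
# to run on the server; remote_capture runs it and feeds Wireshark locally.

# $1 = interface (any, lo, eth0, ...)   $2 = TCP port to capture (1883 = MQTT)
# $3 = port of the SSH session that carries the capture (default 22)
# Prints the remote command line, or returns 1 on an unsafe argument.
build_remote_capture() {
    iface=$1 port=$2 ssh_port=${3:-22}
    # The string is parsed again by the remote shell, so accept only
    # characters that cannot change its meaning there.
    case $iface in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    for p in "$port" "$ssh_port"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    # Capturing the SSH port would record the capture stream itself and loop.
    [ "$port" -ne "$ssh_port" ] || { echo "refusing to capture the SSH port" >&2; return 1; }
    # sudo -n: fail rather than prompt (this pipe has no terminal).
    # -n: no name lookups, -U: flush each packet, -s0: full packet length.
    printf 'sudo -n tcpdump -n -U -s0 -i %s -w - "tcp port %s"' "$iface" "$port"
}

# $1 = user@host (hypothetical, e.g. myuser@remote-server.example.com)
# $2 = interface   $3 = port to capture   $4 = SSH port (default 22)
remote_capture() {
    cmd=$(build_remote_capture "$2" "$3" "$4") || return 1
    ssh -p "${4:-22}" "$1" "$cmd" | wireshark -k -i -
}
```

Logging in as an unprivileged user and granting only tcpdump through sudo keeps the capture from requiring a root SSH login.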