2

In my day-to-day operations, I frequently need to run tcpdump on remote servers, and it's a pain to save the output to a file and then have to move the file to my laptop to analyze it in Wireshark.

I was exploring the command below, and it works fine in Linux:

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | wireshark -k -i -

But, unfortunately, my work laptop that is provided by my company has Windows on it, and they don't allow me to change to another OS. Given this restriction, I was trying to achieve the same result, but in Windows...

If I execute the following command in Windows in PowerShell

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

I get this error:

At line:1 char:87
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                                                                   ~~
Unexpected token '-k' in expression or statement.
At line:1 char:44
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Expressions are only allowed as the first element of a pipeline.
At line:1 char:90
+ ...  -i eth0 -U -w - | 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -
+                                                                      ~~
Unexpected token '-i' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

If I execute the wireshark command without the ssh part I get the same error, but if I execute it like this

& 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

It opens Wireshark and waits for data input. With this in mind I tried to change the command to

ssh <remote_host> sudo tcpdump -vv -i eth0 -U -w - | & 'C:\Program Files\Wireshark\Wireshark.exe' -k -i -

This way the ssh command gets executed and the tcpdump starts in the remote host, but Wireshark never starts. What am I doing wrong? Why does the piped command that is most similar to the one in Linux not work in Windows? Is piping different?

BANJOSA
  • looks like a powershell problem to me... perhaps try using cmd instead? – Jasen Jun 18 '21 at 12:13
  • You, sir, are a genius! Thanks for the hint. It works in CMD, indeed it seems to be an issue with PowerShell. But, if the user needs a password to execute the TCPDUMP, which usually it needs, then the error `GetConsoleMode on hOutputConsole failed with 6` is presented. – BANJOSA Jun 18 '21 at 14:08
  • There's probably a way to do it with powershell, but I don't know much about powershell. You should probably add the powershell tag and remove some of the unnecessary tags. – Jasen Jun 19 '21 at 00:38

1 Answer

0

As mentioned by @Jasen in the comments, I attempted the command without using PowerShell but instead using Git Bash on Windows 10.

#!/bin/bash
server=<remote-host>
iface="ens6"
ssh $server "tcpdump -s 0 -U -n -w - -i $iface not port 22" | wireshark -k -i -

This script assumes you have Git Bash and Wireshark installed on your Windows machine, as well as the server and host communicating via public-key authentication. Make sure you have root privileges when using tcpdump. Port 22 is explicitly ignored so ssh traffic is not visible during the packet sniffing session.

kyrlon
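For readers who must stay in PowerShell rather than Git Bash, the following added example (it is not part of the question or the answer above) shows the approach the comments point at: hand the whole pipeline to cmd.exe. Windows PowerShell 5.1 does not pass bytes between two native commands; it decodes the left command's output as text, splits it into lines and re-encodes it for the right command, which destroys the binary pcap stream that `tcpdump -w -` produces (PowerShell 7.4 and later preserve the byte stream between native commands, so the direct pipeline works there). cmd.exe, like a Unix shell, connects the two processes' file handles directly. The parameter names `$RemoteHost`, `$Iface` and `$WiresharkExe` are assumptions for this example.

```powershell
# Added example, not from the original question or answer.
# Runs a remote tcpdump and streams the pcap into a local Wireshark via cmd.exe,
# which passes raw bytes between ssh and Wireshark; Windows PowerShell 5.1 would
# re-encode the stream as text and corrupt it.
# Assumed parameter names; adjust to your environment.
param(
    [Parameter(Mandatory)][string]$RemoteHost,
    [string]$Iface = 'eth0',
    [string]$WiresharkExe = 'C:\Program Files\Wireshark\Wireshark.exe'
)

if (-not (Test-Path -LiteralPath $WiresharkExe)) {
    throw "Wireshark not found at $WiresharkExe"
}

# -s 0 captures full frames, -U flushes after every packet so Wireshark updates
# live, -n skips name resolution, -w - writes pcap to stdout.
# 'not port 22' keeps the capture's own ssh transport out of the capture: without
# it every captured packet produces more ssh traffic, which is captured in turn.
$remoteCmd = "sudo tcpdump -s 0 -U -n -i $Iface -w - not port 22"

# One cmd.exe pipeline string. The exe path is quoted because of the space in
# 'Program Files'. PowerShell wraps the whole string in quotes when it passes it
# as a single argument; cmd.exe /c strips that outer pair and keeps the inner ones.
$pipeline = "ssh $RemoteHost `"$remoteCmd`" | `"$WiresharkExe`" -k -i -"

Write-Verbose "Running via cmd.exe: $pipeline"
cmd.exe /c $pipeline
```

Because stdout of ssh is a pipe rather than a console, nothing on the remote side may prompt interactively: use public-key authentication and a sudoers rule that lets the capture user run tcpdump without a password (limit that rule to the tcpdump binary rather than granting blanket NOPASSWD), otherwise the `GetConsoleMode on hOutputConsole failed with 6` error from the comments appears. The `not port 22` filter is as important for the capture's integrity as for hiding ssh traffic: it breaks the feedback loop in which the capture stream itself becomes the dominant traffic on the interface.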