Wireshark-users: Re: [Wireshark-users] How to capture packets on a remote machine?
Hi Shiyao,
On Sun, Mar 19, 2017 at 04:13:51PM +0800, Shiyao Ma wrote:
> On my local side, wireshark (latest) is running on macOS 10.12.
>
> On the remote machine, debian (sid), the package wireshark (2.2.5) is
> installed.
>
> I tried using the "ssh remote capture".
>
> But wireshark errs:
> "Capturing from a pipe doesn't support pcapng format."
>
> How to solve that.?
If your remote user has appropriate privileges, try editing "Remote
capture binary", replacing "dumpcap" by "tcpdump".
If this fails (because you are logging in as non-root or because the
tcpdump binary is lacking permissions), you can try creating a script on
the server (e.g. /usr/local/bin/dumpcap or $HOME/bin/dumpcap)
containing:
#!/bin/sh
exec /usr/sbin/dumpcap -P "$@"
Then make the file executable. The "-P" option ensures that the output
format is pcap rather than pcapng since that is (currently?) not
supported. Note that in the next stable version, the "SSH remote
capture" options got reworked, defaulting to tcpdump and allowing you to
specify the full capture command instead of just the binary.
--
Kind regards,
Peter Wu
https://lekensteyn.nl