Wireshark on remote host through SSH

I was trying to find a way to capture the network interface traffic on a remote server, just to see what (or who!) messed up the Web Services based communication.

I didn’t have to search too long, because my favorite capturing software, Wireshark, can listen on a named pipe. So, below you can find the simplest solution I found (SSH + FIFO) based on this tutorial:

On the client side (my computer – GNU/Linux) type:

mkfifo /tmp/pipe
ssh user@remote-host "tshark -w - not port 22" > /tmp/pipe

Still on the client side, open another terminal and type:

wireshark -k -i /tmp/pipe

Now type the SSH password in the first terminal. Of course you don't have to do this if you have configured the connection to use key- or certificate-based authentication.

Just remember that on the server side you need to install the console version of Wireshark, tshark, and to log in as a user which has the privileges to capture network traffic. The "not port 22" capture filter is not optional: it keeps the SSH session that carries the capture out of the capture itself, otherwise every captured packet would generate more SSH traffic, which would in turn be captured.

Now using your client-side Wireshark you can listen to the traffic which comes to and from your remote server.
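The recipe above wrapped in a small POSIX shell script, as an added example that is not part of the original post. It assumes tshark on the remote host and wireshark on the client; the interface name, SSH port and extra filter are parameters, and the FIFO is created in a private temporary directory instead of the predictable /tmp/pipe.

```shell
#!/bin/sh
# Added example: automate the SSH + FIFO capture described in the post.

# Build the remote tshark command. The capture filter always excludes the
# SSH port so the session carrying the capture does not capture itself.
# $1 = remote interface, $2 = SSH port (default 22), $3 = optional extra filter
remote_capture_cmd() {
    iface=$1; ssh_port=${2:-22}; extra=$3
    filter="not port $ssh_port"
    if [ -n "$extra" ]; then
        filter="$filter and ($extra)"
    fi
    printf 'tshark -i %s -w - %s' "$iface" "$filter"
}

# Create a FIFO in a fresh mktemp directory with mode 600, so another local
# user cannot pre-create the path or read the capture. Prints the FIFO path.
make_capture_fifo() {
    dir=$(mktemp -d) || return 1
    mkfifo -m 600 "$dir/pipe" || return 1
    printf '%s' "$dir/pipe"
}

# Run the whole recipe: ssh streams the pcap into the FIFO in the background,
# Wireshark reads it, and the ssh process and temp dir are removed on exit.
# usage: remote_capture user@remote-host eth0 [ssh_port] [extra capture filter]
remote_capture() {
    target=$1; iface=$2; port=${3:-22}; extra=$4
    fifo=$(make_capture_fifo) || return 1
    ssh -p "$port" "$target" "$(remote_capture_cmd "$iface" "$port" "$extra")" > "$fifo" &
    ssh_pid=$!
    trap 'kill "$ssh_pid" 2>/dev/null; rm -rf "$(dirname "$fifo")"' EXIT INT TERM
    wireshark -k -i "$fifo"
}
```

With key-based authentication there is no password prompt, so the ssh process can safely run in the background as shown; with password authentication, start the two commands in separate terminals as in the post.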