基于wireshark的协议分析wireshark远程抓包

监听该

named pipe

，有数据即开始分析。

remote machine

：

192.168.1.82

local machine

：

192.168.1.86

开启一个终端，执行：

hank@gts ~ $$mkfifo /tmp/pipe

hank@gts ~ $$ssh root@192.168.1.82

开启另一个终端，执行：

hank@gts ~ $$ wireshark -k -i /tmp/pipe

在

/CaptureSetup/Pipes

< br>中，执行

ssh

登录时，没有将输出

重定向到

pipe

中去，于是我对该

wiki

做了修改，修改记录为：

CaptureSetup/Pipes (last edited 2009-05-14 08:02:36 by

hankchan

)

测试三：

netcat

这个测试见

《

How to monitor packets from a remote interface in real time

》

，该方

< br>式设计三台计算机，并且使用了

netcat

，本地接听 某个端口，远程主机将数据发

送到该端口。

remote machine

：

192.168.1.82

local machine

：

192.168.1.86

本地主机执行：

hank@gts ~/wireshark-dev/bin $$ nc -l -p 3000

远程主机执行：

[root@localhost ~]# cat /dev/urandom | nc 192.168.1.86 3000

本地另开一个终端，执行：

gts bin # ./tshark -i eth0 -R ==3000

综上，

SSH + pipe

作为远程抓包是十分理想的方案，前提是能

ssh

登陆远程主机，

并且远程主机上有抓包工具。

附英文原文如下：

Step 5: Capture traffic using a remote machine

Make sure you've finished step 4 successfully!

In this step

: Don't use your local machine to capture traffic as in the previous

steps but use a remote machine to do so.

Remote Capturing is currently very limited:

?

/Pipes

- using a UNIX pipe and use a different tool to capture from

?

/WinPcapRemote

- using [

WinPcap

]'s remote capturing feature (rpcapd) -

currently not supported

?

RMON

- use SNMP's RMON to capture - currently not supported (

Packet Capture Using RMON

explains why it doesn't work well)

Of course, you can use Wireshark installed on a remote machine in combination

with a remote control software (e.g. VNC, Windows Remote Desktop, ...).

XXX - explain special capture filter strings relevant to remote capturing!

Pipes

The following will explain capturing using pipes a bit.

Contents

?

?

?

Pipes

Named pipes

Remote Capture

3.

Special feeding application

4.

Stdin

Before pipes, Wireshark could read the captured packets to display either from a

file (which had been previously created) or for a network interface (in real time).

Since pipes are supported, Wireshark can also read packets from another

application, and shows them in real time. This is useful if you want to watch a

network in real time, and Wireshark cannot capture from that network, e.g.

because it is not an Ethernet network, or it is not on the local machine.

There are three main limitations that you should be aware of:

1.

It is not currently known whether this works on Windows. If you want to

use this on Windows, give it a try and report your results to the

development list (and/or update this page). If you want to help testing, you

should be able to compile Wireshark from sources.

2.

This only works with the de facto standard libpcap format version 2.4, as

described in

Development/LibpcapFileFormat

. Some other formats may work

in theory, but this has not been tested.

3.

Capturing from a pipe is inconvenient, because you have to set up the pipe

and put a file header into the pipe before you can start the capture. A few

patches have been mailed to the development list that could solve this, so

if you find the approach inconvenient, try the patches.