diff --git a/README.md b/README.md new file mode 100644 index 0000000..3d95442 --- /dev/null +++ b/README.md 
@@ -0,0 +1,79 @@ +# Remote Interface Packet Capture + +Stream packets from a Remote VM directly into Wireshark on your Local Machine. + +### **1. Prerequisites (Local Machine)** + +First, ensure you have the necessary tools installed on your **local computer**. + +```bash +sudo apt update +sudo apt install wireshark +``` + +### **2. Prepare the Pipe (Local Machine)** + +Create a FIFO (First-In, First-Out) pipe file on your **local machine**. This acts as a bridge to feed data from SSH into Wireshark. + +> [!NOTE] +> Do not give this file an extension like `.pcap`. Just a plain name is best. + +```bash +mkfifo /tmp/remote_capture +``` + +### **3. Start Wireshark (Local Machine)** + +Open a terminal on your **local machine** and start Wireshark. It will wait for data to arrive in the pipe you just created. + +```bash +wireshark -k -i /tmp/remote_capture +``` + +- `-k`: Start capturing immediately. +- `-i`: Specify the input interface (our pipe file). + +### **4. Start the Data Stream (Local Machine)** + +Open a **new terminal window** on your **local machine**. Run one of the following commands to connect to the VM and start piping traffic. + +**Option A: Standard Capture (Best for most cases)** +Use this if you have SSH key access (passwordless) or can type the password interactively. + +```bash +ssh @ "sudo tcpdump -s 0 -U -n -w - -i not port 22" > /tmp/remote_capture +``` + +**Option B: If you need to filter multiple ports** +Use this to exclude specific noise (like the SSH port 22 and perhaps a web port 80). + +```bash +ssh @ "sudo tcpdump -s 0 -U -n -w - -i not port 22 and not port 80" > /tmp/remote_capture +``` + +**Option C: If the remote user requires a SUDO password non-interactively** +Use this _only_ if you must automate the sudo password entry (less secure, but sometimes necessary). 
+ +```bash +ssh @ "echo '' | sudo -S tcpdump -s 0 -U -n -w - -i not port 22" > /tmp/remote_capture +``` + +#### tcpdump & SSH Command Reference + +| Flag / Component | Description | +| ----------------------- | ------------------------------------------------------------------------------- | +| `-s 0` | Capture the full packet (don't truncate) | +| `-U` | Packet-buffered mode (sends packets immediately, doesn't wait to fill a buffer) | +| `-n` | Don't resolve DNS names (faster) | +| `-w -` | Write the output to `stdout` (standard output) instead | +| `-i ` | The network interface on the **VM** you want to sniff (e.g., `eth0`) | +| `not port 22` | Crucial. This filters out your own SSH traffic | +| `> /tmp/remote_capture` | Redirects the output from the SSH session into your local pipe file | + +### **Cleanup (When Finished)** + +When you are done, close Wireshark and the terminal running SSH. Then remove the pipe file on your **local machine**: + +```bash +rm /tmp/remote_capture +``` \ No newline at end of file diff --git a/ReadMe.md b/ReadMe.md deleted file mode 100644 index ae2427f..0000000 --- a/ReadMe.md +++ /dev/null @@ -1,31 +0,0 @@ -## Setup dependencies -Install wireshark - -``` -sudo apt install wireshark tcpdump - -``` -Make a FIFO pipe file without any extension (don't make file like filename.pcap or something) -``` -mkfifo /tmp/ - -``` -## Packet Capturing Proccess -Start Wireshark capturing with the following command: -``` -wireshark -k -i /tmp/ - -``` -In another terminal, execute the SSH command: -``` -ssh @ "sudo tcpdump -s 0 -U -n -w - -i not port " > /tmp/filename -``` -and for multiple ports: -``` -ssh @ "sudo tcpdump -s 0 -U -n -w - -i not port and not port " > /tmp/filename -``` - -and if the remote host require sudo password: -``` -ssh @ "echo | sudo -S tcpdump -s 0 -U -n -w - -i not port and not port " > /tmp/filename -
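Review bot: In the Option A and Option B blocks of the new README.md hunk the user/host and interface placeholders have been lost: the command reads `ssh @ "sudo tcpdump -s 0 -U -n -w - -i not port 22"`, so the `ssh` target is empty and `-i` would take `not` as the interface name; the same happened to `echo ''` in Option C and to `-i ` in the command-reference table. Spell the placeholders out in a form renderers will not swallow (for example `USER@HOST`, `IFACE`, `PASSWORD`) and say in the text that they must be replaced. Option A also claims the user "can type the password interactively", but the command allocates no pty (no `ssh -t`), so sudo has no terminal to prompt on and aborts, while adding `-t` would pass the binary pcap stream through a terminal; the prerequisites should state that this workflow needs SSH key access plus passwordless sudo for tcpdump on the VM (a sudoers rule scoped to the tcpdump binary), which also removes the need for Option C. Option C places the sudo password as a literal on the local command line, where it is written to shell history and visible in the local process list; if the option stays, say so explicitly in the "less secure" remark and prefer a sudoers rule over the echoed password. Finally, the hunk ends with `\ No newline at end of file`; add the trailing newline.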
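Review bot: The deleted ReadMe.md installed `wireshark tcpdump` together, whereas the replacement README.md installs only `wireshark` on the local machine and never states that tcpdump must be present on the VM; add a short "Remote VM" prerequisite (tcpdump installed, sudo rights for the capture user) so the dependency that the old file at least hinted at is not lost. Also, `ReadMe.md` to `README.md` is a case-only rename expressed as a delete plus an add in the same commit; on case-insensitive filesystems (macOS and Windows defaults) such a checkout can leave the old file name in place, so mention this in the PR description or perform the rename as its own commit.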