79 changes: 79 additions & 0 deletions README.md
@@ -0,0 +1,79 @@
# Remote Interface Packet Capture

Stream packets from a Remote VM directly into Wireshark on your Local Machine.

### **1. Prerequisites (Local Machine)**

First, ensure you have the necessary tools installed on your **local computer**.

```bash
sudo apt update
sudo apt install wireshark
```

### **2. Prepare the Pipe (Local Machine)**

Create a FIFO (First-In, First-Out) pipe file on your **local machine**. This acts as a bridge to feed data from SSH into Wireshark.

> [!NOTE]
> Do not give this file an extension like `.pcap`. Just a plain name is best.

```bash
mkfifo /tmp/remote_capture
```

### **3. Start Wireshark (Local Machine)**

Open a terminal on your **local machine** and start Wireshark. It will wait for data to arrive in the pipe you just created.

```bash
wireshark -k -i /tmp/remote_capture
```

- `-k`: Start capturing immediately.
- `-i`: Specify the input interface (our pipe file).

### **4. Start the Data Stream (Local Machine)**

Open a **new terminal window** on your **local machine**. Run one of the following commands to connect to the VM and start piping traffic.

**Option A: Standard Capture (Best for most cases)**
Use this if you have SSH key access (passwordless) or can type the password interactively.

```bash
ssh <user>@<remote_ip> "sudo tcpdump -s 0 -U -n -w - -i <interface_name> not port 22" > /tmp/remote_capture
```

**Option B: If you need to filter multiple ports**
Use this to exclude specific noise (like the SSH port 22 and perhaps a web port 80).

```bash
ssh <user>@<remote_ip> "sudo tcpdump -s 0 -U -n -w - -i <interface_name> not port 22 and not port 80" > /tmp/remote_capture
```

**Option C: If the remote user requires a SUDO password non-interactively**
Use this _only_ if you must automate the sudo password entry (less secure, but sometimes necessary).

```bash
ssh <user>@<remote_ip> "echo '<password>' | sudo -S tcpdump -s 0 -U -n -w - -i <interface_name> not port 22" > /tmp/remote_capture
```

#### tcpdump & SSH Command Reference

| Flag / Component | Description |
| ----------------------- | ------------------------------------------------------------------------------- |
| `-s 0` | Capture the full packet (don't truncate) |
| `-U` | Packet-buffered mode (sends packets immediately, doesn't wait to fill a buffer) |
| `-n` | Don't resolve DNS names (faster) |
| `-w -` | Write the output to `stdout` (standard output) instead |
| `-i <interface_name>` | The network interface on the **VM** you want to sniff (e.g., `eth0`) |
| `not port 22` | Crucial. This filters out your own SSH traffic |
| `> /tmp/remote_capture` | Redirects the output from the SSH session into your local pipe file |

### **Cleanup (When Finished)**

When you are done, close Wireshark and the terminal running SSH. Then remove the pipe file on your **local machine**:

```bash
rm /tmp/remote_capture
```
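Review bot: Option C (`echo '<password>' | sudo -S tcpdump ...`) embeds the sudo password in the remote command string, so it is recorded in the local shell history and is visible to every user on the VM via `ps` for as long as tcpdump runs; the README should present this as a last resort and list the safer alternatives first, e.g. a sudoers rule restricted to the tcpdump binary with `NOPASSWD`, or granting tcpdump `cap_net_raw,cap_net_admin` with `setcap` so no sudo is needed at all. Step 4 should also state explicitly that the `ssh ... > /tmp/remote_capture` command must be started only after Wireshark (step 3) has opened the FIFO, because a write to a FIFO with no reader blocks, and the `not port 22` hint in the table should say that the port must match whatever port the SSH session actually uses, otherwise the capture feeds its own traffic back into itself.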
31 changes: 0 additions & 31 deletions ReadMe.md

This file was deleted.
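Review bot: Deleting `ReadMe.md` while adding `README.md` is a case-only rename presented as a delete plus an add, so blame/history for the file is lost and checkouts on case-insensitive filesystems (macOS, Windows) may keep the old name; consider doing the rename with `git mv` in its own commit and putting the content changes on top of it.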