Capture Packets from TCPDump over SSH

This is a short one, but I wanted to document this since I figured it out once before and forgot how to do it and had to re-figure it out.

I wanted to capture packets directly from my Edgerouter Lite. The good thing is the ERL has TCPdump. The bad thing is I don’t want to write a PCAP file to the ERL’s storage. Instead I wanted to write the output to a remote file.

To do so, I needed to do the following:

ssh admin@192.168.200.1 -p 8022 "sudo tcpdump -i eth0 -w -" > capture.pcap

From a Linux box I have on my network, this command first opens an SSH session to my ERL over port 8022 (which is what I have SSH configured to listen on). From there, it executes the tcpdump command on the ERL, capturing on the eth0 interface. The "-w -" argument tells tcpdump to write its raw pcap output to stdout instead of to a file on the ERL, so the capture stream comes back over the SSH session, and the shell redirection writes it to a file called capture.pcap on the Linux box.

From here, all we need to do is open the PCAP file in Wireshark and we're golden. I was getting a warning stating the capture had a truncated packet, but that's just because I ended the packet capture with CTRL-C, which can cut off the last packet mid-write. I could specify how many packets to capture (tcpdump's -c option) to make a clean file that ends on its own, but I was able to get what I was looking for regardless.
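As an added example (not from the original post), here is a small POSIX shell wrapper around the same ssh + "tcpdump -w -" pipeline: it sets a packet count so the capture ends cleanly instead of with CTRL-C, excludes the SSH session's own port from the capture filter so the capture stream is not itself captured on the way out, and checks that the resulting file starts with a pcap or pcapng magic number before you open it in Wireshark. The host, port, user and interface are the ones from the post; it assumes the SSH session crosses the captured interface and that the ERL's tcpdump supports the -s, -U and -c options.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: the ERL at
# 192.168.200.1, SSH on port 8022, user admin, capture interface eth0.

# Build the remote tcpdump command line.
#   -c N   stop after N packets, so the file ends cleanly (no CTRL-C cut-off)
#   -s 0   capture full packets rather than a truncated snaplen
#   -U     flush each packet to stdout as it arrives instead of buffering
# The filter always excludes the SSH port used for this session, so the
# capture's own return traffic does not get fed back into the capture.
build_remote_cmd() {
    iface="$1"; count="$2"; sshport="$3"; userfilter="$4"
    filter="not tcp port $sshport"
    if [ -n "$userfilter" ]; then
        filter="$filter and ($userfilter)"
    fi
    # Single quotes protect the filter (parentheses etc.) from the remote shell.
    printf "sudo tcpdump -i %s -s 0 -U -c %s -w - '%s'\n" \
        "$iface" "$count" "$filter"
}

# Run the capture over SSH and write the pcap stream to a local file.
# usage: remote_capture user@host sshport iface count outfile [bpf-filter]
remote_capture() {
    target="$1"; sshport="$2"; iface="$3"; count="$4"; out="$5"; userfilter="$6"
    cmd=$(build_remote_cmd "$iface" "$count" "$sshport" "$userfilter")
    ssh -p "$sshport" "$target" "$cmd" > "$out"
}

# Check that a file begins with a pcap (either byte order, micro- or
# nanosecond) or pcapng magic number; returns 1 with a message otherwise.
pcap_header_ok() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) echo "$1: not a pcap/pcapng file (magic: $magic)" >&2; return 1 ;;
    esac
}

# Example run (only executed when this file is invoked directly with "run"):
if [ "$1" = "run" ]; then
    remote_capture admin@192.168.200.1 8022 eth0 200 capture.pcap "icmp or port 53"
    pcap_header_ok capture.pcap && echo "capture.pcap looks good"
fi
```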
