If udpdump is not for you, and you are able to run a capture tool like tshark or tcpdump on the remote machine, you can take a look at sshdump. A sibling of udpdump, it executes the remote capture program via ssh and then transports the data as-is through an ssh connection. It can be seen as a simple capture device on the host PC.
Roland

On Mon, 31 Jan 2022 at 19:53, Erik Hjelmvik <erik.hjelm...@gmail.com> wrote:

> Hi Dario,
>
> Udpdump looks interesting, but I'm afraid it doesn't quite fulfill my
> requirements. Wrapping captured packets inside of UDP packets or IP packets
> (as in ERSPAN) to allow remote sniffing is an attractive solution, but it
> comes with several drawbacks. Some of these drawbacks include difficulties
> in handling captured packets that exceed the MTU between sniffer and
> collector, how to preserve timestamps from the original capture source etc.
> Transmitting packets over a TCP connection has a few drawbacks as well, but
> it's a method that has served me very well over the years.
>
> As of now, I'd say that the primary drawback of using PCAP-over-IP (which
> really should be called "PCAP-over-TCP") is that Wireshark/tshark can't
> read this data natively without having to use netcat as a shim between the
> TCP socket and Wireshark/tshark. I was hoping that there was an extcap
> solution for this, but I'm guessing I might be out of luck there :(
>
> /erik
>
> On Mon, 31 Jan 2022 at 14:02, Dario Lombardo <lom...@gmail.com> wrote:
>
>> You can have a look at udpdump, which doesn't use TCP but UDP, but it may
>> fit your purpose.
>>
>> On Mon, Jan 31, 2022 at 1:57 PM Erik Hjelmvik <erik.hjelm...@gmail.com>
>> wrote:
>>
>>> Hello folks,
>>>
>>> Is there some way to read PCAP-over-IP in Wireshark? I.e. read a PCAP
>>> stream over a TCP socket.
>>>
>>> Currently, the best solution to read PCAP-over-IP in Wireshark is by
>>> using netcat to read the PCAP stream and forward it to Wireshark's STDIN
>>> like this:
>>> nc localhost 57012 | wireshark -k -i -
>>>
>>> But it would be much nicer if this data could be read directly without
>>> having to use netcat. Maybe as an extcap interface?
>>>
>>> Best regards,
>>> Erik
>>
>> --
>> Naima is online.
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
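As an added illustration for this thread (not code from Wireshark, sshdump, udpdump, or any of the posters), here is the `nc localhost 57012 | wireshark -k -i -` shim from Erik's first mail written as a small Python relay that validates the PCAP-over-IP (PCAP-over-TCP) stream as it passes through: it checks the 24-byte pcap global header (magic, byte order, version, snaplen) and every 16-byte record header before forwarding, so a desynchronised or truncated stream is reported rather than silently handed to the dissector. The script name, the `MAX_SNAPLEN` bound and the constructed sample capture used in the comments are assumptions made for the example.

```python
"""pcapip_shim.py: read a pcap stream from a TCP socket, validate it, re-emit on stdout.

Hypothetical example for the Wireshark-dev thread on PCAP-over-IP; not part of
Wireshark or of sshdump/udpdump. Usage:
    python3 pcapip_shim.py localhost 57012 | wireshark -k -i -
"""
import io
import socket
import struct
import sys
from typing import BinaryIO, Iterator, Tuple

# pcap global header (24 bytes): magic, major, minor, thiszone, sigfigs, snaplen, linktype
MAGIC_USEC = 0xA1B2C3D4   # timestamps are seconds + microseconds
MAGIC_NSEC = 0xA1B23C4D   # timestamps are seconds + nanoseconds
MAX_SNAPLEN = 262144      # assumed sanity bound; a larger value is almost certainly not a pcap header


def read_exact(f: BinaryIO, n: int, eof_ok: bool = False) -> bytes:
    """Read exactly n bytes. EOF before any byte returns b"" if eof_ok, otherwise EOFError.
    A short read in the middle of a header or packet means the stream was cut."""
    buf = b""
    while len(buf) < n:
        chunk = f.read(n - len(buf))
        if not chunk:
            if eof_ok and not buf:
                return b""
            raise EOFError(f"stream ended after {len(buf)} of {n} bytes")
        buf += chunk
    return buf


def parse_global_header(hdr: bytes) -> Tuple[str, bool, int, int]:
    """Validate the global header; return (struct byte-order prefix, nanosecond flag, snaplen, linktype)."""
    if len(hdr) != 24:
        raise ValueError("global header must be 24 bytes")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic in (MAGIC_USEC, MAGIC_NSEC):
        order = "<"                      # writer was little-endian
    else:
        magic = struct.unpack(">I", hdr[:4])[0]
        if magic not in (MAGIC_USEC, MAGIC_NSEC):
            raise ValueError(f"not a pcap stream (magic bytes {hdr[:4].hex()})")
        order = ">"                      # writer was big-endian
    major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", hdr[4:])
    if (major, minor) != (2, 4):
        raise ValueError(f"unsupported pcap version {major}.{minor}")
    if not 0 < snaplen <= MAX_SNAPLEN:
        raise ValueError(f"implausible snaplen {snaplen}")
    return order, magic == MAGIC_NSEC, snaplen, linktype


def iter_records(f: BinaryIO, order: str, snaplen: int) -> Iterator[Tuple[bytes, int, int, bytes]]:
    """Yield (raw record header, ts_sec, ts_frac, packet bytes). Stops only at a record boundary;
    a stream that ends inside a header or packet raises EOFError."""
    while True:
        rec = read_exact(f, 16, eof_ok=True)
        if not rec:
            return
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + "IIII", rec)
        # incl_len above snaplen or above orig_len cannot come from a sane writer: we are desynchronised
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"bad record header (incl_len={incl_len}, orig_len={orig_len}, snaplen={snaplen})")
        yield rec, ts_sec, ts_frac, read_exact(f, incl_len)


def relay(src: BinaryIO, dst: BinaryIO) -> int:
    """Copy one pcap stream from src to dst, validating as it goes. Returns the number of packets forwarded.
    Headers and timestamps are forwarded byte-for-byte, so the remote capture's timestamps survive."""
    hdr = read_exact(src, 24)
    order, _nsec, snaplen, _linktype = parse_global_header(hdr)
    dst.write(hdr)
    count = 0
    for rec_hdr, _ts_sec, _ts_frac, packet in iter_records(src, order, snaplen):
        dst.write(rec_hdr + packet)
        dst.flush()                       # keep Wireshark's live view moving packet by packet
        count += 1
    return count


def main(argv) -> None:
    host, port = argv[1], int(argv[2])
    with socket.create_connection((host, port)) as sock, sock.makefile("rb") as src:
        forwarded = relay(src, sys.stdout.buffer)
    print(f"forwarded {forwarded} packets", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Two things worth noting. The relay never parses timestamps or packet contents, it only checks the lengths, so the original capture source's timestamps and the full-length frames reach Wireshark unchanged, which is the property Erik's mail argues a TCP transport gets for free over a UDP/ERSPAN wrapper. And, like the plain netcat pipe, it authenticates and encrypts nothing: whoever can reach the listening port reads the capture, which is the part sshdump gets from ssh rather than from the pcap transport.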