Wireshark remote sniffing without rpcapd

Wireshark for Windows

After reading my article about rpcapd, Peter Calum sent me this message:

I cannot use rpcapd because of the problem with the randomly chosen port for the data transfer, because of the FW between our office network and our technical network servers. Our Wireshark collecting host is placed here.

But after some work I found another solution which works really fine: pipe a tcpdump command on the collecting host back through SSH.
I use plink.exe, which comes with PuTTY.

Make a command file with the tcpdump command:

tcpdump -s0 -w - -i eth0 not port 22

Run

plink.exe -ssh -pw mypassword root@192.168.1.10 -m commands.txt | "c:\program files\wireshark\wireshark.exe" -k -i -

When you send the command, Wireshark starts up and shows the data … voilà.

Wireshark for Linux

And from Linux, just run:

ssh root@192.168.5.228 "tcpdump -w - host 192.168.5.219" | wireshark -k -i -
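Both the plink variant in Peter's message and the one-liner above rely on the same pipeline: a remote tcpdump writes pcap to its stdout, SSH carries that stream home, and Wireshark reads it from stdin. The script below is an added example (not from the original post) that wraps the pipeline in reusable shell functions and makes the one detail explicit that the plink command file already handles with "not port 22": the SSH session carrying the capture is itself traffic on the remote interface, so a filter that does not exclude the SSH port makes tcpdump capture its own transport and the stream feeds on itself. It also uses SSH key authentication rather than a password on the command line, and adds tcpdump's -U (packet-buffered output) and -n so packets reach Wireshark as they arrive instead of in large buffered chunks. The host, interface and filter values passed to the functions are placeholders to be replaced with your own.

```shell
#!/bin/sh
# Added example: reusable wrapper around the ssh | tcpdump | wireshark
# pipeline described in the post. Hostnames, interfaces and filters given
# to these functions are hypothetical placeholders.

# Return 0 if the BPF capture filter already excludes the SSH transport
# port (default 22), 1 otherwise. Without the exclusion tcpdump captures
# the SSH packets that carry the capture stream, every captured packet
# generates more SSH traffic, and the pipe grows until the link saturates.
filter_excludes_ssh() {
    filter="$1"; port="${2:-22}"
    case "$filter" in
        *"not port $port"*|*"not tcp port $port"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the filter with the SSH-port exclusion added when it is missing.
safe_filter() {
    filter="$1"; port="${2:-22}"
    if filter_excludes_ssh "$filter" "$port"; then
        printf '%s\n' "$filter"
    elif [ -z "$filter" ]; then
        printf 'not port %s\n' "$port"
    else
        printf '(%s) and not port %s\n' "$filter" "$port"
    fi
}

# Print the tcpdump command that runs on the remote host.
# -s0: full packets; -U: flush each packet to stdout immediately;
# -n: no DNS lookups on the remote side; -w -: pcap to stdout.
remote_tcpdump_cmd() {
    iface="$1"; filter="$2"
    printf 'tcpdump -s0 -U -n -w - -i %s %s\n' "$iface" "$filter"
}

# Run the whole pipeline. Relies on an SSH key for the remote account, so
# no password appears in the process list.
# usage: remote_capture user@host iface 'bpf filter' [ssh_port]
remote_capture() {
    host="$1"; iface="$2"; port="${4:-22}"
    filter="$(safe_filter "$3" "$port")"
    ssh -p "$port" "$host" "$(remote_tcpdump_cmd "$iface" "$filter")" \
        | wireshark -k -i -
}

# Example invocation (placeholder host, interface and filter):
# remote_capture root@192.0.2.10 eth0 'host 192.0.2.20'
```

Because safe_filter parenthesises the operator's filter before appending the exclusion, "host A or host B" still reads as intended; Wireshark's -k starts the capture immediately and -i - reads from stdin, exactly as in the post's commands.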