
My colleague, Simon Kowallik, recently posted something really cool to our internal message boards: “Have you ever wanted to run captures with Wireshark on BIG-IP?” Answer: Yes, for like twelve years I wanted to do this! Anyway, I thought this was so awesome that it deserved a wider audience, so here it is, republished with Simon’s permission. In the post below, Simon shows us how to use the packet tracing tool Wireshark (or any other tool that reads pcaps from tcpdump) directly with BIG-IP using only some sleight of hand.

Posted by Simon Kowallik at 9:02:38 AM

We actually can do that without installing X, Wireshark and hundreds of libraries on BIG-IP. SSH access to the BIG-IP (bash or tmsh) is fine. The trick is to launch an SSH session without a login shell and run tcpdump through it on the remote system, making tcpdump write raw packets to STDOUT while piping it to our local Wireshark reading from STDIN.

Cygwin on Windows:
# ssh -l root 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | /cygdrive/c/Program\ Files/Wireshark/Wireshark.exe -k -i -

Windows CMD with plink (download from the PuTTY homepage):
plink.exe -l root -pw default 192.168.1.245 "tcpdump -w - -s0 -pi 0.0 tcp or udp or icmp" | "c:\Program Files\Wireshark\wireshark.exe" -k -i -

STDIN/STDOUT is represented by - on most platforms. Wireshark's -i option reads from an interface; - as an argument makes STDIN the interface. Tcpdump's -w option with - as an argument writes to STDOUT instead of a file.

Tcpdump does buffer the output when writing to a file (STDOUT in our case), which unfortunately means it might take some time until we can see the traffic in Wireshark.
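The following wrapper is an added example, not code from Simon's post or from F5: it packages the same ssh-to-tcpdump-to-Wireshark pipe as a small POSIX shell script and adds two things a practitioner running it repeatedly will want. First, it passes -U (packet-buffered output) to the remote tcpdump, which flushes each packet as it is written and removes the delay the post describes; whether the tcpdump shipped on a given BIG-IP accepts -U is an assumption here. Second, it tees the stream to a local file and checks that the file starts with a libpcap or pcapng magic number, because anything else that lands on STDOUT ahead of the packets (a login banner, a MOTD, a shell error) makes Wireshark reject the pipe with "unknown file format", and that failure is hard to tell apart from a capture that simply saw no traffic. The host, interface name 0.0 and filter are taken from the post; the script assumes ssh key authentication for root rather than a password on the command line (plink's -pw puts the password in the process list and shell history) and a wireshark binary in PATH.

```shell
#!/bin/sh
# Added example (not part of the original post): stream a tcpdump capture
# from a BIG-IP to a local Wireshark over ssh, with no login shell.
# Assumptions: ssh key auth for root on the BIG-IP, a remote tcpdump that
# accepts -U, and wireshark in PATH locally.
set -u

# Build the remote tcpdump command line used in the post. -w - writes the raw
# pcap stream to STDOUT, -s0 keeps whole packets, -p disables promiscuous
# mode, -i selects the interface (0.0 on BIG-IP). -U is added so each packet
# is flushed instead of sitting in tcpdump's output buffer.
remote_tcpdump_cmd() {
    # $1 = interface, $2 = BPF filter expression
    printf 'tcpdump -U -w - -s0 -pi %s %s' "$1" "$2"
}

# Return 0 if the file starts with a pcap or pcapng magic number.
# Recognised: little/big-endian libpcap, the nanosecond-resolution libpcap
# variant, and the pcapng section header block type.
pcap_magic_ok() {
    # $1 = file holding (at least) the first bytes of the stream
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh runs tcpdump on the BIG-IP without a login shell, tee keeps a local
# copy of the stream, and Wireshark (-k start immediately, -i - read STDIN)
# displays it live. Afterwards the spool file is checked so a banner or
# error text that poisoned the stream is reported instead of silently lost.
run_capture() {
    # $1 = BIG-IP host, $2 = interface, remaining args = BPF filter
    host=$1
    iface=$2
    shift 2
    filter=${*:-"tcp or udp or icmp"}
    spool=${SPOOL:-capture-$(date +%Y%m%d-%H%M%S).pcap}

    ssh -l root "$host" "$(remote_tcpdump_cmd "$iface" "$filter")" \
        | tee "$spool" \
        | wireshark -k -i -

    if [ -s "$spool" ] && ! pcap_magic_ok "$spool"; then
        echo "warning: $spool does not start with a pcap header;" \
             "something other than tcpdump wrote to STDOUT" >&2
        return 1
    fi
    echo "capture saved to $spool" >&2
}

# Usage: sh capture.sh 192.168.1.245 0.0 'tcp port 443'
# Only runs when a host argument is given, so the functions can be sourced.
if [ "${1-}" ]; then
    run_capture "$@"
fi
```

If the warning fires, inspect the spool file with `head -c 200 capture-*.pcap` to see what the remote side printed; a typical culprit is a shell profile that echoes text for non-interactive sessions, which should be guarded behind an interactivity check on the BIG-IP side rather than stripped locally.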