I hate taking packet captures. I end up taking a ton of them at home and at work. Frankly, this workflow sucks:
# Oh shoot, I need to take a packet capture. evan: ssh firstname.lastname@example.org host: tcpdump -i any -s 0 'not port 22' -w /tmp/foo.cap # In another terminal after making the traffic I want... evan: scp email@example.com:/tmp/foo.cap captures/foo.cap evan: wireshark captures/foo.cap
There's all kinds of garbage that can happen along the way:
/tmp/ (or wherever you're capturing to) could fill up
- Somebody else could clobber your capture file (that's a fun one)
- You might forget to copy the new capture file over
And the whole affair just takes forever. I want live updates! I don't want to fill up precious disk space on my server! I want my capture file to be on my machine!
remotecap, something I built because I was sick of this.
Here's the workflow with remotecap:
evan: remotecap -w captures/foo.cap host.something.net # Screen is cleared and capture size and rate of growth is # printed. # This can be disabled by using -q/--quiet # In another terminal evan: wireshark captures/foo.cap # Now, make the traffic you want to view and simply hit <C-r> in Wireshark
ssh into the target server, run
tcpdump, and then pipe the outback back over
ssh to a file on your system. That's not all it can do, however!
Here's a more complicated example:
remotecap -w captures/some-weird-problem --user notroot --sudo \ --command-path /stupid/path/tcpdump \ --filter 'port 80 and port 443 and port 1234' \ --key ~/somerandomkey --packet-length 1234 \ --known-hosts None \ 10.0.0.5 188.8.131.52:2022 example.org:4561
This will run
tcpdump on three machines simultaneously and put them in a folder named
It also logs in as a non-root user and then uses
sudo to escalate privileges on these machines. The other options are pretty self-explanatory for anyone that has used
tcpdump. My favorite thing is that you can specify the
ssh listening port per host using
: to separate the host from the port.
remotecap is built on top of
asyncssh to do
ssh connections and stream the output and
aiofiles to allow file I/O that won't block the event loop.
Because of this, it performs pretty well. I've been able to take captures on systems that are recieving 500 Mb/s or more.
remotecap, you need to have
python >= 3.6 on your system.
remotecap has been tested on Linux and should probably work on MacOS. I have no clue if this will work on Windows, so sorry there!
To install, simply do the following:
# You could do this with system Python, but that's not really a great idea. # All file paths below are just examples. You can put this # virtualenv wherever you want. evan: python3 -m venv ~/remotecap evan: source ~/remotecap/bin/activate # Make sure that you have libsodium installed. Install it using apt/dnf/pacman/zypper # This also might need a compiler if the wheels don't work. (remotecap) evan: pip install remotecap[recommends] # Bunch of garbage prints (remotecap) evan: remotecap --help
I may create packages for various distros using
fpm at some point, but for now, just use
If you run into any issues or just want to see the source, head on over to
remotecap on Github.