Ethereal-dev: Re: [Ethereal-dev] Remote online packet capture?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Mike Hall <mlh@xxxxxx>
Date: Thu, 19 Oct 2000 13:17:23 -0500 (CDT)
On Thu, 19 Oct 2000, John McDermott wrote:

> > 
> > Before I go down this road, has anyone else walked it. Has such a
> > remote catpure protocol been written already (I know that RMON does it,
> > but thats slow, painful, and baroque), and if so, has anyone written
> > a "caputre module" for it?
> 
> Now for another approach: the way Ethereal does live capture and display
> is that one process does the capture and another the display.  That
> means that Ethereal has the ability to read in (currently from a pipe)
> the captured data.  The capturing process should not need GTK and that
> could therefore be stripped out.  The pipe could be converted to a
> network socket and you'd have something close to what you describe: it
> would be a distributed Ethereal.

Think along the line of the paragraph above with this.

ssh root@xxxxxxxxxxxxxxxxxxx "tcpdump -n -s 1600 -w - " |
wiretap_pipe_for_ethereal

It works. I had a hack that did this, but I have lost it. It didn't take
much time. You have to setup a RSA key on the sniffer box with no
passphrase. Which means if someone compromises your key on the GUI box,
your hosed.. But function vs. security is always the name of the game.

--Mike

-- 
+===================================================================+
| Mike Hall               Real programmers dream in Java.           |
| mlh@xxxxxx          Linux rules! Everything else just works.      |
+===================================================================+
|             finger mlh@xxxxxx for public PGP key                  |
+===================================================================+