Wireshark-dev: Re: [Wireshark-dev] Add support for remote capture in linux

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 2 Oct 2015 11:19:45 -0700
On Oct 2, 2015, at 3:35 AM, Dario Lombardo <dario.lombardo.ml@xxxxxxxxx> wrote:

> Remote capture is not currently supported by the current wireshark under linux.

...or any other OS where libpcap doesn't support it; there's nothing Linux-specific about this.

> This can be achieved by ssh + pipe like this
> 
> ssh host 'dumpcap -i bla -w -' | wireshark
> 
> that works flawlessly

...as long as the remote machine has dumpcap installed *and*, if you ssh to that machine:

	1) dumpcap is in your path;

	2) dumpcap has sufficient privileges to capture.

If dumpcap isn't installed, you could try tcpdump, although you'd have to arrange that 1) and 2) be true of tcpdump.

Note also that, even on Windows, where WinPcap does include remote capture support, that only supports remote capture using recapd; "run dumpcap/tcpdump with ssh" could also allow remote capture from Wireshark-on-Windows if the remote machine doesn't support rpcap.

Unfortunately, the link

	https://code.wireshark.org/review/#/c/10740/

doesn't work, so I can't see if there's anything in the code restricting it to Linux, but it should *NOT* be restricted to Linux - or even to UN*X in general.