If udpdump is not for you, and you are able to run a capture tool like tshark or tcpdump on the remote machine, you can take a look at sshdump. A sibling of udpdump, it executes the remote capture program via ssh, and then transports the data as-is through an ssh connection. It can be seen as a simple capture device on the host PC.
Roland
Hi Dario,
Udpdump looks interesting, but I'm afraid it doesn't quite fulfill my requirements. Wrapping captured packets inside of UDP packets or IP packets (as in ERSPAN) to allow remote sniffing is an attractive solution, but it comes with several drawbacks. Some of these drawbacks include difficulties in handling captured packets that exceed the MTU between sniffer and collector, how to preserve timestamps from the original capture source etc. Transmitting packets over a TCP connection has a few drawbacks as well, but it's a method that has served me very well over the years.
As of now, I'd say that the primary drawback of using PCAP-over-IP (which really should be called "PCAP-over-TCP") is that Wireshark/tshark can't read this data natively without having to use netcat as a shim between the TCP socket and Wireshark/tshark. I was hoping that there was an extcap solution for this, but I'm guessing I might be out of luck there :(
/erik
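To illustrate what a netcat-replacing shim (or an extcap) for PCAP-over-TCP has to do, here is an added example that is not from the thread, from Wireshark or from any of the posters: a small Python parser that reassembles classic pcap records from a byte stream that arrives in arbitrary chunks, the way TCP delivers it, while keeping the original capture timestamps and handling frames larger than any UDP MTU budget. The class and function names, the magic-number table and the sample stream are constructed for this example; pcapng is assumed out of scope.

```python
import struct

# Classic pcap magic as read little-endian from the first 4 bytes ->
# (struct byte-order prefix, timestamp fraction divisor). Assumption: pcapng is not handled.
MAGICS = {0xA1B2C3D4: ("<", 10**6), 0xD4C3B2A1: (">", 10**6),  # microsecond timestamps
          0xA1B23C4D: ("<", 10**9), 0x4D3CB2A1: (">", 10**9)}  # nanosecond timestamps

class PcapStreamParser:
    """Reassembles pcap records from a TCP stream, which does not preserve record boundaries."""

    def __init__(self):
        self.buf, self.endian, self.divisor = b"", None, None
        self.snaplen = self.linktype = None

    def feed(self, data):
        self.buf += data
        records = []
        if self.endian is None:  # 24-byte global header not parsed yet
            if len(self.buf) < 24:
                return records
            magic = struct.unpack("<I", self.buf[:4])[0]
            if magic not in MAGICS:
                raise ValueError("not a classic pcap stream: 0x%08x" % magic)
            self.endian, self.divisor = MAGICS[magic]
            # remaining header fields: major, minor, thiszone, sigfigs, snaplen, linktype
            *_, self.snaplen, self.linktype = struct.unpack(self.endian + "HHiIII", self.buf[4:24])
            self.buf = self.buf[24:]
        while len(self.buf) >= 16:  # a 16-byte record header is available
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(self.endian + "IIII", self.buf[:16])
            if incl_len > orig_len or incl_len > 262144:  # 262144 is libpcap's max snaplen
                raise ValueError("corrupt record header: incl_len=%d" % incl_len)
            if len(self.buf) < 16 + incl_len:
                break  # packet body still in flight; wait for the next chunk
            records.append((ts_sec + ts_frac / self.divisor, orig_len, self.buf[16:16 + incl_len]))
            self.buf = self.buf[16 + incl_len:]
        return records

def build_sample_stream(nanosecond=False):
    """Constructed sample: LE header (Ethernet), 60-byte frame at t=1700000000.5, 1514-byte frame truncated from 2000."""
    magic = b"\x4d\x3c\xb2\xa1" if nanosecond else b"\xd4\xc3\xb2\xa1"
    frac = 500_000_000 if nanosecond else 500_000
    return (magic + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
            + struct.pack("<IIII", 1_700_000_000, frac, 60, 60) + b"\x01" * 60
            + struct.pack("<IIII", 1_700_000_001, 0, 1514, 2000) + b"\x02" * 1514)

def parse_in_chunks(stream, chunk_size):
    """Feed the stream in fixed-size chunks, as a socket recv() loop would."""
    parser, records = PcapStreamParser(), []
    for i in range(0, len(stream), chunk_size):
        records.extend(parser.feed(stream[i:i + chunk_size]))
    return parser, records
```

In a real shim the chunks would come from a socket's recv() and each returned record would be re-serialised to a pipe or file for Wireshark; the point shown here is that record boundaries, timestamps and full-size frames survive regardless of how TCP splits the stream.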
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: https://www.wireshark.org/lists/wireshark-dev