J G
Remote Wireshark Capture

How can I set up a remote Wireshark capture? I want to capture traffic on a particular switch port, but I can't be onsite.


I have a Cisco 2960G and a FortiGate 60D.
John

Follow this guide

https://www.wireshark.org/docs/wsug_html_chunked/ChCapInterfaceRemoteSection.html

and note particularly the need for the Remote Packet Capture Protocol service

I use CommView (TamoSoft) and it has a remote agent for this.
noci

Wireshark should also have a companion, TShark. TShark is a command-line tool, not requiring full graphics access.
(TShark is part of the Wireshark install set, at least on Linux/Unix.)

ASKER

Forgive me if this is a dumb question, but how would I get the Remote Packet Capture Protocol service to run on the Cisco?
That would be on the workstation on the other side of the Cisco.

So traffic goes through the Cisco switch port to a computer, and that is the monitoring point you need to use.

From "here" you see the packets on the remote computer.

ASKER

I want to sniff a non-Windows-based POS system's traffic. So, based on my understanding, there is no way to do this remotely, correct? I can't install the service on the POS system.

Would the best way be to physically connect a workstation to another port, mirror the ports onto that port, and run Wireshark?
ASKER CERTIFIED SOLUTION
John
If you have a remote switch that has copy/mirror/monitor functionality, then you can retrieve a copy of all traffic on another port on the switch. So you could use that function to deposit all traffic to a PC that can capture that data.
Note that the target of a mirror port cannot be used as an active connection for the connected equipment in most cases.
And all traffic (sent and received) is sent to it, which might be more than the target interface can handle.

(The remote switch must at least be manageable; some (many) do also support this function.)
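As an added example (not from any of the posters), here is the mirror-port approach from the accepted answer on the hardware the asker named: a local SPAN session on the Cisco 2960 that copies the POS port to the port where a capture PC is plugged in, and a shell script run on that PC over SSH that captures with TShark into a ring buffer so a busy mirror port cannot fill the disk. The interface names, the POS address, the capture host and the output path are assumptions.

```shell
#!/bin/sh
# Added example. Step 1 is typed on the Cisco 2960 (IOS), not in this shell:
#   conf t
#   monitor session 1 source interface GigabitEthernet0/1 both   ! POS port (assumed)
#   monitor session 1 destination interface GigabitEthernet0/2  ! capture PC port (assumed)
#   end
#   show monitor session 1
# A 2960 SPAN destination port carries no normal traffic, so the capture PC
# needs a second NIC (or another management path) to be reachable over SSH.

# Step 2: build the TShark command the capture PC runs. Kept in a function so
# the command line can be checked on a machine without tshark installed.
build_tshark_cmd() {
  iface=$1      # NIC patched to the SPAN destination port, e.g. eth1
  pos_ip=$2     # the POS host (assumed address), used as a capture filter
  outdir=$3     # capture files of POS traffic are sensitive: keep this
                # directory readable only by the admin account
  # -n: no name resolution; ring buffer of 20 files x 50 MB bounds disk use
  printf 'tshark -n -i %s -b filesize:51200 -b files:20 -w %s/pos.pcapng -f "host %s"' \
    "$iface" "$outdir" "$pos_ip"
}

# Step 3: start the capture on the capture PC from your desk; Ctrl-C to stop.
run_remote_capture() {
  capture_host=$1
  cmd=$(build_tshark_cmd "$2" "$3" "$4")
  ssh -t "$capture_host" "sudo $cmd"
}

# Usage: run_remote_capture admin@capture-pc eth1 192.0.2.50 /var/tmp/captures
```

Copy the finished .pcapng files back with scp and open them in Wireshark locally; the capture PC never needs a GUI.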