J G
asked on
Remote Wireshark Capture
How can I setup a remote wireshark capture? I want to capture traffic on a particular switchport, but I can't be onsite.
I have a cisco 2960g and a fortigate 60d
Wireshark should also have a companion tshark. tshark is a command line tool, not requiring full graphics access.
(tshark is part of the Wireshark install set, at least on Linux / Unix.)
ASKER
Forgive me if this a dumb question, How would I get the Remote Packet Capture Protocol service to run on the Cisco?
That would be on the workstation on the other side of the Cisco.
So traffic goes through the Cisco switchport to a computer, and that is the monitoring point you need to use.
From "here" you see the packets on the remote computer.
ASKER
I want to sniff a non-windows based POS system's traffic. So, based upon my understanding, there is no way to remotely do this, correct? I can't install the service on the POS system.
Would the best way be to physically connect a workstation to another port, mirror the ports onto that port, and run a wireshark?
ASKER CERTIFIED SOLUTION
If you have a remote switch that has copy / mirror / monitor functionality, then you can retrieve a copy of all traffic on another port on the switch. So you could use that function to deposit all traffic to a PC that can capture that data.
Note that the target of a mirror port cannot be used as an active connection for the connected equipment in most cases.
And all traffic (sent & received) is sent to it, which might be more than the target interface can handle.
(The remote switch must at least be manageable; some (many) do also support this function.)
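The mirror-port setup described in this answer, written out as an added example that is not part of the thread: the Cisco IOS SPAN session that copies the POS port to the capture PC's port, the tshark command run on that PC (ring buffer so the mirrored volume cannot fill the disk), and the remote variant that streams the capture over SSH so nobody has to be onsite. Interface names, the POS address 192.0.2.10 and the hostname capture-pc are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Placeholders: POS on Gi0/5, capture PC
# on Gi0/24 with its sniffing NIC eth1, POS at 192.0.2.10, SSH host capture-pc.
set -eu

# Cisco IOS SPAN session: copy both directions of the source port to the
# destination port. The destination port no longer passes normal traffic, so
# the capture PC needs a second NIC (on a regular port) for SSH management.
span_config() {
  local session="$1" src="$2" dst="$3"
  printf 'monitor session %s source interface %s both\n' "$session" "$src"
  printf 'monitor session %s destination interface %s\n' "$session" "$dst"
}

# tshark on the capture PC, listening on the NIC plugged into the SPAN
# destination. The capture filter keeps only the POS host; the ring buffer
# (10 files x 100 MB) bounds disk use when the mirrored volume is high.
tshark_cmd() {
  local iface="$1" host="$2" outfile="$3"
  printf 'tshark -i %s -f "host %s" -w %s -b filesize:102400 -b files:10 -q' \
    "$iface" "$host" "$outfile"
}

# Remote variant: run tshark over SSH and pipe the pcap stream into a local
# Wireshark, which reads from stdin (-i -) and starts immediately (-k).
remote_cmd() {
  local sshhost="$1" iface="$2" host="$3"
  printf "ssh %s 'tshark -i %s -f \"host %s\" -w -' | wireshark -k -i -" \
    "$sshhost" "$iface" "$host"
}

# Show the three pieces for the placeholder values.
span_config 1 Gi0/5 Gi0/24
tshark_cmd eth1 192.0.2.10 /var/tmp/pos.pcapng; echo
remote_cmd capture-pc eth1 192.0.2.10; echo
```

Paste the first two lines into the switch's configuration mode, then run the tshark or ssh line from the analyst's machine.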
https://www.wireshark.org/docs/wsug_html_chunked/ChCapInterfaceRemoteSection.html
and note particularly the need for the Remote Packet Capture Protocol service
I use Comm View (Tamosoft) and it has a Remote agent for this.