
Openplatform.xyz

Placeholder for our stuff related to Telecom, IT, Internet of Things (IoT), ESP8266 and Raspberry Pi


Live remote tracing (packet capture) using plink

 April 2, 2020

This method of taking a remote packet capture is useful when

  1. The remote machine doesn't have RPCAP installed.
  2. The remote machine has RPCAP installed but is behind a firewall. Because RPCAP uses random ports to send the packet capture, network administrators usually haven't opened that port range.

Plink is a command-line connection tool similar to UNIX ssh. It is mostly used for automated operations. This means that you cannot just double-click on its icon to run it and instead you have to bring up a console window. In order to use Plink, the file plink.exe will need either to be on your PATH or in your current directory.

Documentation (more info on plink): https://the.earth.li/~sgtatham/putty/0.73/htmldoc/Chapter7.html#plink

Tools needed

Plink download link: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

Wireshark download link: https://www.wireshark.org/download.html

The tcpdump command must be in the sudoers list for the user you are logging in with. See the last section for how to add tcpdump to the sudoers list.

How to start remote packet capture

  1. Open a CMD window.
  2. The following command will ssh to the remote machine, run the tcpdump command there, and write the captured packets to Wireshark on your Windows machine.
    Please edit the IP address, username, password and path of Wireshark.

(Screenshot: Plink_command1)

(Screenshot: plink_wireshark)


In case your remote machine is running in AWS and you want to log in with a key pair file, use the following command




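As an added example (not code from the original post), here is a small Python wrapper that runs the same pipeline, plink to a remote tcpdump writing pcap to stdout, piped into the local Wireshark, using a key file instead of a password on the command line. The Wireshark install path, the plink flags used, the interface name and the host-key fingerprint placeholder are assumptions.

```python
"""Added example: plink -> remote tcpdump -> local Wireshark, driven from Python."""
import shlex
import subprocess
from typing import List

PLINK = "plink.exe"                                      # assumed to be on PATH
WIRESHARK = r"C:\Program Files\Wireshark\Wireshark.exe"  # assumed install path


def remote_capture_command(iface: str, bpf: str = "") -> str:
    """Build the command tcpdump runs on the remote host.
    The absolute path matches the sudoers rule exactly, so NOPASSWD applies.
    -U flushes every packet to stdout so Wireshark updates live; -w - writes
    pcap to stdout instead of a file."""
    cmd = ["sudo", "/usr/sbin/tcpdump", "-n", "-i", iface, "-s", "0", "-U", "-w", "-"]
    if bpf:
        # e.g. "not port 22": otherwise the SSH stream carrying the capture
        # is itself captured and the trace keeps growing on its own traffic.
        cmd.append(bpf)
    return shlex.join(cmd)


def plink_argv(host: str, user: str, keyfile: str, hostkey: str, remote_cmd: str) -> List[str]:
    """Build the plink argv.
    -i uses a PuTTY key file, so no password is visible in the process list;
    -batch aborts instead of prompting; -hostkey pins the server fingerprint
    so a host whose key changed is refused rather than silently accepted."""
    return [PLINK, "-ssh", "-batch", "-l", user, "-i", keyfile,
            "-hostkey", hostkey, host, remote_cmd]


def wireshark_argv() -> List[str]:
    # -k starts capturing immediately, -i - reads packets from stdin.
    return [WIRESHARK, "-k", "-i", "-"]


def run_live_capture(host: str, user: str, keyfile: str, hostkey: str,
                     iface: str = "eth0", bpf: str = "not port 22") -> int:
    """Wire plink's stdout into Wireshark's stdin and wait for Wireshark to exit."""
    remote_cmd = remote_capture_command(iface, bpf)
    plink = subprocess.Popen(plink_argv(host, user, keyfile, hostkey, remote_cmd),
                             stdout=subprocess.PIPE)
    wireshark = subprocess.Popen(wireshark_argv(), stdin=plink.stdout)
    plink.stdout.close()   # plink sees a broken pipe once Wireshark closes
    wireshark.wait()
    plink.terminate()      # closing the session stops the remote tcpdump
    return plink.wait()


if __name__ == "__main__":
    # Constructed placeholders: replace with your host, user, key file and fingerprint.
    run_live_capture("203.0.113.10", "debug", r"C:\keys\aws-capture.ppk",
                     "SHA256:REPLACE_WITH_SERVER_FINGERPRINT")
```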
In case the above commands ask for a password, tcpdump is not in your sudoers list.

Add tcpdump in sudoers list

Replace username with the name of the user who will be taking the remote capture.

  1. Log in as the root user.
  2. Find the full path of tcpdump:
    # find / -name 'tcpdump'
    /usr/sbin/tcpdump
  3. # cd /etc/sudoers.d/
  4. Create a file for the user if one does not already exist and add the tcpdump command:
    username ALL=(ALL) NOPASSWD:/usr/sbin/tcpdump
  5. Here is an example, where debug is my username that will be running the remote capture:
    # cat debug
    debug ALL=(ALL) NOPASSWD:/usr/sbin/tcpdump
  6. Log out and log in as username. It should now be able to run "sudo /usr/sbin/tcpdump" without a password.


Suresh Hariramani

I am an IoT enthusiast with more than 20 years of experience in the IT sector, specializing in telecom services. Follow me for some very innovative and best-in-class IoT products as I unfold my knowledge and passion for the subject.


Vatsal Hariramani

Just me, myself and I, exploring the universe of the unknown. I have a heart of love and interests in technology, IoT and travel. And I want to share my world with you.