You can use Wireshark to monitor packets moving over various interfaces on an OpenWRT router.

Setup

On the router:

  1. Install tcpdump
    1. In OpenWRT LuCI, go to System → Software
    2. Update Lists
    3. Search for and install tcpdump
  2. Ensure you can SSH into the router

SSH authentication

Setting up an SSH key is a much more secure way to authenticate. While OpenWRT allows password logins by default, you’ll have to pass your password around in plaintext unless you set up a key.

On your local machine:

  1. Install Wireshark
    1. If necessary, make sure the sshdump feature is enabled
    2. Make sure you can run Wireshark as the same local user you SSH into the router from

Usage

  1. Launch Wireshark as the user you SSH into the router from
  2. Select the settings gear icon next to “SSH remote capture: sshdump” in the interface list
  3. In the Server page:
    1. Set “Remote SSH server address” to the router’s IP address
    2. Confirm “Remote SSH server port” is 22
  4. In the Authentication page:
    1. Set “Remote SSH server username” to root
    2. Click ... by “Path to SSH private key”
      1. Browse to and select the private SSH key file you use to authenticate
  5. In the Capture page:
    1. Set “Remote interface” as needed
    2. Set “Remote capture command selection” to tcpdump
    3. Set “Gain capture privilege on the remote machine” to none
  6. Check “Save parameters on capture start”
  7. Click Start
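
The same capture can be run without the GUI. The script below is an added example, not part of the original guide: it runs tcpdump on the router over key-only SSH and pipes the packets into a local Wireshark. The function names are hypothetical, and the router address, interface name and key path you pass in are assumptions.

```shell
#!/bin/sh
# Added example: command-line counterpart of the sshdump settings above.
# Assumed call (values not from the guide):
#   sh capture.sh 192.168.1.1 br-lan ~/.ssh/id_ed25519

# Print the tcpdump command to run on the router for one interface.
# The interface name and port are validated because ssh hands this string
# to the router's shell, so an unchecked value could smuggle in commands.
remote_tcpdump_cmd() {
    iface=$1
    port=${2:-22}
    case $iface in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "bad interface name: $iface" >&2
            return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*)
            echo "bad port: $port" >&2
            return 1 ;;
    esac
    # -U: flush each packet, -s 0: full packets, -w -: pcap to stdout.
    # "not port N" keeps the capture's own SSH session out of the trace.
    printf "tcpdump -i %s -U -s 0 -w - 'not port %s'" "$iface" "$port"
}

# Stream the remote capture into a local Wireshark over key-only SSH.
start_capture() {
    host=$1
    iface=$2
    key=$3
    cmd=$(remote_tcpdump_cmd "$iface" 22) || return 1
    # BatchMode=yes makes ssh fail rather than fall back to a password
    # prompt; IdentitiesOnly=yes offers only the key given with -i.
    ssh -i "$key" -o BatchMode=yes -o IdentitiesOnly=yes -p 22 \
        "root@$host" "$cmd" | wireshark -k -i -
}

# Run only when called with: host interface keyfile
if [ "$#" -eq 3 ]; then
    start_capture "$1" "$2" "$3"
fi
```

As with “Gain capture privilege” set to none, this relies on logging in as root, so no sudo is involved on the router.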