Remote Shark 🦈

Remote network packet capture via SSH to Wireshark. Stream packets from a remote Linux server directly to your local Wireshark on Windows - no files saved on the remote server.

Download

⬇️ Download Latest Release

Get the latest remote-shark.exe from the releases page.

Features

• Auto-detection: Finds Wireshark and SSH keys automatically
• SSH Key/Password: Supports both authentication methods
• Configuration Profiles: Save and reuse connection settings
• Interface Discovery: List available network interfaces on remote server
• Live Streaming: Real-time packet capture through encrypted SSH tunnel
• BPF Filters: Apply filters to capture specific traffic
• Clean Exit: Close Wireshark to stop capture automatically

Quick Start

# With password
remote-shark.exe -host 192.168.1.100 -user root -password mypass

# With SSH key (auto-detect)
remote-shark.exe -host 192.168.1.100 -user ubuntu

# With custom SSH key
remote-shark.exe -host 192.168.1.100 -user ubuntu -key ~/.ssh/id_rsa

# With BPF filter
remote-shark.exe -host 192.168.1.100 -user root -password mypass -filter "tcp port 80"

Installation

Prerequisites:

• Windows PC with Wireshark installed
• Remote Linux server with SSH access
• tcpdump or dumpcap installed on remote server (requires sudo)

Build:

go mod tidy
go build -o remote-shark.exe

Usage

remote-shark.exe -host <IP> -user <username> [OPTIONS]

Required

• -host - Remote server IP address
• -user - SSH username

Authentication (one required)

• -password - SSH password
• -key - SSH private key path (auto-detects ~/.ssh/id_rsa or id_ed25519)

Profile Management

• -profile <name> - Load saved profile
• -create-profile <name> - Save current config as profile
• -list-profiles - List all saved profiles

Optional

• -port - SSH port (default: 22)
• -interface - Network interface (default: eth0)
• -list-interfaces - List available interfaces on remote server
• -filter - BPF filter expression
• -wireshark - Wireshark path (auto-detected)
• -snaplen - Snapshot length in bytes (default: 65535)
• -buffer - Buffer size in KB (default: 4096)
• -remote-tool - Use tcpdump or dumpcap (default: tcpdump)

Configuration Profiles

Save frequently used configurations as profiles:

# Create a profile
remote-shark.exe -host 10.101.50.9 -user ies -password mypass -interface enp1s0 -create-profile prod-server

# List all profiles
remote-shark.exe -list-profiles

# Use a profile (just specify profile name)
remote-shark.exe -profile prod-server

Profiles are stored in ~/.remote-shark/profiles/*.yml in YAML format.

Security Note: Profiles can store passwords for convenience, but they are saved as plain text in YAML files. For better security:

• Protect your ~/.remote-shark/profiles/ directory with appropriate file permissions
• Consider using SSH keys instead of passwords
• Don't share profile files containing passwords

List Remote Interfaces

Discover available network interfaces before capturing:

remote-shark.exe -host 192.168.1.100 -user root -password mypass -list-interfaces

Output shows:

• Interface names (eth0, enp1s0, etc.)
• Status (UP/DOWN)
• IP addresses assigned to each interface

Examples

# Capture HTTP traffic
remote-shark.exe -host 10.0.0.50 -user admin -password secret -filter "tcp port 80"

# Capture on specific interface
remote-shark.exe -host 10.0.0.50 -user admin -key ~/.ssh/id_rsa -interface ens33

# Capture from specific host
remote-shark.exe -host 192.168.1.100 -user root -password pass -filter "host 192.168.1.50"

# Exclude SSH traffic
remote-shark.exe -host 192.168.1.100 -user root -password pass -filter "not tcp port 22"

# Custom SSH port
remote-shark.exe -host 10.0.0.50 -port 2222 -user admin -key ~/.ssh/id_ed25519

Common BPF Filters

Filter	Description
tcp port 80	HTTP traffic
tcp port 443	HTTPS traffic
host 192.168.1.1	Traffic to/from IP
net 192.168.1.0/24	Traffic to/from subnet
icmp	ICMP/ping packets
not tcp port 22	Exclude SSH
port 80 or port 443	HTTP or HTTPS

How It Works

Remote Server          SSH Tunnel (Encrypted)          Local Windows PC
┌──────────────┐              ────►              ┌──────────────────┐
│  tcpdump     │                                  │  remote-shark    │
│  (interface) │◄─────────────────────────────────►  (connector)    │
│  └─► stdout  │      No files saved!            │      ↓           │
└──────────────┘                                  │  Wireshark GUI   │
                                                   └──────────────────┘

1. Connects to remote server via SSH
2. Starts tcpdump with sudo on specified interface
3. Streams pcap data through SSH to local machine
4. Opens Wireshark automatically with live capture
5. Close Wireshark to stop capture (automatic cleanup)

Troubleshooting

"Wireshark not found"

• Install from https://www.wireshark.org/ or use -wireshark flag

"Permission denied"

• User needs sudo privileges for tcpdump/dumpcap

"tcpdump: command not found"

# Debian/Ubuntu
sudo apt-get install tcpdump

# RHEL/CentOS
sudo yum install tcpdump

"SSH key not found"

• Use -key flag with full path to your private key
• Or use -password flag instead

Security Notes

⚠️ Current implementation uses:

• InsecureIgnoreHostKey for SSH (no host key verification)
• Passwords visible in process list if used

Best practices:

• Use SSH keys instead of passwords
• Only use on trusted networks
• Only capture traffic you have permission to monitor
• Be aware of data privacy regulations (GDPR, HIPAA, etc.)

Network Interface Names

Common Linux interface names:

• eth0, eth1 - Traditional Ethernet
• enp1s0, enp2s0 - Predictable naming (systemd)
• ens33, ens192 - VMware virtual interfaces
• docker0 - Docker bridge
• wlan0, wlp3s0 - Wireless

List available interfaces:

ssh user@host "ip link show"

License

Utility tool provided as-is. Use responsibly on networks you have permission to monitor.

Contributing

Issues and pull requests welcome at https://github.com/getevo/remote-shark