UniFi
Summary
...
Packet Capture
Remote PCap via SSH
Info: For this to work, Wireshark must be installed with the "Sshdump and Ciscodump" option selected. If you don't see SSH Remote Capture listed as an interface in your Wireshark, you can re-run the installation program to select "Sshdump and Ciscodump".
Follow the instructions below to perform a remote packet capture from your UniFi device to Wireshark on your workstation, over SSH.
Enable SSH Password Authentication
- SSH into your UniFi device and edit the /etc/ssh/sshd_config file.
- Change PasswordAuthentication to yes, and save the file.
- Restart SSHD (non-service-impacting) by running systemctl restart sshd
Configure Wireshark
Open Wireshark and select SSH Remote Capture as the interface. If the Interface Options window doesn't pop up, click the gear next to SSH Remote Capture.
Go through the four tabs and configure them as follows:
Server
- Remote SSH server address: IP/hostname of your UniFi device.
- Remote SSH server port: 22
Authentication
- Remote SSH server username: root
- Remote SSH server password: <root_password>
Leave the rest as default values.
Capture
- Remote interface: interface name obtained from ip addr
- Remote capture command selection: tcpdump
- Remote capture command: /usr/sbin/tcpdump -nn -s 0 -w -
- Gain capture privilege on the remote machine: sudo
Leave the rest as default values.
Debug
Leave all as default values.
Info: You will have to re-enter the Remote SSH server password each time you open Wireshark.
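As an added example (not part of these notes or of Wireshark/UniFi), the same pipeline sshdump drives, scripted by hand: it uses key-based SSH so PasswordAuthentication can stay at no, names the interface explicitly, filters out the SSH session that carries the capture (with no filter, as in the command above, the capture stream captures itself), and checks that what came back is really a pcap. Assumed: a key for root@<device> is already installed, the interface name comes from ip addr, and hostnames such as unifi.example are placeholders.

```shell
#!/bin/sh
# Added example: manual equivalent of Wireshark's "SSH Remote Capture" interface.

# Build the remote tcpdump command line.
#   IFACE  - interface name from `ip addr` on the device
#   COUNT  - optional packet cap so the remote tcpdump exits on its own
#   FILTER - BPF filter; the default drops our own SSH session so the
#            capture does not contain the stream that transports it
build_capture_cmd() {
  iface=$1; count=$2; filter=${3:-"not tcp port 22"}
  if [ -n "$count" ]; then
    printf '/usr/sbin/tcpdump -nn -s 0 -i %s -c %s -w - %s' "$iface" "$count" "$filter"
  else
    printf '/usr/sbin/tcpdump -nn -s 0 -i %s -w - %s' "$iface" "$filter"
  fi
}

# Capture COUNT packets from HOST/IFACE into OUTFILE (a .pcap).
# BatchMode=yes refuses password prompts, so a missing key fails fast.
remote_capture() {
  host=$1; iface=$2; outfile=$3; count=${4:-1000}
  ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$host" \
      "$(build_capture_cmd "$iface" "$count")" > "$outfile"
}

# Same, but streamed live into Wireshark (reads pcap from stdin with -i -).
remote_capture_live() {
  host=$1; iface=$2
  ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$host" \
      "$(build_capture_cmd "$iface")" | wireshark -k -i -
}

# Sanity check on the saved file: a pcap starts with magic d4c3b2a1 / a1b2c3d4
# (4d3cb2a1 / a1b23c4d for nanosecond pcap), a pcapng with 0a0d0d0a. Anything
# else is usually an ssh/tcpdump error message that ended up in the file.
pcap_ok() {
  magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
  case "$magic" in
    d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d|0a0d0d0a) return 0 ;;
    *) return 1 ;;
  esac
}

# Example run (placeholder host/interface):
#   remote_capture unifi.example br0 /tmp/unifi.pcap 2000 && pcap_ok /tmp/unifi.pcap
```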