
WireShark Remote Capture failed: NFLOG link-layer type filtering not implemented

I followed the official documentation.

My remote server is CentOS 7.9, and I have installed Wireshark on it.

I use the command below to open my local Wireshark software and capture packets on the remote server's interface:

ssh root@remote-server-name 'dumpcap -w - -f "not port 22"' | wireshark -k -i -

but I get this error information:

Capturing on 'nflog'
dumpcap: Invalid capture filter "not port 22" for interface nflog!

That string isn't a valid capture filter (NFLOG link-layer type filtering not implemented).
See the User's Guide for a description of the capture filter syntax.

and my local Wireshark software displays the error.


EDIT-01

I use the command below to specify the interface:

ssh root@remote-server-name -i .ssh/id_rsa 'dumpcap -w - -f "not port 22"' | wireshark -k -i em1

but Wireshark says there is no such device.

On my server, em1 does indeed exist.

[root@att ~]# ip a | grep em1
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet remote-ip/29 brd remote-ip scope global noprefixroute em1

The error message is explaining what is the cause of not being able to capture:

Capturing on 'nflog'
dumpcap: Invalid capture filter "not port 22" for interface nflog!

The dumpcap command that is executed on the remote server does not have an argument -i <interface>, which means dumpcap will select the first interface it finds. In this case that is interface nflog.

All capture filters are compiled based on the link layer type of the interface as some filter elements are only available on interfaces of a certain link-layer type.

In this case the capture filter not port 22 is not a valid capture filter for the link-layer type of interface nflog.

I assume you meant to capture on the Ethernet interface of the remote host. You can list the interfaces on the remote host by using the command dumpcap -D. Pick the interface you want to capture on and then add the argument -i <interface> to your dumpcap command in the remote capture command.
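
The fix described in the answer above, as an added example that is not part of the original answer: it parses a `dumpcap -D` listing, picks the first interface that is not a pseudo-device, and builds the remote command with `-i` on the dumpcap side. The listing is a constructed sample and the function names are hypothetical; the interface name is validated because it ends up in a command run as root over SSH.

```shell
#!/bin/sh
# Constructed sample of `dumpcap -D` output on a CentOS 7 host (not from the post).
SAMPLE_DUMPCAP_D='1. nflog
2. nfqueue
3. usbmon1
4. em1
5. any
6. lo (Loopback)'

# Hypothetical helper: read `dumpcap -D` output on stdin and print the first
# interface that is not a netfilter/USB pseudo-device, "any" or loopback.
pick_capture_iface() {
    # Input lines look like "4. em1" or "6. lo (Loopback)".
    awk '{
        name = $2
        if (name ~ /^(nflog|nfqueue|any|lo)$/) next
        if (name ~ /^(usbmon|bluetooth|dbus)/) next
        print name
        exit
    }'
}

# Hypothetical helper: build the dumpcap command line for the remote side.
# The name is interpolated into a remote shell command, so anything that is
# not a plain interface name is rejected.
build_remote_capture_cmd() {
    iface=$1
    case $iface in
        ''|*[!A-Za-z0-9._:-]*)
            echo "refusing interface name: '$iface'" >&2
            return 1 ;;
    esac
    # -i goes to dumpcap on the server; the SSH exclusion filter is unchanged.
    printf 'dumpcap -i %s -w - -f "not port 22"\n' "$iface"
}

# Real use (needs SSH access; host name as written in the question):
#   iface=$(ssh root@remote-server-name 'dumpcap -D' | pick_capture_iface)
#   ssh root@remote-server-name "$(build_remote_capture_cmd "$iface")" \
#       | wireshark -k -i -
# Offline demonstration on the constructed sample:
iface=$(printf '%s\n' "$SAMPLE_DUMPCAP_D" | pick_capture_iface)
build_remote_capture_cmd "$iface"
```

The local Wireshark keeps `-i -` because it reads the capture from the pipe; only the remote dumpcap needs the real interface name.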

change -f "not port 22"' to -f 'not tcp port 22'"

Just a typo probably.
