user7693832

Reputation: 6849

Wireshark remote capture failed: NFLOG link-layer type filtering not implemented

I followed the official documentation.

My remote server is CentOS 7.9, and I have installed Wireshark on it.

I use the command below to open my local Wireshark and capture packets on the remote server's interface:

ssh root@remote-server-name 'dumpcap -w - -f "not port 22"' | wireshark -k -i -

but I get this error:

Capturing on 'nflog'
dumpcap: Invalid capture filter "not port 22" for interface nflog!

That string isn't a valid capture filter (NFLOG link-layer type filtering not implemented).
See the User's Guide for a description of the capture filter syntax.

and my local Wireshark software displays an error.


EDIT-01

I use the command below to specify the interface:

ssh root@remote-server-name -i .ssh/id_rsa 'dumpcap -w - -f "not port 22"' | wireshark -k -i em1

but Wireshark says there is no such device.

The em1 interface does indeed exist on my server.

[root@att ~]# ip a | grep em1
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet remote-ip/29 brd remote-ip scope global noprefixroute em1

Upvotes: 1

Views: 7248

Answers (1)

SYN-bit

Reputation: 31

The error message explains the cause of not being able to capture:

Capturing on 'nflog'
dumpcap: Invalid capture filter "not port 22" for interface nflog!

The dumpcap command that is executed on the remote server does not have an argument -i <interface>; this means dumpcap will select the first interface it finds, in this case interface nflog.

All capture filters are compiled based on the link layer type of the interface as some filter elements are only available on interfaces of a certain link-layer type.

In this case the capture filter not port 22 is not a valid capture filter for the link-layer type of interface nflog.

I assume you meant to capture on the Ethernet interface of the remote host. You can list the interfaces on the remote host by using the command dumpcap -D. Pick the interface you want to capture on and then add the argument -i <interface> to your dumpcap command in the remote capture command.

Upvotes: 3
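
The fix the answer describes, as an added example that is not part of the original answer: it picks a capture interface from `dumpcap -D` output and builds the remote `dumpcap` command with an explicit `-i`. The function names, the sample listing and the list of skipped pseudo-interfaces are assumptions made for this example.

```shell
#!/bin/sh
# Added example: choose a capture interface from `dumpcap -D` output and build
# the remote dumpcap command with an explicit -i, so the capture filter is
# compiled for that interface's link-layer type instead of nflog's.

# Constructed sample of `dumpcap -D` output (not taken from the question's host).
SAMPLE_LIST='1. nflog
2. nfqueue
3. usbmon1
4. em1
5. any
6. lo (Loopback)'

# Print the interface names from a `dumpcap -D` style listing read on stdin.
list_ifaces() {
  sed -n 's/^[0-9][0-9]*\. \([^ ]*\).*$/\1/p'
}

# Print the first interface that is not a netfilter, USB, "any" or loopback
# pseudo-interface (assumed exclusion list; adjust for the host in question).
pick_iface() {
  list_ifaces | grep -Ev '^(nflog|nfqueue|usbmon[0-9]*|any|lo)$' | head -n 1
}

# Build the remote command for interface $1, given the listing in $2.
# The name must match a listed interface exactly, which also keeps
# unexpected characters out of the command string passed to ssh.
remote_capture_cmd() {
  printf '%s\n' "$2" | list_ifaces | grep -Fxq -- "$1" || return 1
  printf 'dumpcap -i %s -w - -f "not port 22"\n' "$1"
}

# Usage against the host from the question (run by hand, needs ssh access):
#   listing=$(ssh root@remote-server-name 'dumpcap -D')
#   iface=$(printf '%s\n' "$listing" | pick_iface)
#   ssh root@remote-server-name "$(remote_capture_cmd "$iface" "$listing")" \
#     | wireshark -k -i -
```

The local `wireshark -k -i -` keeps reading from standard input; only the remote `dumpcap` gets the `-i <interface>` argument.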
