by psophis 2612 days ago
This is very cool. Though I’ve always done remote wireshark captures:

    ssh root@sniff_server_ip -p port tcpdump -U -s0 'not port 22' -i eth0 -w - | wireshark -k -i -
Source: https://serverfault.com/questions/362529/how-can-i-sniff-the...

It works very well on low volume captures.
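As an added example, not code from the thread: the same ssh-plus-tcpdump pipe, with the remote command built by a function that quotes the BPF filter for the second shell it passes through, and a way to run it without a root login. The host name, port and key below are placeholders (assumptions), and the setcap path varies by distribution.

```shell
#!/bin/sh
# Added example, not code from the thread.
# sshd hands the command string to the remote login shell, which parses it
# once more. The BPF filter is therefore single-quoted here so it reaches
# tcpdump as a single argument; unquoted parentheses would be shell syntax.
set -eu

# remote_capture_cmd SSH_PORT IFACE [FILTER]
# SSH_PORT is the port of our own session; it is always excluded so the
# capture does not feed its own transport back into the stream.
remote_capture_cmd() {
    port=$1
    iface=$2
    filter=${3:-}
    bpf="not port ${port}"
    if [ -n "$filter" ]; then
        bpf="${bpf} and (${filter})"
    fi
    printf "tcpdump -U -s0 -i '%s' -w - '%s'" "$iface" "$bpf"
}

# Usage, with an assumed host (the two halves run on the two machines):
#   ssh -p 2222 capture@sniff.example.net \
#       "$(remote_capture_cmd 2222 eth0 'udp and port 53')" | wireshark -k -i -
#
# Hardening: instead of a root login, pin the analyst's key to this single
# command in ~capture/.ssh/authorized_keys on the sniff host (key is a placeholder):
#   restrict,command="tcpdump -U -s0 -i eth0 -w - 'not port 2222'" ssh-ed25519 AAAAC3... analyst
# and let the unprivileged user capture, e.g.
#   setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# The client then runs just `ssh -p 2222 capture@sniff.example.net | wireshark -k -i -`;
# with a forced command, whatever the client sends as a command is ignored,
# the filter is fixed server-side, and `restrict` denies pty, forwarding and agent.
```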


I've made a simple script based on your example:

wirelive.sh:

  #!/bin/bash
  # wirelive.sh: stream a remote tcpdump capture into a local Wireshark
  
  if [[ -z "$1" ]]; then
      echo "Usage: $(basename "$0") <host[:port]> [interface] [filter]"
      exit 1
  fi
  
  ssh_host=$(cut -d: -f1 <<< "$1")
  ssh_port=$(cut -s -d: -f2 <<< "$1")
  [[ -z "$ssh_port" ]] && ssh_port=22
  tcpdump_interface=${2:-any}
  
  # Always exclude our own SSH session, or the capture feeds back on itself.
  tcpdump_filter="not port ${ssh_port}"
  [[ -n "$3" ]] && tcpdump_filter="${tcpdump_filter} and (${3})"
  
  # The remote login shell parses this string again, so the filter is wrapped
  # in single quotes; otherwise the parentheses reach that shell unquoted.
  ssh "root@${ssh_host}" -p "${ssh_port}" \
      "tcpdump -U -s0 -i '${tcpdump_interface}' -w - '${tcpdump_filter}'" \
      | wireshark -k -i -
Nice, but a small nit: you don't need to quote variables inside bash double brackets.
This method even worked for Wiresharking all PS3 traffic in real time for a GTA Online session, running the tcpdump on a little plastic old mipsel SoC OpenWrt router that was also doing all the routing (not a passive sniffing box), without noticeable effect on gameplay. (I was trying to detect cheaters.)

BTW, for anyone new to tcpdump, you can also specify selectors/filtering on the command line, to reduce the traffic. The filtering in Wireshark is on top of that.

Online games are pretty low volume though; data is usually transmitted at a few Kbps per player. Just out of interest, how did you try to spot cheaters doing that?
Not quite in their interest to publicly explain methods of how they detect cheaters :)

It's one of the best-guarded secrets in the gaming industry.

OP does not sound like he was actually working for Rockstar on GTA, more like a hobby project
Correct, not working for Rockstar. And I'm pretty sure R* stopped caring about cheaters ruining Online for last-gen consoles shortly after, as that could push people to buy the game again for current-gen. :)
Wouldn't they just cheat with some of the common methods and train some AI with the packet dumps to spot it?
Perhaps he was looking for an abnormal amount of traffic, attempting to resend the same message, and hoping the server will do it multiple times in the same frame. I would guess trying to find spots where the client is overly trusted.
Game traffic is usually encrypted. How good depends on the game. So you might only see some packets with a larger payload and deduce stuff from there.
Came here to write the very same command. I only use -l instead of -U. On Windows using WSL I use something like this:

  ssh root@remotehost "tcpdump -i eth1 -s0 -l -w - 'udp'" | /mnt/c/Program\ Files/Wireshark/Wireshark.exe -k -i -
Option "-l" is only supposed to be used with text output. When misapplied to binary (-w) output, it will:

- On Linux, flush buffer at wrong places, breaking last (few) packet(s);

- On Windows, flush buffer after every byte (which gives acceptable result, but is very inefficient).

With "-w", always use "-U" instead.
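A check for the two truncation modes this sub-thread touches, as an added example that is not from the thread, tcpdump or Wireshark: it walks the pcap stream that `tcpdump -w -` writes into the ssh pipe and reports packets clipped by the snaplen (what -s0 avoids) and a trailing record cut mid-packet, which is what the lost last packets from a buffer flushed in the wrong place look like. The sample bytes are constructed inline, not a real capture; the script name in the usage comment is assumed.

```python
"""Added example, not code from the thread or from tcpdump/Wireshark.

Walks a pcap byte stream such as the one `tcpdump -w -` produces and reports:
  * snap_cut: records with incl_len < orig_len, i.e. clipped by the snaplen;
  * truncated_tail: bytes after the last complete record, i.e. the stream
    ended mid-packet (a partially flushed final record).
SAMPLE at the bottom is constructed here, not a real capture.
"""
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # nanosecond-timestamp variant
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def parse_pcap_stream(data):
    """Return (packets, snaplen, truncated_tail_bytes).

    packets: one dict (ts, incl_len, orig_len, snap_cut) per record whose
    payload is fully present. truncated_tail_bytes: bytes left after the
    last complete record, 0 for a cleanly terminated stream.
    """
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("stream shorter than a pcap global header")
    # The magic is written in the capturing host's byte order, so try both.
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap stream (bad magic %r)" % data[:4])
    frac_div = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6
    _vmaj, _vmin, _tz, _sig, snaplen, _linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])

    packets = []
    off = GLOBAL_HDR_LEN
    while off + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + RECORD_HDR_LEN])
        if incl_len > orig_len or incl_len > snaplen:
            raise ValueError("corrupt record header at offset %d" % off)
        if off + RECORD_HDR_LEN + incl_len > len(data):
            break  # header present but payload cut short: stream truncated
        packets.append({
            "ts": ts_sec + ts_frac / frac_div,
            "incl_len": incl_len,
            "orig_len": orig_len,
            "snap_cut": incl_len < orig_len,
        })
        off += RECORD_HDR_LEN + incl_len
    return packets, snaplen, len(data) - off


def summarize(data):
    """The counts worth glancing at once a piped capture has ended."""
    packets, snaplen, tail = parse_pcap_stream(data)
    return {
        "packets": len(packets),
        "snaplen": snaplen,
        "snap_cut": sum(1 for p in packets if p["snap_cut"]),
        "truncated_tail": tail,
    }


def _record(ts_sec, ts_usec, payload, orig_len=None):
    # Record header as a little-endian capture host would write it.
    orig_len = len(payload) if orig_len is None else orig_len
    return struct.pack("<IIII", ts_sec, ts_usec, len(payload), orig_len) + payload


# Constructed sample: snaplen 96, link type 1 (Ethernet), three records.
SAMPLE = (
    struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 96, 1)
    + _record(1500000000, 100, b"\x01" * 60)                        # intact
    + _record(1500000000, 200, b"\x02" * 96, orig_len=1514)         # clipped by snaplen
    + _record(1500000001, 300, b"\x03" * 60)[:RECORD_HDR_LEN + 20]  # cut mid-packet
)

if __name__ == "__main__":
    import sys
    # e.g.  ssh host tcpdump -U -s0 -w - 'not port 22' | python3 pcapcheck.py
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.buffer.read()
    print(summarize(src))
```

On the constructed sample this reports two complete packets, one of them clipped by the snaplen, and 36 dangling bytes, which is exactly the "last packet broken" symptom; a stream written with -U ends with truncated_tail 0.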

Thank you so much, I didn't have a clue.
Who would have known that :) I sense a project developer is contributing to the discussion here :).
Indeed, this method is cool. It allowed me to sniff the traffic between some poorly documented IoT device and a remote server (unencrypted, what else) via OpenWrt:

[0] https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wi...

Ah, very handy!