Wireshark can be used to capture all network traffic on a local or remote computer for further analysis. In both cases, when using Linux, direct access to the network interfaces requires root privileges (or, on Debian-style systems, membership of the wireshark group after running dpkg-reconfigure wireshark-common, which gives the dumpcap capture helper the CAP_NET_RAW and CAP_NET_ADMIN capabilities instead of running the whole GUI as root). The captured traffic can be filtered by address, protocol type or port number, either at capture time or at display time.
There are two filter types: capture filters (BPF syntax, e.g. udp port 53, applied by libpcap before packets are stored, so unwanted traffic never reaches the capture file) and display filters (Wireshark's own syntax, e.g. dns.flags.response == 0, applied to packets already captured, so they can be changed at any time).
On Debian-style Linux Wireshark can be installed (as root) with:
apt-get install wireshark
To enable remote capture on Linux, install tshark on the remote computer with:
apt-get install tshark
and then start Wireshark locally and connect it to the remote computer's capture interface with the command below (public key authentication without a password prompt is preferred and, of course, root ssh login has to be enabled on the remote side; the <( ... ) process substitution requires bash or zsh). When the capture interface is the one carrying the ssh session itself, every captured packet is sent back over ssh and captured again, so add a capture filter such as -f "not tcp port 22" among the tshark options:
wireshark -k -i <( ssh root@remote-address-here /usr/bin/tshark -i listening-interface -w - tshark-options-here )
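The same ssh + tshark pipeline as a small Python launcher, added here as an example (it is not from the original page). It avoids the bash-only process substitution, adds the capture filter that keeps the ssh session's own packets out of the capture, and uses BatchMode so ssh fails instead of prompting when key authentication is not set up. The function names are mine; it assumes sshd on the default port 22 and tshark at /usr/bin/tshark as on the page.

```python
"""Added example (not from the original page): the ssh + tshark remote
capture as a small Python launcher, so it does not depend on bash process
substitution, and with the capture filter that keeps the ssh session's own
packets out of the capture.  Host, interface and user names are arguments."""
import shlex
import subprocess
import sys

SSH_PORT = 22  # assumption: sshd on the remote host listens on the default port


def capture_filter(extra=None, ssh_port=SSH_PORT):
    """BPF capture filter handed to the remote tshark (-f).  Excluding the
    ssh session matters when capturing on the interface the session runs
    over: otherwise each captured packet is sent back through ssh, captured
    again, and the stream feeds on itself."""
    bpf = "not (tcp port %d)" % ssh_port
    return "(%s) and %s" % (extra, bpf) if extra else bpf


def remote_command(iface, extra_filter=None, ssh_port=SSH_PORT):
    """The tshark command line run on the remote host: capture on `iface`,
    apply the filter, write the capture to stdout (-w -).  Quoted for the
    remote login shell, since ssh passes it as a single string."""
    argv = ["/usr/bin/tshark", "-i", iface, "-f",
            capture_filter(extra_filter, ssh_port), "-w", "-"]
    return " ".join(shlex.quote(a) for a in argv)


def ssh_argv(host, iface, user="root", extra_filter=None, ssh_port=SSH_PORT):
    """argv for the local ssh process.  BatchMode=yes makes ssh fail instead
    of prompting, which is what you want with key-based root login."""
    return ["ssh", "-o", "BatchMode=yes", "-p", str(ssh_port),
            "%s@%s" % (user, host), remote_command(iface, extra_filter, ssh_port)]


def wireshark_argv():
    """argv for the local Wireshark: read the capture from stdin (-i -) and
    start capturing immediately (-k)."""
    return ["wireshark", "-k", "-i", "-"]


def run(host, iface, **kw):
    """Wire ssh's stdout into Wireshark's stdin and wait for the GUI to exit."""
    ssh = subprocess.Popen(ssh_argv(host, iface, **kw), stdout=subprocess.PIPE)
    ws = subprocess.Popen(wireshark_argv(), stdin=ssh.stdout)
    ssh.stdout.close()          # only Wireshark holds the read end now
    rc = ws.wait()
    ssh.terminate()             # stop the remote capture when the GUI closes
    ssh.wait()
    return rc


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: %s remote-host listening-interface [extra-bpf-filter]"
                 % sys.argv[0])
    extra = sys.argv[3] if len(sys.argv) > 3 else None
    sys.exit(run(sys.argv[1], sys.argv[2], extra_filter=extra))
```

Run it as python remote_capture.py 10.0.0.5 eth0 "udp port 53" to see only DNS from the remote box; the ssh exclusion is always appended, so the filter sent to tshark becomes (udp port 53) and not (tcp port 22).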
Or, if you have an rpcapd daemon running somewhere, you can connect to that remote interface from the Capture Options dialog in a Wireshark build with remote capture (rpcap) support (e.g., a router with Tomato firmware and a custom rpcapd). Note that by default the rpcap protocol is not encrypted, so the captured packets (and any login credentials) cross the network in the clear; use it only on a trusted network or tunnel it over ssh.
Try Wireshark on the virtual computer located at
Launch it with VMware Player (open existing virtual machine). See what information can be gathered by just listening to DNS requests while browsing the Internet.
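To make the DNS exercise concrete, here is an added example (not part of the original exercise) that parses DNS messages the way a passive listener on udp port 53 sees them and summarizes what they reveal: which names the browser looked up and what they resolved to. The sample queries, the response and its address are constructed inside the block, not captured from a network; the parser follows RFC 1035 name compression and rejects pointer loops. In a real capture the same information is one tshark command away, e.g. tshark -i eth0 -f "udp port 53" -Y "dns.flags.response == 0" -T fields -e ip.src -e dns.qry.name.

```python
"""Added example (not part of the original exercise): a minimal parser for
DNS messages as a passive listener on udp port 53 would see them, showing
what name lookups leak about browsing.  All sample messages are
constructed in this file; nothing is captured from a real network."""
import struct

QTYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV", 65: "HTTPS"}


def read_name(msg, off):
    """Decode the domain name at msg[off:], following RFC 1035 compression
    pointers.  Returns (name, offset just past the name as it appears in the
    message, i.e. past the first pointer if one was followed)."""
    labels, end, seen = [], None, set()
    while True:
        if off in seen:                      # pointer loop: malformed message
            raise ValueError("compression loop at offset %d" % off)
        seen.add(off)
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:                      # root label terminates the name
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_dns(msg):
    """Parse header, question section and answer section of one DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:        # A: dotted-quad IPv4 address
            value = ".".join(str(b) for b in rdata)
        elif rtype == 5:                     # CNAME: another (possibly compressed) name
            value, _ = read_name(msg, off)
        else:
            value = rdata.hex()
        off += rdlen
        answers.append((name, QTYPES.get(rtype, str(rtype)), value))
    return {"id": ident, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def summarize(messages):
    """What a passive listener learns: which names were looked up (from
    queries) and what they resolved to (from A records in responses)."""
    looked_up, resolved = {}, {}
    for msg in messages:
        d = parse_dns(msg)
        for name, qtype in d["questions"]:
            if not d["response"]:
                looked_up.setdefault(name, set()).add(qtype)
        for name, rtype, value in d["answers"]:
            if rtype == "A":
                resolved.setdefault(name, []).append(value)
    return looked_up, resolved


# --- constructed sample traffic (not a real capture) -----------------------

def build_query(ident, name, qtype=1):
    """Standard recursive query with one question, wire-encoded by hand."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def build_a_response(query, ipv4):
    """Response to `query` with one A record whose owner name is a compression
    pointer (0xC00C) back to the question name at offset 12."""
    ident = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + rr


SAMPLE = [  # constructed: a browser visiting two sites, one lookup answered
    build_query(0x1A2B, "www.example.com"),
    build_a_response(build_query(0x1A2B, "www.example.com"), "93.184.216.34"),
    build_query(0x1A2C, "www.example.com", 28),
    build_query(0x1A2D, "mail.example.net", 15),
]

if __name__ == "__main__":
    looked_up, resolved = summarize(SAMPLE)
    for name in sorted(looked_up):
        print("%-20s %-8s -> %s" % (name, ",".join(sorted(looked_up[name])),
                                    ", ".join(resolved.get(name, ["?"]))))
```

The point of the exercise shows up in the summary: without touching a single HTTP packet, and even when the web traffic itself is TLS, the listener learns every hostname the browser resolved and the addresses it was given, which is why DNS over TLS or HTTPS matters on untrusted networks.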