sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary.
sshdump [ --help ] [ --version ] [ --extcap-interfaces ] [ --extcap-dlts ] [ --extcap-interface=<interface> ] [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ] [ --capture ] [ --fifo=<path to file or pipe> ] [ --remote-host=<IP address> ] [ --remote-port=<TCP port> ] [ --remote-username=<username> ] [ --remote-password=<password> ] [ --sshkey=<public key path<gt ]> [ --remote-interface=<interface> ] [ --remote-capture-command=<capture command> ] [ --remote-sudo ]
sshdump --extcap-interfaces
sshdump --extcap-interface=<interface> --extcap-dlts
sshdump --extcap-interface=<interface> --extcap-config
sshdump --extcap-interface=<interface> --fifo=<path to file or pipe> --capture --remote-host=myremotehost --remote-port=22 --remote-username=user --remote-interface=eth2 --remote-capture-command='tcpdump -U -i eth0 -w-'
Sshdump is an extcap tool that allows one to run a remote capture tool over a SSH connection. The requirement is that the capture executable must have the capabilities to capture from the wanted interface.
The feature is functionally equivalent to run commands like
$ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE & $ wireshark FILE
$ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE & $ wireshark FILE
$ ssh somehost dumpcap -P -w - -f udp | tshark -i -
Supported interfaces:
Print program arguments.
Print program version.
List available interfaces.
Use specified interfaces.
List DLTs of specified interface.
List configuration options of specified interface.
Start capturing from specified interface and write raw packet data to the location specified by --fifo.
Save captured packet to file or send it through pipe.
The address of the remote host for capture.
The SSH port of the remote host.
The username for ssh authentication.
The password to use (if not ssh-agent and pubkey are used). WARNING: the passwords are stored in plaintext and visible to all users on this system. It is recommended to use keyfiles with a SSH agent.
The path to a private key for authentication.
The remote network interface to capture from.
A custom remote capture command that produces the remote stream that is shown in Wireshark. The command must be able to produce a PCAP stream written to STDOUT. See below for more examples.
When specified, this command will be used as is, no interface, port or filter options will be added.
The capture filter
To see program arguments:
sshdump --help
To see program version:
sshdump --version
To see interfaces:
sshdump --extcap-interfaces
Only one interface (sshdump) is supported.
Output:
interface {value=sshdump}{display=SSH remote capture}
To see interface DLTs:
sshdump --extcap-interface=sshdump --extcap-dlts
Output:
dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT}
To see interface configuration options:
sshdump --extcap-interface=sshdump --extcap-config
Output:
arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
{tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
{tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server}
arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
{tooltip=The remote SSH username. If not provided, the current user will be used}{group=Authentication}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
{tooltip=The path on the local filesystem of the private ssh key}{group=Authentication}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}
{tooltip=Passphrase to unlock the SSH private key}{group=Authentication}
arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string}
{tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string}
{tooltip=The remote network interface used for capture}{group=Capture}
arg {number=8}{call=--remote-capture-command}{display=Remote capture command}{type=string}
{tooltip=The remote command used to capture}{group=Capture}
arg {number=9}{call=--remote-sudo}{display=Use sudo on the remote machine}{type=boolean}
{tooltip=Prepend the capture command with sudo on the remote machine}{group=Capture}
arg {number=10}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag}
{tooltip=Don't use promiscuous mode on the remote machine}{group=Capture}
arg {number=11}{call=--remote-filter}{display=Remote capture filter}{type=string}
{tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture}
arg {number=12}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}
{tooltip=The number of remote packets to capture. (Default: inf)}{group=Capture}
arg {number=13}{call=--debug}{display=Run in debug mode}{type=boolflag}{default=false}
{tooltip=Print debug messages}{required=false}{group=Debug}
arg {number=14}{call=--debug-file}{display=Use a file for debug}{type=string}
{tooltip=Set a file where the debug messages are written}{required=false}{group=Debug}
To capture:
sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-filter "not port 22"
To use different capture binaries:
sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-capture-command='dumpcap -i eth0 -P -w -'
sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-capture-command='sudo tcpdump -i eth0 -U -w -'
NOTE: To stop capturing CTRL+C/kill/terminate application.
wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
Sshdump is part of the Wireshark distribution. The latest version of Wireshark can be found at https://www.wireshark.org.
HTML versions of the Wireshark project man pages are available at: https://www.wireshark.org/docs/man-pages.
Original Author
-------- ------
Dario Lombardo <lomato[AT]gmail.com>