<?xml version="1.0" ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>sshdump - The Wireshark Network Analyzer 3.0.13</title> <link rel="stylesheet" href="ws.css" type="text/css" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <link rev="made" href="mailto:root@localhost" /> </head> <body> <h1 id="NAME">NAME</h1> <p>sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary.</p> <h1 id="SYNOPSIS">SYNOPSIS</h1> <p><b>sshdump</b> <span style="white-space: nowrap;">[ <b>--help</b> ]</span> <span style="white-space: nowrap;">[ <b>--version</b> ]</span> <span style="white-space: nowrap;">[ <b>--extcap-interfaces</b> ]</span> <span style="white-space: nowrap;">[ <b>--extcap-dlts</b> ]</span> <span style="white-space: nowrap;">[ <b>--extcap-interface</b>=<interface> ]</span> <span style="white-space: nowrap;">[ <b>--extcap-config</b> ]</span> <span style="white-space: nowrap;">[ <b>--extcap-capture-filter</b>=<capture filter> ]</span> <span style="white-space: nowrap;">[ <b>--capture</b> ]</span> <span style="white-space: nowrap;">[ <b>--fifo</b>=<path to file or pipe> ]</span> <span style="white-space: nowrap;">[ <b>--remote-host</b>=<IP address> ]</span> <span style="white-space: nowrap;">[ <b>--remote-port</b>=<TCP port> ]</span> <span style="white-space: nowrap;">[ <b>--remote-username</b>=<username> ]</span> <span style="white-space: nowrap;">[ <b>--remote-password</b>=<password> ]</span> <span style="white-space: nowrap;">[ <b>--sshkey</b>=<public key path<gt</span> ]> <span style="white-space: nowrap;">[ <b>--remote-interface</b>=<interface> ]</span> <span style="white-space: nowrap;">[ <b>--remote-capture-command</b>=<capture command> ]</span> <span style="white-space: nowrap;">[ <b>--remote-sudo</b> ]</span></p> <p><b>sshdump</b> <span style="white-space: nowrap;"><b>--extcap-interfaces</b></span></p> <p><b>sshdump</b> <span style="white-space: nowrap;"><b>--extcap-interface</b>=<interface></span> <span style="white-space: nowrap;"><b>--extcap-dlts</b></span></p> <p><b>sshdump</b> <span style="white-space: nowrap;"><b>--extcap-interface</b>=<interface></span> <span style="white-space: nowrap;"><b>--extcap-config</b></span></p> <p><b>sshdump</b> <span style="white-space: nowrap;"><b>--extcap-interface</b>=<interface></span> <span style="white-space: nowrap;"><b>--fifo</b>=<path to file or pipe></span> <span style="white-space: nowrap;"><b>--capture</b></span> <span style="white-space: nowrap;"><b>--remote-host=myremotehost</b></span> <span style="white-space: nowrap;"><b>--remote-port=22</b></span> <span style="white-space: nowrap;"><b>--remote-username=user</b></span> <span style="white-space: nowrap;"><b>--remote-interface=eth2</b></span> <span style="white-space: nowrap;"><b>--remote-capture-command='tcpdump -U -i eth0 -w-'</b></span></p> <h1 id="DESCRIPTION">DESCRIPTION</h1> <p><b>Sshdump</b> is an extcap tool that allows one to run a remote capture tool over a SSH connection. The requirement is that the capture executable must have the capabilities to capture from the wanted interface.</p> <p>The feature is functionally equivalent to run commands like</p> <p>$ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE & $ wireshark FILE</p> <p>$ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE & $ wireshark FILE</p> <p>$ ssh somehost dumpcap -P -w - -f udp | tshark -i -</p> <p>Supported interfaces:</p> <dl> <dt id="ssh">1. ssh</dt> <dd> </dd> </dl> <h1 id="OPTIONS">OPTIONS</h1> <dl> <dt id="help">--help</dt> <dd> <p>Print program arguments.</p> </dd> <dt id="version">--version</dt> <dd> <p>Print program version.</p> </dd> <dt id="extcap-interfaces">--extcap-interfaces</dt> <dd> <p>List available interfaces.</p> </dd> <dt id="extcap-interface-interface">--extcap-interface=<interface></dt> <dd> <p>Use specified interfaces.</p> </dd> <dt id="extcap-dlts">--extcap-dlts</dt> <dd> <p>List DLTs of specified interface.</p> </dd> <dt id="extcap-config">--extcap-config</dt> <dd> <p>List configuration options of specified interface.</p> </dd> <dt id="capture">--capture</dt> <dd> <p>Start capturing from specified interface and write raw packet data to the location specified by --fifo.</p> </dd> <dt id="fifo-path-to-file-or-pipe">--fifo=<path to file or pipe></dt> <dd> <p>Save captured packet to file or send it through pipe.</p> </dd> <dt id="remote-host-remote-host">--remote-host=<remote host></dt> <dd> <p>The address of the remote host for capture.</p> </dd> <dt id="remote-port-remote-port">--remote-port=<remote port></dt> <dd> <p>The SSH port of the remote host.</p> </dd> <dt id="remote-username-username">--remote-username=<username></dt> <dd> <p>The username for ssh authentication.</p> </dd> <dt id="remote-password-password">--remote-password=<password></dt> <dd> <p>The password to use (if not ssh-agent and pubkey are used). WARNING: the passwords are stored in plaintext and visible to all users on this system. It is recommended to use keyfiles with a SSH agent.</p> </dd> <dt id="sshkey-SSH-private-key-path">--sshkey=<SSH private key path></dt> <dd> <p>The path to a private key for authentication.</p> </dd> <dt id="remote-interface-remote-interface">--remote-interface=<remote interface></dt> <dd> <p>The remote network interface to capture from.</p> </dd> <dt id="remote-capture-command-capture-command">--remote-capture-command=<capture command></dt> <dd> <p>A custom remote capture command that produces the remote stream that is shown in Wireshark. The command must be able to produce a PCAP stream written to STDOUT. See below for more examples.</p> <p>When specified, this command will be used as is, no interface, port or filter options will be added.</p> </dd> <dt id="extcap-capture-filter-capture-filter">--extcap-capture-filter=<capture filter></dt> <dd> <p>The capture filter</p> </dd> </dl> <h1 id="EXAMPLES">EXAMPLES</h1> <p>To see program arguments:</p> <pre><code> sshdump --help</code></pre> <p>To see program version:</p> <pre><code> sshdump --version</code></pre> <p>To see interfaces:</p> <pre><code> sshdump --extcap-interfaces</code></pre> <p>Only one interface (sshdump) is supported.</p> <pre><code> Output: interface {value=sshdump}{display=SSH remote capture}</code></pre> <p>To see interface DLTs:</p> <pre><code> sshdump --extcap-interface=sshdump --extcap-dlts Output: dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT}</code></pre> <p>To see interface configuration options:</p> <pre><code> sshdump --extcap-interface=sshdump --extcap-config Output: arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string} {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server} arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned} {tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server} arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string} {tooltip=The remote SSH username. If not provided, the current user will be used}{group=Authentication} arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password} {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication} arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect} {tooltip=The path on the local filesystem of the private ssh key}{group=Authentication} arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password} {tooltip=Passphrase to unlock the SSH private key}{group=Authentication} arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string} {tooltip=The command to use as proxy for the SSH connection}{group=Authentication} arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string} {tooltip=The remote network interface used for capture}{group=Capture} arg {number=8}{call=--remote-capture-command}{display=Remote capture command}{type=string} {tooltip=The remote command used to capture}{group=Capture} arg {number=9}{call=--remote-sudo}{display=Use sudo on the remote machine}{type=boolean} {tooltip=Prepend the capture command with sudo on the remote machine}{group=Capture} arg {number=10}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag} {tooltip=Don't use promiscuous mode on the remote machine}{group=Capture} arg {number=11}{call=--remote-filter}{display=Remote capture filter}{type=string} {tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture} arg {number=12}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0} {tooltip=The number of remote packets to capture. (Default: inf)}{group=Capture} arg {number=13}{call=--debug}{display=Run in debug mode}{type=boolflag}{default=false} {tooltip=Print debug messages}{required=false}{group=Debug} arg {number=14}{call=--debug-file}{display=Use a file for debug}{type=string} {tooltip=Set a file where the debug messages are written}{required=false}{group=Debug}</code></pre> <p>To capture:</p> <pre><code> sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 --remote-username user --remote-filter "not port 22"</code></pre> <p>To use different capture binaries:</p> <pre><code> sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 --remote-capture-command='dumpcap -i eth0 -P -w -' sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 --remote-capture-command='sudo tcpdump -i eth0 -U -w -'</code></pre> <p>NOTE: To stop capturing CTRL+C/kill/terminate application.</p> <h1 id="SEE-ALSO">SEE ALSO</h1> <p>wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)</p> <h1 id="NOTES">NOTES</h1> <p><b>Sshdump</b> is part of the <b>Wireshark</b> distribution. The latest version of <b>Wireshark</b> can be found at <a href="https://www.wireshark.org">https://www.wireshark.org</a>.</p> <p>HTML versions of the Wireshark project man pages are available at: <a href="https://www.wireshark.org/docs/man-pages">https://www.wireshark.org/docs/man-pages</a>.</p> <h1 id="AUTHORS">AUTHORS</h1> <pre><code> Original Author -------- ------ Dario Lombardo <lomato[AT]gmail.com></code></pre> </body> </html>