SSHDUMP(1) The Wireshark Network Analyzer SSHDUMP(1)

NAME
sshdump - Provide interfaces to capture from a remote host through SSH
using a remote capture binary.

SYNOPSIS
sshdump [ --help ] [ --version ] [ --extcap-interfaces ]
[ --extcap-dlts ] [ --extcap-interface=<interface> ]
[ --extcap-config ] [ --extcap-capture-filter=<capture filter> ]
[ --capture ] [ --fifo=<path to file or pipe> ]
[ --remote-host=<IP address> ] [ --remote-port=<TCP port> ]
[ --remote-username=<username> ] [ --remote-password=<password> ]
[ --sshkey=<SSH private key path> ] [ --remote-interface=<interface> ]
[ --remote-capture-command=<capture command> ]

sshdump --extcap-interfaces

sshdump --extcap-interface=<interface> --extcap-dlts

sshdump --extcap-interface=<interface> --extcap-config

sshdump --extcap-interface=<interface> --fifo=<path to file or pipe>
--capture --remote-host=myremotehost --remote-port=22
--remote-username=user --remote-interface=eth2
--remote-capture-command='tcpdump -U -i eth0 -w-'

DESCRIPTION
Sshdump is an extcap tool that allows one to run a remote capture tool
over an SSH connection. The requirement is that the capture executable
must have the capabilities to capture from the wanted interface.

The feature is functionally equivalent to running commands like

$ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
$ wireshark FILE

$ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE &
$ wireshark FILE

Supported interfaces:

1. ssh

OPTIONS
--help
Print program arguments.

--version
Print program version.

--extcap-interfaces
List available interfaces.

--extcap-interface=<interface>
Use the specified interface.

--extcap-dlts
List DLTs of the specified interface.

--extcap-config
List configuration options of the specified interface.

--capture
Start capturing from the specified interface and write raw packet data
to the location specified by --fifo.

--fifo=<path to file or pipe>
Save captured packets to a file or send them through a pipe.

--remote-host=<remote host>
The address of the remote host for capture.

--remote-port=<remote port>
The SSH port of the remote host.

--remote-username=<username>
The username for SSH authentication.

--remote-password=<password>
The password to use (if neither ssh-agent nor a public key is used).
WARNING: the passwords are stored in plaintext and visible to all
users on this system. It is recommended to use key files with an SSH
agent.

--sshkey=<SSH private key path>
The path to a private key for authentication.

--remote-interface=<remote interface>
The remote network interface to capture from.

--remote-capture-command=<capture command>
A custom remote capture command that produces the remote stream
that is shown in Wireshark. The command must be able to produce a
PCAP stream written to STDOUT. See below for more examples.

--extcap-capture-filter=<capture filter>
The capture filter.

EXAMPLES
To see program arguments:

sshdump --help

To see program version:

sshdump --version

To see interfaces:

sshdump --extcap-interfaces

Only one interface (ssh) is supported.

Output:
interface {value=ssh}{display=SSH remote capture}

To see interface DLTs:

sshdump --extcap-interface=ssh --extcap-dlts

Output:
dlt {number=147}{name=ssh}{display=Remote capture dependent DLT}

To see interface configuration options:

sshdump --extcap-interface=ssh --extcap-config

Output:

arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535}
arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}{default=myusername}{tooltip=The remote SSH username. If not provided, the current user will be used}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=string}{tooltip=Passphrase to unlock the SSH private key}
arg {number=6}{call=--remote-interface}{display=Remote interface}{type=string}{default=eth0}{tooltip=The remote network interface used for capture}
arg {number=7}{call=--remote-capture-command}{display=Remote capture command}{type=string}{tooltip=The remote command used to capture.}
arg {number=8}{call=--remote-filter}{display=Remote capture filter}{type=string}{default=not ((host myip) and port 22)}{tooltip=The remote capture filter}
arg {number=9}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}{tooltip=The number of remote packets to capture. (Default: unlimited)}

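The --extcap-config output above is what Wireshark parses to build the capture dialog. As an added example (not part of Wireshark or the sshdump source), the script below parses that `arg {key=value}...` format and validates a proposed set of sshdump settings against it: required fields, unsigned ranges, defaults, and a warning whenever a `type=password` argument is supplied, in line with the WARNING under --remote-password. The sample config lines are copied from this page; the function names are this example's own.

```python
"""Parse `sshdump --extcap-config` output and validate settings against it.
Added example, not Wireshark/sshdump code; sample lines are taken from
the man page output above."""
import re

# A subset of the --extcap-config output on this page, one arg per line.
EXTCAP_CONFIG = """\
arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}
arg {number=9}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}{tooltip=The number of remote packets to capture. (Default: unlimited)}
"""

# Each field is a {key=value} pair; values never contain a closing brace.
FIELD = re.compile(r"\{([a-z]+)=([^}]*)\}")


def parse_extcap_config(text):
    """Return {call: {field: value}} for every 'arg' line in the output."""
    args = {}
    for line in text.splitlines():
        kind, _, body = line.partition(" ")
        if kind != "arg":
            continue  # 'interface' and 'dlt' lines use the same syntax but are not args
        fields = dict(FIELD.findall(body))
        args[fields["call"]] = fields
    return args


def validate(settings, spec):
    """Check {call: value} settings against the parsed spec.
    Returns (errors, warnings); a missing value falls back to {default=...}."""
    errors, warnings = [], []
    for call, fields in spec.items():
        value = settings.get(call, fields.get("default"))
        if value is None:
            if fields.get("required") == "true":
                errors.append(f"{call} is required")
            continue
        if fields["type"] == "unsigned":
            if not str(value).isdigit():
                errors.append(f"{call}={value!r} is not an unsigned integer")
            elif "range" in fields:
                lo, hi = (int(x) for x in fields["range"].split(","))
                if not lo <= int(value) <= hi:
                    errors.append(f"{call}={value} is outside {lo}-{hi}")
        elif fields["type"] == "password":
            # The man page warns these are stored in plaintext, readable by all local users.
            warnings.append(f"{call} given in plaintext; prefer --sshkey with an SSH agent")
    return errors, warnings
```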
To capture:

sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-filter "not port 22"

To use different capture binaries:

sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-capture-command='dumpcap -i eth0 -P -w -'

sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-capture-command='sudo tcpdump -i eth0 -U -w -'

NOTE: To stop capturing, press CTRL+C or kill/terminate the application.

SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)

NOTES
Sshdump is part of the Wireshark distribution. The latest version of
Wireshark can be found at <https://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
<https://www.wireshark.org/docs/man-pages>.

AUTHORS
Original Author
-------- ------
Dario Lombardo <lomato[AT]gmail.com>



2.6.2 2018-07-18 SSHDUMP(1)