SSHDUMP(1) The Wireshark Network Analyzer SSHDUMP(1)

NAME
       sshdump - Provide interfaces to capture from a remote host through SSH
       using a remote capture binary.

SYNOPSIS
       sshdump [ --help ] [ --version ] [ --extcap-interfaces ]
       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
       [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ]
       [ --capture ] [ --fifo=<path to file or pipe> ]
       [ --remote-host=<IP address> ] [ --remote-port=<TCP port> ]
       [ --remote-username=<username> ] [ --remote-password=<password> ]
       [ --sshkey=<private key path> ] [ --remote-interface=<interface> ]
       [ --remote-capture-command=<capture command> ] [ --remote-sudo ]

       sshdump --extcap-interfaces

       sshdump --extcap-interface=<interface> --extcap-dlts

       sshdump --extcap-interface=<interface> --extcap-config

       sshdump --extcap-interface=<interface> --fifo=<path to file or pipe>
       --capture --remote-host=myremotehost --remote-port=22
       --remote-username=user --remote-interface=eth2
       --remote-capture-command='tcpdump -U -i eth0 -w-'

DESCRIPTION
       Sshdump is an extcap tool that allows one to run a remote capture tool
       over an SSH connection. The capture executable on the remote host must
       have the capabilities needed to capture from the wanted interface.

       The feature is functionally equivalent to running commands like

           $ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
           $ wireshark FILE

           $ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE &
           $ wireshark FILE

           $ ssh somehost dumpcap -P -w - -f udp | tshark -i -

       Typically sshdump is not invoked directly. Instead it can be configured
       through the Wireshark graphical user interface or its command line. The
       following will start Wireshark and start capturing from host
       remotehost:

           $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' -i sshdump -k

       To explicitly control the remote capture command:

           $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' \
               '-oextcap.sshdump.remotecapturecommand:"tcpdump -i eth0 -Uw- not port 22"' \
               -i sshdump -k

       Supported interfaces:

       1. ssh

OPTIONS
       --help
           Print program arguments.

       --version
           Print program version.

       --extcap-interfaces
           List available interfaces.

       --extcap-interface=<interface>
           Use the specified interface.

       --extcap-dlts
           List DLTs of the specified interface.

       --extcap-config
           List configuration options of the specified interface.

       --capture
           Start capturing from the specified interface and write raw packet
           data to the location specified by --fifo.

       --fifo=<path to file or pipe>
           Save captured packets to a file or send them through a pipe.

       --remote-host=<remote host>
           The address of the remote host for capture.

       --remote-port=<remote port>
           The SSH port of the remote host.

       --remote-username=<username>
           The username for ssh authentication.

       --remote-password=<password>
           The password to use (when neither ssh-agent nor a public key is
           used). WARNING: the passwords are stored in plaintext and visible
           to all users on this system. It is recommended to use keyfiles with
           an SSH agent.

       --sshkey=<SSH private key path>
           The path to a private key for authentication.

       --remote-interface=<remote interface>
           The remote network interface to capture from.

       --remote-capture-command=<capture command>
           A custom remote capture command that produces the remote stream
           that is shown in Wireshark. The command must be able to produce a
           PCAP stream written to STDOUT. See below for more examples.

           If using tcpdump, use the -w- option to ensure that packets are
           written to standard output (stdout). Include the -U option to write
           packets as soon as they are received.

           When specified, this command is used as is; options such as the
           capture filter (--extcap-capture-filter) are not appended.

       --extcap-capture-filter=<capture filter>
           The capture filter. It corresponds to the value provided via the
           tshark -f option, and the Capture Filter field next to the
           interfaces list in the Wireshark interface.
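The --remote-password warning above states that the password is stored in plaintext and readable by every user on the system. As an added example (not part of this man page and not Wireshark's own code), the following POSIX shell helper audits a Wireshark preferences file for stored extcap passwords and passphrases so an administrator can find them before they leak. It assumes that Wireshark persists extcap option values under keys of the form extcap.<tool>.<option name without dashes>, in the same style as the extcap.sshdump.remotehost and extcap.sshdump.remotecapturecommand keys shown in DESCRIPTION; the exact key extcap.sshdump.remotepassword is an assumption, the function names are mine, and the sample preferences content is constructed.

```shell
# Added example: audit a Wireshark preferences file for extcap credentials
# stored in plaintext. Assumed key layout: extcap.<tool>.<option-without-dashes>
# (e.g. extcap.sshdump.remotepassword); only remotehost/remotecapturecommand
# are shown on the man page, the password key name is inferred.

# Print the key of every non-empty extcap password/passphrase preference in FILE.
# Commented-out lines (leading '#') and empty values are ignored.
find_plaintext_extcap_passwords() {
    file=$1
    [ -r "$file" ] || { printf 'cannot read %s\n' "$file" >&2; return 1; }
    awk '
        /^[ \t]*extcap\.[A-Za-z0-9_-]+\.[A-Za-z0-9_]*pass(word|phrase)[A-Za-z0-9_]*:/ {
            key = $0
            sub(/:.*$/, "", key)        # drop ": value"
            sub(/^[ \t]*/, "", key)     # drop leading whitespace
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)
            if (value != "") print key
        }' "$file"
}

# Exit status 0 if FILE holds no plaintext extcap credential, 1 otherwise.
# The offending keys (never the values) are reported on stderr.
check_preferences_file() {
    found=$(find_plaintext_extcap_passwords "$1") || return 1
    if [ -n "$found" ]; then
        printf 'plaintext extcap credentials stored in %s:\n%s\n' "$1" "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample preferences file (not a real Wireshark file) for a demo run.
make_sample_prefs() {
    cat > "$1" <<'EOF'
# Wireshark preferences (constructed sample)
extcap.sshdump.remotehost: 192.168.1.10
extcap.sshdump.remoteusername: user
extcap.sshdump.remotepassword: hunter2
extcap.sshdump.sshkeypassphrase:
#extcap.sshdump.remotepassword: commented-out
EOF
}

# Usage against a real profile:
#   check_preferences_file ~/.config/wireshark/preferences
```

Only the key names are printed, so the audit itself does not copy the secret into a terminal log; the remediation the page recommends is to clear the value and use a key file with an SSH agent instead.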
125
EXAMPLES
       To see program arguments:

           sshdump --help

       To see program version:

           sshdump --version

       To see interfaces:

           sshdump --extcap-interfaces

       Only one interface (sshdump) is supported.

       Output:

           interface {value=sshdump}{display=SSH remote capture}

       To see interface DLTs:

           sshdump --extcap-interface=sshdump --extcap-dlts

       Output:

           dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT}

       To see interface configuration options:

           sshdump --extcap-interface=sshdump --extcap-config

       Output:

           arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
           {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server}
           arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
           {tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server}
           arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
           {tooltip=The remote SSH username. If not provided, the current user will be used}{group=Authentication}
           arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
           {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
           arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
           {tooltip=The path on the local filesystem of the private ssh key}{group=Authentication}
           arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}
           {tooltip=Passphrase to unlock the SSH private key}{group=Authentication}
           arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string}
           {tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
           arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string}
           {tooltip=The remote network interface used for capture}{group=Capture}
           arg {number=8}{call=--remote-capture-command}{display=Remote capture command}{type=string}
           {tooltip=The remote command used to capture}{group=Capture}
           arg {number=9}{call=--remote-sudo}{display=Use sudo on the remote machine}{type=boolean}
           {tooltip=Prepend the capture command with sudo on the remote machine}{group=Capture}
           arg {number=10}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag}
           {tooltip=Don't use promiscuous mode on the remote machine}{group=Capture}
           arg {number=11}{call=--remote-filter}{display=Remote capture filter}{type=string}
           {tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture}
           arg {number=12}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}
           {tooltip=The number of remote packets to capture. (Default: inf)}{group=Capture}
           arg {number=13}{call=--debug}{display=Run in debug mode}{type=boolflag}{default=false}
           {tooltip=Print debug messages}{required=false}{group=Debug}
           arg {number=14}{call=--debug-file}{display=Use a file for debug}{type=string}
           {tooltip=Set a file where the debug messages are written}{required=false}{group=Debug}
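The --extcap-config output above is the argument-description protocol Wireshark reads to build the interface dialog: one "arg" line per option, each a run of {key=value} fields, with a wrapped continuation line belonging to the preceding "arg". As an added example (not part of this man page and not Wireshark's extcap parser), the following POSIX shell/awk function parses that format into one line per argument giving its call name, type, whether it is required, and its group, which makes it easy to list, for instance, every option Wireshark will treat as a password. The function names are mine and the sample input is constructed from the three arguments shown above.

```shell
# Added example: parse `sshdump --extcap-config` output (format shown on the
# man page) read from stdin. Prints: <call> <type> <required> <group>
# A line beginning with "{" continues the previous "arg" line.
parse_extcap_config() {
    awk '
        # Return the value of {name=value} in line, or "" if absent.
        function field(line, name,    n) {
            if (match(line, "[{]" name "=[^}]*[}]")) {
                n = length(name)
                return substr(line, RSTART + n + 2, RLENGTH - n - 3)
            }
            return ""
        }
        # Emit the record accumulated so far, if any.
        function flush(    req) {
            if (cur != "") {
                req = field(cur, "required")
                if (req == "") req = "false"     # absent means optional
                print field(cur, "call"), field(cur, "type"), req, field(cur, "group")
            }
            cur = ""
        }
        /^[ \t]*arg / { flush(); cur = $0; next }
        /^[ \t]*[{]/  { cur = cur $0; next }
        END           { flush() }
    '
}

# Print only the call names whose type is "password": these are the values
# Wireshark stores as credentials and the man page warns are kept in plaintext.
password_args() {
    parse_extcap_config | awk '$2 == "password" { print $1 }'
}

# Constructed sample: three of the arg lines from the man page output above.
sample_extcap_config() {
    cat <<'EOF'
arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
{tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
arg {number=11}{call=--remote-filter}{display=Remote capture filter}{type=string}
{tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture}
EOF
}

# Usage with the real tool:
#   sshdump --extcap-interface=sshdump --extcap-config | parse_extcap_config
```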
187
       To capture:

           sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
           --remote-username user --remote-filter "not port 22"

       To use different capture binaries:

           sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
           --remote-capture-command='dumpcap -i eth0 -P -w -'

           sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
           --remote-capture-command='sudo tcpdump -i eth0 -U -w -'

       NOTE: To stop capturing, press CTRL+C or kill/terminate the application.
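The capture examples above and the plain ssh pipelines in DESCRIPTION share three requirements that are easy to get wrong: the remote command must write the pcap stream to stdout (-w -), tcpdump needs -U so packets are not held in a buffer, and the filter should exclude the SSH session carrying the capture (the page's "not port 22" and the default remote filter) so the capture does not feed on its own traffic. As an added example (not part of this man page and not sshdump's own code), the following POSIX shell helpers build such a command for tcpdump or dumpcap, check a user-supplied command before it is passed to --remote-capture-command (which sshdump uses as is, without appending a filter), and print both the sshdump invocation and the equivalent plain ssh pipeline without executing either. The function names and the check logic are mine; the option syntax is the page's.

```shell
# Added example: build, check and print remote capture command lines.
# Nothing here runs ssh or sshdump; the functions only produce strings.

# Print a capture command for BIN (tcpdump|dumpcap) on IFACE with FILTER.
# The pcap stream goes to stdout ("-w -"); tcpdump gets -U so packets are
# flushed as they arrive; dumpcap takes its filter via -f.
build_capture_command() {
    bin=$1 iface=$2 filter=$3 use_sudo=$4
    case $bin in
        tcpdump) cmd="tcpdump -U -i $iface -w -"
                 if [ -n "$filter" ]; then cmd="$cmd $filter"; fi ;;
        dumpcap) cmd="dumpcap -i $iface -P -w -"
                 if [ -n "$filter" ]; then cmd="$cmd -f \"$filter\""; fi ;;
        *) printf 'unsupported capture binary: %s\n' "$bin" >&2; return 1 ;;
    esac
    if [ "$use_sudo" = yes ]; then cmd="sudo $cmd"; fi
    printf '%s\n' "$cmd"
}

# Return 0 if CMD writes pcap to stdout, 1 otherwise. Accepts the "-w -",
# "-w-" and "-Uw-" spellings the man page uses. Warns (but does not fail)
# when tcpdump is run without -U, since Wireshark would then see packets late.
check_capture_command() {
    cmd=$1
    set -f; set -- $cmd; set +f        # split into words without globbing
    if [ "$1" = sudo ]; then shift; fi
    bin=${1##*/}                       # /sbin/dumpcap -> dumpcap
    case " $cmd " in
        *" -w - "*|*" -w-"*|*" -Uw-"*) ;;
        *) printf 'capture command does not write to stdout (need "-w -"): %s\n' "$cmd" >&2
           return 1 ;;
    esac
    if [ "$bin" = tcpdump ]; then
        case " $cmd " in
            *" -U "*|*" -Uw"*) ;;
            *) printf 'warning: tcpdump without -U buffers packets\n' >&2 ;;
        esac
    fi
    return 0
}

# Print the sshdump command line (not executed) for HOST, USER, FIFO and CMD.
# Any filter must already be inside CMD: sshdump appends none to a custom command.
sshdump_invocation() {
    host=$1 user=$2 fifo=$3 cmd=$4
    printf "sshdump --extcap-interface=sshdump --capture --fifo=%s --remote-host=%s --remote-username=%s --remote-capture-command='%s'\n" \
        "$fifo" "$host" "$user" "$cmd"
}

# Print the plain ssh pipeline DESCRIPTION gives as the equivalent of sshdump.
plain_ssh_equivalent() {
    host=$1 port=$2 user=$3 cmd=$4 file=$5
    printf "ssh %s@%s -p %s '%s' > %s\n" "$user" "$host" "$port" "$cmd" "$file"
}

# Demo run with constructed values (no connection is made).
demo_cmd=$(build_capture_command tcpdump eth0 "not port 22" no)
check_capture_command "$demo_cmd" && sshdump_invocation 192.168.1.10 user /tmp/ssh.pcap "$demo_cmd"
```

Checking the command locally before handing it to --remote-capture-command matters because sshdump passes it through unchanged: a command that writes to a file on the remote host, or one without a filter excluding the SSH session, fails only after the connection is up and the remote capture has started.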
202
       The sshdump binary can be renamed to support multiple instances. For
       instance, if we want sshdump to show up twice in Wireshark (for
       instance to handle multiple profiles), we can copy sshdump to
       sshdump-host1 and sshdump-host2. Each binary will show up with an
       interface name matching the executable name. Executables not named
       "sshdump" will show up as "custom version" in the interface
       description.
209
SEE ALSO
       wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)

NOTES
       Sshdump is part of the Wireshark distribution. The latest version of
       Wireshark can be found at <https://www.wireshark.org>.

       HTML versions of the Wireshark project man pages are available at:
       <https://www.wireshark.org/docs/man-pages>.

AUTHORS
       Original Author
       -------- ------
       Dario Lombardo <lomato[AT]gmail.com>

3.4.4 2021-03-16 SSHDUMP(1)