CISCODUMP(1)            The Wireshark Network Analyzer            CISCODUMP(1)



NAME
       ciscodump - Provide interfaces to capture from a remote Cisco router
       through SSH.

SYNOPSIS
       ciscodump [ --help ] [ --version ] [ --extcap-interfaces ]
       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
       [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ]
       [ --capture ] [ --fifo=<path to file or pipe> ]
       [ --remote-host=<IP address> ] [ --remote-port=<TCP port> ]
       [ --remote-username=<username> ] [ --remote-password=<password> ]
       [ --remote-filter=<filter> ] [ --sshkey=<private key path> ]
       [ --sshkey-passphrase=<passphrase> ] [ --remote-interface=<interface> ]
       [ --remote-count=<count> ]

       ciscodump --extcap-interfaces

       ciscodump --extcap-interface=<interface> --extcap-dlts

       ciscodump --extcap-interface=<interface> --extcap-config

       ciscodump --extcap-interface=<interface> --fifo=<path to file or pipe>
       --capture --remote-host=remoterouter --remote-port=22
       --remote-username=user --remote-interface=<the router interface>
       --remote-count=<count>

DESCRIPTION
       Ciscodump is an extcap tool that relies on Cisco EPC (Embedded Packet
       Capture) to let a user run a remote capture on a Cisco router over an
       SSH connection. The minimum IOS version supporting this feature is
       12.4(20)T. More details can be found here:
       https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html

       Supported interfaces:

       1. cisco

OPTIONS
       --help
           Print program arguments.

       --version
           Print program version.

       --extcap-interfaces
           List available interfaces.

       --extcap-interface=<interface>
           Use the specified interface.

       --extcap-dlts
           List DLTs of the specified interface.

       --extcap-config
           List configuration options of the specified interface.

       --capture
           Start capturing from the specified interface and write the
           packets to the file or pipe given by --fifo.

       --fifo=<path to file or pipe>
           Save captured packets to a file or send them through a pipe.

       --remote-host=<remote host>
           The address of the remote host to capture from.

       --remote-port=<remote port>
           The SSH port of the remote host.

       --remote-username=<username>
           The username for SSH authentication.

       --remote-password=<password>
           The password to use (if neither ssh-agent nor a key file is used).
           WARNING: the password is passed on the command line, so it is
           stored in plaintext and visible to all users on this system (for
           example in the process list). It is recommended to use key files
           with an SSH agent instead.

       --remote-filter=<filter>
           The remote filter on the router. This is a capture filter that
           follows the Cisco IOS access-list syntax
           (https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html).
           Multiple entries can be specified, separated by commas; they are
           evaluated in order and the first match decides.
           BEWARE: when a filter is used, the default behavior is to drop all
           packets except the ones matched by a permit entry, so a filter
           made only of deny entries captures nothing unless it ends with
           "permit ip any any".

           Examples:

           permit ip host MYHOST any, permit ip any host MYHOST (capture the traffic for MYHOST)

           deny ip host MYHOST any, deny ip any host MYHOST, permit ip any any (capture all the traffic except MYHOST)
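
           The two example filters above behave like an IOS extended ACL:
           entries are tried in order, the first match decides, and anything
           unmatched is dropped. The following Python is an added example,
           not part of ciscodump or Wireshark; it models only the
           "permit|deny ip <src> <dst>" subset used on this page (with
           "any", "host A.B.C.D" and "A.B.C.D WILDCARD" addresses) and runs
           it over constructed sample packets, so a filter string can be
           checked locally before it is sent to a router.

```python
"""Evaluate ciscodump --remote-filter strings as an IOS extended ACL would.

Added example, not code from ciscodump or Wireshark. It models only the
subset used in this man page: comma-separated entries of the form
    permit|deny ip <src> <dst>
with <src>/<dst> being `any`, `host A.B.C.D` or `A.B.C.D WILDCARD`.
Entries are evaluated in order, the first match decides, and a packet
that matches nothing is dropped (the implicit deny at the end of an ACL).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    permit: bool
    src: tuple[int, int]  # (address, wildcard) as 32-bit integers
    dst: tuple[int, int]


def _take_addr(tokens: list[str]) -> tuple[tuple[int, int], list[str]]:
    """Consume one address spec; wildcard bits that are set mean 'don't care'."""
    if not tokens:
        raise ValueError("missing address in ACL entry")
    if tokens[0] == "any":
        return (0, MASK32), tokens[1:]
    if len(tokens) < 2:
        raise ValueError(f"incomplete address spec: {tokens!r}")
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wild), tokens[2:]


def parse_filter(text: str) -> list[Entry]:
    """Split a --remote-filter value on commas and parse each ACL entry."""
    entries = []
    for raw in text.split(","):
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            raise ValueError(f"unsupported ACL entry: {raw.strip()!r}")
        src, rest = _take_addr(tokens[2:])
        dst, rest = _take_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACL entry: {raw.strip()!r}")
        entries.append(Entry(tokens[0] == "permit", src, dst))
    return entries


def _matches(spec: tuple[int, int], address: str) -> bool:
    addr, wild = spec
    care = ~wild & MASK32  # bits that must be equal
    return (int(ipaddress.IPv4Address(address)) & care) == (addr & care)


def captured(entries: list[Entry], src: str, dst: str) -> bool:
    """First matching entry decides; no match means the packet is dropped."""
    for entry in entries:
        if _matches(entry.src, src) and _matches(entry.dst, dst):
            return entry.permit
    return False


def apply_filter(text: str, packets: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the subset of (src, dst) packets the router would keep."""
    entries = parse_filter(text)
    return [(s, d) for s, d in packets if captured(entries, s, d)]


# Constructed sample traffic: (source, destination) pairs seen on the interface.
SAMPLE_PACKETS = [
    ("192.168.1.1", "10.0.0.5"),
    ("10.0.0.5", "192.168.1.1"),
    ("10.0.0.5", "10.0.0.9"),
    ("172.16.0.2", "192.168.1.1"),
]

ONLY_MYHOST = "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1"
ALL_BUT_MYHOST = "deny ip host 192.168.1.1 any, deny ip any host 192.168.1.1, permit ip any any"
DENY_ONLY = "deny ip host 192.168.1.1 any"  # no permit entry: captures nothing

if __name__ == "__main__":
    for name, flt in (("only MYHOST", ONLY_MYHOST),
                      ("all but MYHOST", ALL_BUT_MYHOST),
                      ("deny only", DENY_ONLY)):
        print(f"{name}: {apply_filter(flt, SAMPLE_PACKETS)}")
```

           The third filter is the trap the BEWARE note describes: a deny
           entry with no trailing "permit ip any any" keeps nothing at all.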

       --sshkey=<SSH private key path>
           The path to a private key for authentication.

       --sshkey-passphrase=<passphrase>
           The passphrase to unlock the private key given with --sshkey.

       --remote-interface=<remote interface>
           The remote network interface to capture from.

       --remote-count=<count>
           The number of packets to capture. This option is mandatory, and
           the captured data is only returned once exactly this many packets
           have been captured.

       --extcap-capture-filter=<capture filter>
           Unused (compatibility only).

EXAMPLES
       To see program arguments:

           ciscodump --help

       To see program version:

           ciscodump --version

       To see interfaces:

           ciscodump --extcap-interfaces

       Only one interface (cisco) is supported.

       Output:
           interface {value=cisco}{display=SSH remote capture}

       To see interface DLTs:

           ciscodump --extcap-interface=cisco --extcap-dlts

       Output:
           dlt {number=147}{name=cisco}{display=Remote capture dependent DLT}

       To see interface configuration options:

           ciscodump --extcap-interface=cisco --extcap-config

       Output:
           arg {number=0}{call=--remote-host}{display=Remote SSH server address}
           {type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}
           {required=true}
           arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
           {default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535}
           arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
           {default=<current user>}{tooltip=The remote SSH username. If not provided, the current
           user will be used}
           arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=string}
           {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
           arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
           {tooltip=The path on the local filesystem of the private ssh key}
           arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}
           {type=string}{tooltip=Passphrase to unlock the SSH private key}
           arg {number=6}{call=--remote-interface}{display=Remote interface}{type=string}
           {required=true}{tooltip=The remote network interface used for capture}
           arg {number=7}{call=--remote-filter}{display=Remote capture filter}{type=string}
           {default=(null)}{tooltip=The remote capture filter}
           arg {number=8}{call=--remote-count}{display=Packets to capture}{type=unsigned}{required=true}
           {tooltip=The number of remote packets to capture.}

       To capture:

           ciscodump --extcap-interface cisco --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
           --remote-username user --remote-interface gigabit0/0 --remote-count 100
           --remote-filter "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1"

       NOTE: The packet count (--remote-count) is mandatory; the capture
       completes, and the packets are delivered, only once exactly that many
       packets have been captured on the router.

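       Wireshark builds its capture dialog from exactly these "arg {...}"
       records, and the required=true fields are why --remote-interface and
       --remote-count cannot be omitted. The following Python is an added
       example, not code from Wireshark or ciscodump: it parses a
       constructed copy of the --extcap-config output above (one record per
       line, as the tool itself prints it) and checks a set of command-line
       options against it, including the port range and a warning when the
       plaintext --remote-password is used. The option sets are constructed
       from the "To capture" example.

```python
"""Parse `ciscodump --extcap-config` output and validate options against it.

Added example, not code from Wireshark or ciscodump. EXTCAP_CONFIG is a
constructed copy of the arg records shown in the man page, one record per
line as the tool prints them; the option sets at the bottom are constructed
from the man page's capture example.
"""
import re

# Each record is a run of {key=value} fields; values never contain '}'.
FIELD = re.compile(r"\{([^=}]+)=([^}]*)\}")

EXTCAP_CONFIG = """\
arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}{default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535}
arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}{default=<current user>}{tooltip=The remote SSH username. If not provided, the current user will be used}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=string}{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}{tooltip=The path on the local filesystem of the private ssh key}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=string}{tooltip=Passphrase to unlock the SSH private key}
arg {number=6}{call=--remote-interface}{display=Remote interface}{type=string}{required=true}{tooltip=The remote network interface used for capture}
arg {number=7}{call=--remote-filter}{display=Remote capture filter}{type=string}{default=(null)}{tooltip=The remote capture filter}
arg {number=8}{call=--remote-count}{display=Packets to capture}{type=unsigned}{required=true}{tooltip=The number of remote packets to capture.}
"""


def parse_extcap_config(text):
    """Return one dict per `arg` record, keyed by field name."""
    records = []
    for line in text.splitlines():
        if line.startswith("arg "):
            records.append(dict(FIELD.findall(line)))
    return records


def validate(records, options):
    """Check a {'--flag': 'value'} mapping against the arg records.

    Returns (errors, warnings). Empty errors means the option set satisfies
    every required/type/range constraint the extcap config declares.
    """
    errors, warnings = [], []
    known = {r["call"] for r in records}
    for flag in options:
        if flag not in known:
            errors.append(f"unknown option {flag}")
    for r in records:
        flag = r["call"]
        value = options.get(flag)
        if value is None:
            if r.get("required") == "true":
                errors.append(f"missing required option {flag}")
            continue
        if flag == "--remote-password":
            # The man page warns that the password is passed in plaintext on
            # the command line, visible to every user on the capturing host.
            warnings.append("--remote-password is exposed in the process list; prefer --sshkey with an agent")
        if r.get("type") == "unsigned":
            if not value.isdigit():
                errors.append(f"{flag} must be an unsigned integer, got {value!r}")
                continue
            if "range" in r:
                lo, hi = (int(x) for x in r["range"].split(","))
                if not lo <= int(value) <= hi:
                    errors.append(f"{flag}={value} is outside the allowed range {lo}-{hi}")
    return errors, warnings


# Constructed option sets mirroring the "To capture" example in the man page.
WITHOUT_COUNT = {
    "--remote-host": "192.168.1.10",
    "--remote-username": "user",
    "--remote-interface": "gigabit0/0",
    "--remote-filter": "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1",
}
WITH_COUNT = dict(WITHOUT_COUNT, **{"--remote-count": "100"})

if __name__ == "__main__":
    records = parse_extcap_config(EXTCAP_CONFIG)
    print("without --remote-count:", validate(records, WITHOUT_COUNT))
    print("with --remote-count:   ", validate(records, WITH_COUNT))
```

       Running the first option set reproduces the failure a user hits when
       the packet count is left out; the second set passes with no errors.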

KNOWN ISSUES
       The configuration of the capture on the router is a multi-step
       process. If the SSH connection is interrupted during it, the
       configuration can be left in an inconsistent state. That can also
       happen if the capture is stopped and ciscodump can't clean the
       configuration up. In this case it is necessary to log into the router
       and manually clean the configuration, removing the capture point
       (WIRESHARK_CAPTURE_POINT), the capture buffer
       (WIRESHARK_CAPTURE_BUFFER) and the capture filter
       (WIRESHARK_CAPTURE_FILTER).

       Another known issue is related to the number of captured packets
       (--remote-count). Due to the nature of the capture buffer, ciscodump
       waits for the capture to complete and then issues the command to show
       it. This means that if the user specifies a number of packets higher
       than what is actually captured, the show command is never issued and
       no packets are delivered. The count is therefore not only the maximum
       number of captured packets but also the _exact_ number that must be
       captured before anything is returned.


SEE ALSO
       wireshark(1), tshark(1), dumpcap(1), extcap(4), sshdump(1)

NOTES
       ciscodump is part of the Wireshark distribution. The latest version of
       Wireshark can be found at <https://www.wireshark.org>.

       HTML versions of the Wireshark project man pages are available at:
       <https://www.wireshark.org/docs/man-pages>.

AUTHORS
       Original Author
       -------- ------
       Dario Lombardo <lomato[AT]gmail.com>



3.4.5                           2021-05-27                        CISCODUMP(1)