1CISCODUMP(1)            The Wireshark Network Analyzer            CISCODUMP(1)
2
3
4

NAME

6       ciscodump - Provide interfaces to capture from a remote Cisco router
7       through SSH.
8

SYNOPSIS

10       ciscodump [ --help ] [ --version ] [ --extcap-interfaces ]
11       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
12       [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ]
13       [ --capture ] [ --fifo=<path to file or pipe> ]
14       [ --remote-host=<IP address> ] [ --remote-port=<TCP port> ]
15       [ --remote-username=<username> ] [ --remote-password=<password> ]
16       [ --remote-filter=<filter<gt ]> [ --sshkey=<public key path<gt ]>
17       [ --remote-interface=<interface> ]
18
19       ciscodump --extcap-interfaces
20
21       ciscodump --extcap-interface=<interface> --extcap-dlts
22
23       ciscodump --extcap-interface=<interface> --extcap-config
24
25       ciscodump --extcap-interface=<interface> --fifo=<path to file or pipe>
26       --capture --remote-host=remoterouter --remote-port=22
27       --remote-username=user --remote-interface=<the router interface>
28

DESCRIPTION

30       Ciscodump is an extcap tool that relies on Cisco EPC to allow a user to
31       run a remote capture on a Cisco router in a SSH connection. The minimum
32       IOS version supporting this feature is 12.4(20)T. More details can be
33       found here:
34       https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-embedded-packet-capture/datasheet_c78-502727.html
35
36       Supported interfaces:
37
38       1. cisco
39

OPTIONS

41       --help
42           Print program arguments.
43
44       --version
45           Print program version.
46
47       --extcap-interfaces
48           List available interfaces.
49
50       --extcap-interface=<interface>
51           Use specified interfaces.
52
53       --extcap-dlts
54           List DLTs of specified interface.
55
56       --extcap-config
57           List configuration options of specified interface.
58
59       --capture
60           Start capturing from specified interface and save it in place
61           specified by --fifo.
62
63       --fifo=<path to file or pipe>
64           Save captured packet to file or send it through pipe.
65
66       --remote-host=<remote host>
67           The address of the remote host for capture.
68
69       --remote-port=<remote port>
70           The SSH port of the remote host.
71
72       --remote-username=<username>
73           The username for ssh authentication.
74
75       --remote-password=<password>
76           The password to use (if not ssh-agent and pubkey are used).
77           WARNING: the passwords are stored in plaintext and visible to all
78           users on this system. It is recommended to use keyfiles with a SSH
79           agent.
80
81       --remote-filter=<filter>
82           The remote filter on the router. This is a capture filter that
83           follows the Cisco IOS standards
84           (https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html).
85           Multiple filters can be specified using a comma between them.
86           BEWARE: when using a filter, the default behavior is to drop all
87           the packets except the ones that fall into the filter.
88
89           Examples:
90
91               permit ip host MYHOST any, permit ip any host MYHOST (capture the traffic for MYHOST)
92
93               deny ip host MYHOST any, deny ip any host MYHOST, permit ip any any (capture all the traffic except MYHOST)
94
95       --sshkey=<SSH private key path>
96           The path to a private key for authentication.
97
98       --remote-interface=<remote interface>
99           The remote network interface to capture from.
100
101       --extcap-capture-filter=<capture filter>
102           Unused (compatibility only).
103

EXAMPLES

105       To see program arguments:
106
107           ciscodump --help
108
109       To see program version:
110
111           ciscodump --version
112
113       To see interfaces:
114
115           ciscodump --extcap-interfaces
116
117       Only one interface (cisco) is supported.
118
119         Output:
120           interface {value=cisco}{display=SSH remote capture}
121
122       To see interface DLTs:
123
124           ciscodump --extcap-interface=cisco --extcap-dlts
125
126         Output:
127           dlt {number=147}{name=cisco}{display=Remote capture dependent DLT}
128
129       To see interface configuration options:
130
131           ciscodump --extcap-interface=cisco --extcap-config
132
133         Output:
134           ciscodump --extcap-interface=cisco --extcap-config
135           arg {number=0}{call=--remote-host}{display=Remote SSH server address}
136               {type=string}{tooltip=The remote SSH host. It can be both an IP address or a hostname}
137               {required=true}
138           arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
139               {default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535}
140           arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
141               {default=<current user>}{tooltip=The remote SSH username. If not provided, the current
142               user will be used}
143           arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=string}
144               {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
145           arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
146               {tooltip=The path on the local filesystem of the private ssh key}
147           arg {number=5}{call--sshkey-passphrase}{display=SSH key passphrase}
148               {type=string}{tooltip=Passphrase to unlock the SSH private key}
149           arg {number=6}{call=--remote-interface}{display=Remote interface}{type=string}
150               {required=true}{tooltip=The remote network interface used for capture}
151           arg {number=7}{call=--remote-filter}{display=Remote capture filter}{type=string}
152               {default=(null)}{tooltip=The remote capture filter}
153           arg {number=8}{call=--remote-count}{display=Packets to capture}{type=unsigned}{required=true}
154               {tooltip=The number of remote packets to capture.}
155
156       To capture:
157
158           ciscodump --extcap-interface cisco --fifo=/tmp/cisco.pcap --capture --remote-host 192.168.1.10
159               --remote-username user --remote-interface gigabit0/0
160               --remote-filter "permit ip host 192.168.1.1 any, permit ip any host 192.168.1.1"
161
162       NOTE: Packet count is mandatory, hence the capture will start after
163       this number.
164

KNOWN ISSUES

166       The configuration of the capture on the routers is a multi-step
167       process. If the SSH connection is interrupted during it, the
168       configuration can be in an inconsistent state. That can happen also if
169       the capture is stopped and ciscodump can't clean the configuration up.
170       In this case it is necessary to log into the router and manually clean
171       the configuration, removing both the capture point
172       (WIRESHARK_CAPTURE_POINT), the capture buffer
173       (WIRESHARK_CAPTURE_BUFFER) and the capture filter
174       (WIRESHARK_CAPTURE_FILTER).
175
176       Another known issues is related to the number of captured packets
177       (--remote-count). Due to the nature of the capture buffer, ciscodump
178       waits for the capture to complete and then issues the command to show
179       it. It means that if the user specifies a number of packets above the
180       currently captured, the show command is never shown. Not only is the
181       count of the maximum number of captured packets, but it is also the
182       _exact_ number of expected packets.
183

SEE ALSO

185       wireshark(1), tshark(1), dumpcap(1), extcap(4), sshdump(1)
186

NOTES

188       ciscodump is part of the Wireshark distribution.  The latest version of
189       Wireshark can be found at <https://www.wireshark.org>.
190
191       HTML versions of the Wireshark project man pages are available at:
192       <https://www.wireshark.org/docs/man-pages>.
193

AUTHORS

195         Original Author
196         -------- ------
197         Dario Lombardo             <lomato[AT]gmail.com>
198
199
200
2013.4.5                             2021-05-27                      CISCODUMP(1)
Impressum