1SSHDUMP(1) SSHDUMP(1)
2
6 sshdump - Provide interfaces to capture from a remote host through SSH
7 using a remote capture binary.
8
10 sshdump [ --help ] [ --version ] [ --extcap-interfaces ]
11 [ --extcap-dlts ] [ --extcap-interface=<interface> ]
12 [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ]
13 [ --capture ] [ --fifo=<path to file or pipe> ]
14 [ --remote-host=<IP address> ] [ --remote-port=<TCP port> ]
15 [ --remote-username=<username> ] [ --remote-password=<password> ]
16 [ --sshkey=<public key path> ] [ --remote-interface=<interface> ]
17 [ --remote-capture-command=<capture command> ] [ --remote-sudo ]
18 sshdump --extcap-interfaces
20 sshdump --extcap-interface=<interface> --extcap-dlts
22 sshdump --extcap-interface=<interface> --extcap-config
24 sshdump --extcap-interface=<interface> --fifo=<path to file or pipe>
26 --capture --remote-host=myremotehost --remote-port=22
27 --remote-username=user --remote-interface=eth2
28 --remote-capture-command='tcpdump -U -i eth0 -w-'
29
31 Sshdump is an extcap tool that allows one to run a remote capture tool
32 over a SSH connection. The requirement is that the capture executable
33 must have the capabilities to capture from the wanted interface.
34 The feature is functionally equivalent to run commands like
36 $ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
38 $ wireshark FILE
39 $ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE &
41 $ wireshark FILE
42 $ ssh somehost dumpcap -P -w - -f udp | tshark -i -
44 Typically sshdump is not invoked directly. Instead it can be configured
46 through the Wireshark graphical user interface or its command line. The
47 following will start Wireshark and start capturing from host
48 remotehost:
49 $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' -i sshdump -k
51 To explicitly control the remote capture command:
53 $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' \
55 '-oextcap.sshdump.remotecapturecommand:"tcpdump -i eth0 -Uw- not port 22"' \
56 -i sshdump -k
57 Supported interfaces:
59 1. ssh
61
63 --help
64 Print program arguments.
66 --version
68 Print program version.
70 --extcap-interfaces
72 List available interfaces.
74 --extcap-interface=<interface>
76 Use specified interfaces.
78 --extcap-dlts
80 List DLTs of specified interface.
82 --extcap-config
84 List configuration options of specified interface.
86 --capture
88 Start capturing from specified interface and write raw packet data
90 to the location specified by --fifo.
91 --fifo=<path to file or pipe>
93 Save captured packet to file or send it through pipe.
95 --remote-host=<remote host>
97 The address of the remote host for capture.
99 --remote-port=<remote port>
101 The SSH port of the remote host.
103 --remote-username=<username>
105 The username for ssh authentication.
107 --remote-password=<password>
109 The password to use (if not ssh-agent and pubkey are used).
111 WARNING: the passwords are stored in plaintext and visible to all
112 users on this system. It is recommended to use keyfiles with a SSH
113 agent.
114 --sshkey=<SSH private key path>
116 The path to a private key for authentication.
118 --remote-interface=<remote interface>
120 The remote network interface to capture from.
122 --remote-capture-command=<capture command>
124 A custom remote capture command that produces the remote stream
126 that is shown in Wireshark. The command must be able to produce a
127 PCAP stream written to STDOUT. See below for more examples.
128 If using tcpdump, use the -w- option to ensure that packets are
130 written to standard output (stdout). Include the -U option to write
131 packets as soon as they are received.
132 When specified, this command will be used as is, options such as
134 the capture filter (--extcap-capture-filter) will not be appended.
135 --extcap-capture-filter=<capture filter>
137 The capture filter. It corresponds to the value provided via the
139 tshark -f option, and the Capture Filter field next to the
140 interfaces list in the Wireshark interface.
141
143 To see program arguments:
144 sshdump --help
146 To see program version:
148 sshdump --version
150 To see interfaces:
152 sshdump --extcap-interfaces
154 Only one interface (sshdump) is supported.
156 Example output
158 interface {value=sshdump}{display=SSH remote capture}
160 To see interface DLTs:
162 sshdump --extcap-interface=sshdump --extcap-dlts
164 Example output
166 dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT}
168 To see interface configuration options:
170 sshdump --extcap-interface=sshdump --extcap-config
172 Example output
174 arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
176 {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server}
177 arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
178 {tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server}
179 arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
180 {tooltip=The remote SSH username. If not provided, the current user will be used}{group=Authentication}
181 arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
182 {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
183 arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
184 {tooltip=The path on the local filesystem of the private ssh key}{group=Authentication}
185 arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}
186 {tooltip=Passphrase to unlock the SSH private key}{group=Authentication}
187 arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string}
188 {tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
189 arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string}
190 {tooltip=The remote network interface used for capture}{group=Capture}
191 arg {number=8}{call=--remote-capture-command}{display=Remote capture command}{type=string}
192 {tooltip=The remote command used to capture}{group=Capture}
193 arg {number=9}{call=--remote-sudo}{display=Use sudo on the remote machine}{type=boolean}
194 {tooltip=Prepend the capture command with sudo on the remote machine}{group=Capture}
195 arg {number=10}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag}
196 {tooltip=Don't use promiscuous mode on the remote machine}{group=Capture}
197 arg {number=11}{call=--remote-filter}{display=Remote capture filter}{type=string}
198 {tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture}
199 arg {number=12}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}
200 {tooltip=The number of remote packets to capture. (Default: inf)}{group=Capture}
201 arg {number=13}{call=--debug}{display=Run in debug mode}{type=boolflag}{default=false}
202 {tooltip=Print debug messages}{required=false}{group=Debug}
203 arg {number=14}{call=--debug-file}{display=Use a file for debug}{type=string}
204 {tooltip=Set a file where the debug messages are written}{required=false}{group=Debug}
205 To capture:
207 sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
209 --remote-username user --remote-filter "not port 22"
210 To use different capture binaries:
212 sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
214 --remote-capture-command='dumpcap -i eth0 -P -w -'
215 sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
217 --remote-capture-command='sudo tcpdump -i eth0 -U -w -'
218 Note
220 To stop capturing CTRL+C/kill/terminate application.
221 The sshdump binary can be renamed to support multiple instances. For
223 instance if we want sshdump to show up twice in wireshark (for instance
224 to handle multiple profiles), we can copy sshdump to sshdump-host1 and
225 sshdump-host2. Each binary will show up an interface name same as the
226 executable name. Those executables not being "sshdump" will show up as
227 "custom version" in the interface description.
228
230 wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
231
233 Sshdump is part of the Wireshark distribution. The latest version of
234 Wireshark can be found at https://www.wireshark.org.
235 HTML versions of the Wireshark project man pages are available at
237 https://www.wireshark.org/docs/man-pages.
238
240 Original Author
241 Dario Lombardo <lomato[AT]gmail.com>
242 2021-11-25 SSHDUMP(1)