1SSHDUMP(1)                                                          SSHDUMP(1)
2
3
4

NAME

6       sshdump - Provide interfaces to capture from a remote host through SSH
7       using a remote capture binary.
8

SYNOPSIS

10       sshdump [ --help ] [ --version ] [ --extcap-interfaces ]
11       [ --extcap-dlts ] [ --extcap-interface=<interface> ]
12       [ --extcap-config ] [ --extcap-capture-filter=<capture filter> ]
13       [ --capture ] [ --fifo=<path to file or pipe> ]
14       [ --remote-host=<IP address> ] [ --remote-port=<TCP port> ]
15       [ --remote-username=<username> ] [ --remote-password=<password> ]
16       [ --sshkey=<public key path> ] [ --remote-interface=<interface> ]
17       [ --remote-capture-command=<capture command> ] [ --remote-sudo ]
18
19       sshdump --extcap-interfaces
20
21       sshdump --extcap-interface=<interface> --extcap-dlts
22
23       sshdump --extcap-interface=<interface> --extcap-config
24
25       sshdump --extcap-interface=<interface> --fifo=<path to file or pipe>
26       --capture --remote-host=myremotehost --remote-port=22
27       --remote-username=user --remote-interface=eth2
28       --remote-capture-command='tcpdump -U -i eth0 -w-'
29

DESCRIPTION

31       Sshdump is an extcap tool that allows one to run a remote capture tool
32       over a SSH connection. The requirement is that the capture executable
33       must have the capabilities to capture from the wanted interface.
34
35       The feature is functionally equivalent to run commands like
36
37           $ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
38           $ wireshark FILE
39
40           $ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE &
41           $ wireshark FILE
42
43           $ ssh somehost dumpcap -P -w - -f udp | tshark -i -
44
45       Typically sshdump is not invoked directly. Instead it can be configured
46       through the Wireshark graphical user interface or its command line. The
47       following will start Wireshark and start capturing from host
48       remotehost:
49
50           $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' -i sshdump -k
51
52       To explicitly control the remote capture command:
53
54           $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' \
55                       '-oextcap.sshdump.remotecapturecommand:"tcpdump -i eth0 -Uw- not port 22"' \
56                       -i sshdump -k
57
58       Supported interfaces:
59
60        1. ssh
61

OPTIONS

63       --help
64
65           Print program arguments.
66
67       --version
68
69           Print program version.
70
71       --extcap-interfaces
72
73           List available interfaces.
74
75       --extcap-interface=<interface>
76
77           Use specified interfaces.
78
79       --extcap-dlts
80
81           List DLTs of specified interface.
82
83       --extcap-config
84
85           List configuration options of specified interface.
86
87       --capture
88
89           Start capturing from specified interface and write raw packet data
90           to the location specified by --fifo.
91
92       --fifo=<path to file or pipe>
93
94           Save captured packet to file or send it through pipe.
95
96       --remote-host=<remote host>
97
98           The address of the remote host for capture.
99
100       --remote-port=<remote port>
101
102           The SSH port of the remote host.
103
104       --remote-username=<username>
105
106           The username for ssh authentication.
107
108       --remote-password=<password>
109
110           The password to use (if not ssh-agent and pubkey are used).
111           WARNING: the passwords are stored in plaintext and visible to all
112           users on this system. It is recommended to use keyfiles with a SSH
113           agent.
114
115       --sshkey=<SSH private key path>
116
117           The path to a private key for authentication.
118
119       --remote-interface=<remote interface>
120
121           The remote network interface to capture from.
122
123       --remote-capture-command=<capture command>
124
125           A custom remote capture command that produces the remote stream
126           that is shown in Wireshark. The command must be able to produce a
127           PCAP stream written to STDOUT. See below for more examples.
128
129           If using tcpdump, use the -w- option to ensure that packets are
130           written to standard output (stdout). Include the -U option to write
131           packets as soon as they are received.
132
133           When specified, this command will be used as is, options such as
134           the capture filter (--extcap-capture-filter) will not be appended.
135
136       --extcap-capture-filter=<capture filter>
137
138           The capture filter. It corresponds to the value provided via the
139           tshark -f option, and the Capture Filter field next to the
140           interfaces list in the Wireshark interface.
141

EXAMPLES

143       To see program arguments:
144
145           sshdump --help
146
147       To see program version:
148
149           sshdump --version
150
151       To see interfaces:
152
153           sshdump --extcap-interfaces
154
155       Only one interface (sshdump) is supported.
156
157       Example output
158
159           interface {value=sshdump}{display=SSH remote capture}
160
161       To see interface DLTs:
162
163           sshdump --extcap-interface=sshdump --extcap-dlts
164
165       Example output
166
167           dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT}
168
169       To see interface configuration options:
170
171           sshdump --extcap-interface=sshdump --extcap-config
172
173       Example output
174
175           arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
176               {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server}
177           arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
178               {tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server}
179           arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
180               {tooltip=The remote SSH username. If not provided, the current user will be used}{group=Authentication}
181           arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
182               {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
183           arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
184               {tooltip=The path on the local filesystem of the private ssh key}{group=Authentication}
185           arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}
186               {tooltip=Passphrase to unlock the SSH private key}{group=Authentication}
187           arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string}
188               {tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
189           arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string}
190               {tooltip=The remote network interface used for capture}{group=Capture}
191           arg {number=8}{call=--remote-capture-command}{display=Remote capture command}{type=string}
192               {tooltip=The remote command used to capture}{group=Capture}
193           arg {number=9}{call=--remote-sudo}{display=Use sudo on the remote machine}{type=boolean}
194               {tooltip=Prepend the capture command with sudo on the remote machine}{group=Capture}
195           arg {number=10}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag}
196               {tooltip=Don't use promiscuous mode on the remote machine}{group=Capture}
197           arg {number=11}{call=--remote-filter}{display=Remote capture filter}{type=string}
198               {tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture}
199           arg {number=12}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}
200               {tooltip=The number of remote packets to capture. (Default: inf)}{group=Capture}
201           arg {number=13}{call=--debug}{display=Run in debug mode}{type=boolflag}{default=false}
202               {tooltip=Print debug messages}{required=false}{group=Debug}
203           arg {number=14}{call=--debug-file}{display=Use a file for debug}{type=string}
204               {tooltip=Set a file where the debug messages are written}{required=false}{group=Debug}
205
206       To capture:
207
208           sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
209           --remote-username user --remote-filter "not port 22"
210
211       To use different capture binaries:
212
213           sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
214           --remote-capture-command='dumpcap -i eth0 -P -w -'
215
216           sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
217           --remote-capture-command='sudo tcpdump -i eth0 -U -w -'
218
219           Note
220           To stop capturing CTRL+C/kill/terminate application.
221
222       The sshdump binary can be renamed to support multiple instances. For
223       instance if we want sshdump to show up twice in wireshark (for instance
224       to handle multiple profiles), we can copy sshdump to sshdump-host1 and
225       sshdump-host2. Each binary will show up an interface name same as the
226       executable name. Those executables not being "sshdump" will show up as
227       "custom version" in the interface description.
228

SEE ALSO

230       wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
231

NOTES

233       Sshdump is part of the Wireshark distribution. The latest version of
234       Wireshark can be found at https://www.wireshark.org.
235
236       HTML versions of the Wireshark project man pages are available at
237       https://www.wireshark.org/docs/man-pages.
238

AUTHORS

240       Original Author
241       Dario Lombardo <lomato[AT]gmail.com>
242
243
244
245                                  2022-02-16                        SSHDUMP(1)
Impressum