nexmon – Rev 1
?pathlinks?
=head1 NAME
sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary.
=head1 SYNOPSIS
B<sshdump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--extcap-capture-filter>=E<lt>capture filterE<gt> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--remote-host>=E<lt>IP addressE<gt> ]>
S<[ B<--remote-port>=E<lt>TCP portE<gt> ]>
S<[ B<--remote-username>=E<lt>usernameE<gt> ]>
S<[ B<--remote-password>=E<lt>passwordE<gt> ]>
S<[ B<--sshkey>=E<lt>public key path<gt> ]>
S<[ B<--remote-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--remote-capture-bin>=E<lt>capture binaryE<gt> ]>
B<sshdump>
S<B<--extcap-interfaces>>
B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-dlts>>
B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-config>>
B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--fifo>=E<lt>path to file or pipeE<gt>>
S<B<--capture>>
S<B<--remote-host=myremotehost>>
S<B<--remote-port=22>>
S<B<--remote-username=user>>
S<B<--remote-interface=eth2>>
S<B<--remote-capture-bin=/usr/sbin/dumpcap>>
=head1 DESCRIPTION
B<Sshdump> is a extcap tool that allows one to run a remote capture
tool in a SSH connection. The requirement is that the capture
executable must have the capabilities to capture from the wanted
interface.
The feature is functionally equivalent to run commands like
$ ssh remoteuser@remotehost -p 22222 'dumpcap -i IFACE -P -w -' > FILE &
$ wireshark FILE
$ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE &
$ wireshark FILE
Supported interfaces:
=over 4
=item 1. ssh
=back
=head1 OPTIONS
=over 4
=item --help
Print program arguments.
=item --version
Print program version.
=item --extcap-interfaces
List available interfaces.
=item --extcap-interface=E<lt>interfaceE<gt>
Use specified interfaces.
=item --extcap-dlts
List DLTs of specified interface.
=item --extcap-config
List configuration options of specified interface.
=item --capture
Start capturing from specified interface and write raw packet data to the location specified by --fifo.
=item --fifo=E<lt>path to file or pipeE<gt>
Save captured packet to file or send it through pipe.
=item --remote-host=E<lt>remote hostE<gt>
The address of the remote host for capture.
=item --remote-port=E<lt>remote portE<gt>
The SSH port of the remote host.
=item --remote-username=E<lt>usernameE<gt>
The username for ssh authentication.
=item --remote-password=E<lt>passwordE<gt>
The password to use (if not ssh-agent and pubkey are used). WARNING: the
passwords are stored in plaintext and visible to all users on this system. It is
recommended to use keyfiles with a SSH agent.
=item --sshkey=E<lt>SSH private key pathE<gt>
The path to a private key for authentication.
=item --remote-interface=E<lt>remote interfaceE<gt>
The remote network interface to capture from.
=item --remote-capture-bin=E<lt>capture binaryE<gt>
The remote capture binary.
=item --extcap-capture-filter=E<lt>capture filterE<gt>
The capture filter
=back
=head1 EXAMPLES
To see program arguments:
sshdump --help
To see program version:
sshdump --version
To see interfaces:
sshdump --extcap-interfaces
Only one interface (ssh) is supported.
Output:
interface {value=ssh}{display=SSH remote capture}
To see interface DLTs:
sshdump --extcap-interface=ssh --extcap-dlts
Output:
dlt {number=147}{name=ssh}{display=Remote capture dependent DLT}
To see interface configuration options:
sshdump --extcap-interface=ssh --extcap-config
Output:
arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
{tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
{default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535}
arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
{default=myusername}{tooltip=The remote SSH username. If not provided, the current user will be used}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
{tooltip=The path on the local filesystem of the private ssh key}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}
{type=string}{tooltip=Passphrase to unlock the SSH private key}
arg {number=6}{call=--remote-interface}{display=Remote interface}{type=string}{default=eth0}
{tooltip=The remote network interface used for capture}
arg {number=7}{call=--remote-capture-bin}{display=Remote capture binary}{type=string}
{default=dumpcap}{tooltip=The remote dumpcap binary used for capture.}
arg {number=8}{call=--remote-filter}{display=Remote capture filter}{type=string}
{default=not ((host myip) and port 22)}{tooltip=The remote capture filter}
arg {number=9}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}
{tooltip=The number of remote packets to capture. (Default: unlimited)}
To capture:
sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcapng --capture --remote-host 192.168.1.10
--remote-username user --remote-filter "not port 22"
NOTE: To stop capturing CTRL+C/kill/terminate application.
=head1 SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4)
=head1 NOTES
B<Sshdump> is part of the B<Wireshark> distribution. The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.
HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.
=head1 AUTHORS
Original Author
-------- ------
Dario Lombardo <lomato[AT]gmail.com>