SSHDUMP(1) The Wireshark Network Analyzer SSHDUMP(1)

NAME
sshdump - Provide interfaces to capture from a remote host through SSH
using a remote capture binary.
SYNOPSIS
sshdump [ --help ] [ --version ] [ --extcap-interfaces ]
[ --extcap-dlts ] [ --extcap-interface=<interface> ]
[ --extcap-config ] [ --extcap-capture-filter=<capture filter> ]
[ --capture ] [ --fifo=<path to file or pipe> ]
[ --remote-host=<IP address> ] [ --remote-port=<TCP port> ]
[ --remote-username=<username> ] [ --remote-password=<password> ]
[ --sshkey=<public key path> ] [ --remote-interface=<interface> ]
[ --remote-capture-command=<capture command> ]
sshdump --extcap-interfaces
sshdump --extcap-interface=<interface> --extcap-dlts
sshdump --extcap-interface=<interface> --extcap-config
sshdump --extcap-interface=<interface> --fifo=<path to file or pipe>
--capture --remote-host=myremotehost --remote-port=22
--remote-username=user --remote-interface=eth2
--remote-capture-command='tcpdump -U -i eth0 -w-'
DESCRIPTION
Sshdump is an extcap tool that runs a remote capture tool over an SSH
connection. The only requirement is that the capture executable on the
remote host has the capabilities needed to capture from the wanted
interface.
The feature is functionally equivalent to running commands like
$ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
$ wireshark FILE
$ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE &
$ wireshark FILE
Supported interfaces:
1. ssh
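The pipeline described above, as an added Python example that is not part of sshdump or Wireshark: it builds the remote capture command and the local ssh argv that sshdump's capture is equivalent to, and shows why the remote interface name and capture filter must be shell-quoted before they are handed to the remote login shell. The function names, the BatchMode option and the sample values are this example's own assumptions.

```python
"""Added example (not sshdump's own code): construct the ssh command line that
a remote capture is equivalent to, with every user-supplied value quoted."""
import shlex
import subprocess
from typing import List, Optional


def default_remote_filter(local_ip: str) -> str:
    """Mirror the default remote filter shown in --extcap-config: exclude the
    SSH session that carries the capture itself, otherwise every captured
    packet generates more SSH traffic that is captured in turn."""
    return f"not ((host {local_ip}) and port 22)"


def build_remote_capture_command(remote_interface: str,
                                 capture_filter: Optional[str],
                                 tool: str = "tcpdump") -> str:
    """Return the remote command that writes a PCAP stream to STDOUT.

    sshd passes this string to the remote user's login shell, so the
    interface name and filter are shell-quoted here; otherwise shell
    metacharacters such as ';' inside them would be interpreted as
    additional commands on the remote host."""
    if tool == "tcpdump":
        argv = ["tcpdump", "-U", "-i", remote_interface, "-w", "-"]
        if capture_filter:
            argv.append(capture_filter)          # tcpdump takes the filter positionally
    elif tool == "dumpcap":
        argv = ["/sbin/dumpcap", "-i", remote_interface, "-P", "-w", "-"]
        if capture_filter:
            argv += ["-f", capture_filter]       # dumpcap takes it via -f
    else:
        raise ValueError("unsupported capture tool: " + tool)
    return " ".join(shlex.quote(a) for a in argv)


def build_ssh_argv(remote_host: str, remote_username: str,
                   remote_port: int, remote_command: str) -> List[str]:
    """argv for the local ssh client. BatchMode=yes (an assumption of this
    example) refuses interactive password prompts, so a capture that lacks
    agent or key authentication fails fast instead of hanging."""
    return ["ssh", "-o", "BatchMode=yes", "-p", str(remote_port),
            f"{remote_username}@{remote_host}", remote_command]


def run_remote_capture(argv: List[str], fifo_path: str) -> int:
    """Stream the remote PCAP into a file or named pipe (the --fifo role);
    Wireshark reads the other end. Returns the ssh client's exit status."""
    with open(fifo_path, "wb") as out:
        return subprocess.call(argv, stdout=out)


if __name__ == "__main__":
    # Constructed values; nothing here is a real host.
    remote = build_remote_capture_command("eth2", default_remote_filter("192.168.1.5"))
    print(" ".join(shlex.quote(a) for a in build_ssh_argv("myremotehost", "user", 22, remote)))
```

Run with a real host and an SSH agent loaded to stream into a FIFO that Wireshark reads with `wireshark -k -i /path/to/fifo`; the printed command line is the one sshdump would otherwise run for you.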
OPTIONS
--help
Print program arguments.
--version
Print program version.
--extcap-interfaces
List available interfaces.
--extcap-interface=<interface>
Use the specified interface.
--extcap-dlts
List DLTs of specified interface.
--extcap-config
List configuration options of specified interface.
--capture
Start capturing from specified interface and write raw packet data
to the location specified by --fifo.
--fifo=<path to file or pipe>
Save captured packets to a file or send them through a pipe.
--remote-host=<remote host>
The address of the remote host for capture.
--remote-port=<remote port>
The SSH port of the remote host.
--remote-username=<username>
The username for ssh authentication.
--remote-password=<password>
The password to use (if neither ssh-agent nor a public key is used).
WARNING: the passwords are stored in plaintext and visible to all
users on this system. It is recommended to use key files with an SSH
agent.
--sshkey=<SSH private key path>
The path to a private key for authentication.
--remote-interface=<remote interface>
The remote network interface to capture from.
--remote-capture-command=<capture command>
A custom remote capture command that produces the remote stream
that is shown in Wireshark. The command must be able to produce a
PCAP stream written to STDOUT. See below for more examples.
--extcap-capture-filter=<capture filter>
The capture filter.
EXAMPLES
To see program arguments:
sshdump --help
To see program version:
sshdump --version
To see interfaces:
sshdump --extcap-interfaces
Only one interface (ssh) is supported.
Output:
interface {value=ssh}{display=SSH remote capture}
To see interface DLTs:
sshdump --extcap-interface=ssh --extcap-dlts
Output:
dlt {number=147}{name=ssh}{display=Remote capture dependent DLT}
To see interface configuration options:
sshdump --extcap-interface=ssh --extcap-config
Output:
arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
{tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
{default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535}
arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
{default=myusername}{tooltip=The remote SSH username. If not provided, the current user will be used}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
{tooltip=The path on the local filesystem of the private ssh key}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}
{type=string}{tooltip=Passphrase to unlock the SSH private key}
arg {number=6}{call=--remote-interface}{display=Remote interface}{type=string}{default=eth0}
{tooltip=The remote network interface used for capture}
arg {number=7}{call=--remote-capture-command}{display=Remote capture command}{type=string}
{tooltip=The remote command used to capture.}
arg {number=8}{call=--remote-filter}{display=Remote capture filter}{type=string}
{default=not ((host myip) and port 22)}{tooltip=The remote capture filter}
arg {number=9}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}
{tooltip=The number of remote packets to capture. (Default: unlimited)}
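The option listing above is the extcap configuration format that Wireshark parses to build the capture dialog. The following is an added Python example, not code from Wireshark or sshdump, that parses that listing (including records wrapped across lines as the man page prints them), flags which options carry secrets, and checks an unsigned value against the advertised `range`. The sample text is a constructed subset of the output shown above; function names are this example's own.

```python
"""Added example (not Wireshark's parser): read extcap 'arg {...}' records."""
import re
from typing import Dict, List

# Constructed sample: four records copied from the --extcap-config output
# above, wrapped across lines exactly as the man page shows them.
SAMPLE_CONFIG = """\
arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
{tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
{default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
{tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}
{type=string}{tooltip=Passphrase to unlock the SSH private key}
"""

# One {key=value} field; values in this format never contain '}'.
FIELD_RE = re.compile(r"\{([a-z]+)=([^}]*)\}")


def join_wrapped_lines(text: str) -> List[str]:
    """Re-join records the man page wrapped: a line starting with '{' is the
    continuation of the previous record, not a new one."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("{") and records:
            records[-1] += line
        else:
            records.append(line)
    return records


def parse_extcap_config(text: str) -> List[Dict[str, str]]:
    """Return one dict of fields per 'arg' record, in listing order."""
    args = []
    for record in join_wrapped_lines(text):
        kind, _, body = record.partition(" ")
        if kind != "arg":
            continue  # 'value' records for selector options are not handled here
        args.append(dict(FIELD_RE.findall(body)))
    return args


def secret_args(args: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Options whose values must not be logged or persisted in plaintext.
    type=password catches --remote-password, but the key passphrase is
    declared as type=string, so the option name is checked as well."""
    return [a for a in args
            if a.get("type") == "password"
            or "password" in a.get("call", "")
            or "passphrase" in a.get("call", "")]


def in_declared_range(arg: Dict[str, str], value: int) -> bool:
    """Validate an unsigned option against its 'range=lo,hi' field."""
    if arg.get("type") != "unsigned":
        raise ValueError("range check applies to unsigned options only")
    lo, hi = (int(x) for x in arg["range"].split(","))
    return lo <= value <= hi


if __name__ == "__main__":
    parsed = parse_extcap_config(SAMPLE_CONFIG)
    for a in parsed:
        print(a["number"], a["call"], a.get("type"), a.get("default", ""))
    print("secret options:", [a["call"] for a in secret_args(parsed)])
```

Feeding the real listing (`sshdump --extcap-interface=ssh --extcap-config`) to `parse_extcap_config` works the same way, since the wrapping only occurs in the rendered man page.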
To capture:
sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 \
--remote-username user --remote-filter "not port 22"
To use different capture binaries:
sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 \
--remote-capture-command='dumpcap -i eth0 -P -w -'
sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 \
--remote-capture-command='sudo tcpdump -i eth0 -U -w -'
NOTE: To stop capturing, press CTRL+C or kill/terminate the application.
SEE ALSO
wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)
NOTES
Sshdump is part of the Wireshark distribution. The latest version of
Wireshark can be found at <https://www.wireshark.org>.
HTML versions of the Wireshark project man pages are available at:
<https://www.wireshark.org/docs/man-pages>.
AUTHORS
Original Author
-------- ------
Dario Lombardo <lomato[AT]gmail.com>
2.4.3 2017-12-03 SSHDUMP(1)