=head1 NAME sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary. =head1 SYNOPSIS B S<[ B<--help> ]> S<[ B<--version> ]> S<[ B<--extcap-interfaces> ]> S<[ B<--extcap-dlts> ]> S<[ B<--extcap-interface>=EinterfaceE ]> S<[ B<--extcap-config> ]> S<[ B<--extcap-capture-filter>=Ecapture filterE ]> S<[ B<--capture> ]> S<[ B<--fifo>=Epath to file or pipeE ]> S<[ B<--remote-host>=EIP addressE ]> S<[ B<--remote-port>=ETCP portE ]> S<[ B<--remote-username>=EusernameE ]> S<[ B<--remote-password>=EpasswordE ]> S<[ B<--sshkey>=Epublic key path ]> S<[ B<--remote-interface>=EinterfaceE ]> S<[ B<--remote-capture-command>=Ecapture commandE ]> B S> B S=EinterfaceE> S> B S=EinterfaceE> S> B S=EinterfaceE> S=Epath to file or pipeE> S> S> S> S> S> S> =head1 DESCRIPTION B is a extcap tool that allows one to run a remote capture tool in a SSH connection. The requirement is that the capture executable must have the capabilities to capture from the wanted interface. The feature is functionally equivalent to run commands like $ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE & $ wireshark FILE $ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE & $ wireshark FILE Supported interfaces: =over 4 =item 1. ssh =back =head1 OPTIONS =over 4 =item --help Print program arguments. =item --version Print program version. =item --extcap-interfaces List available interfaces. =item --extcap-interface=EinterfaceE Use specified interfaces. =item --extcap-dlts List DLTs of specified interface. =item --extcap-config List configuration options of specified interface. =item --capture Start capturing from specified interface and write raw packet data to the location specified by --fifo. =item --fifo=Epath to file or pipeE Save captured packet to file or send it through pipe. =item --remote-host=Eremote hostE The address of the remote host for capture. =item --remote-port=Eremote portE The SSH port of the remote host. =item --remote-username=EusernameE The username for ssh authentication. =item --remote-password=EpasswordE The password to use (if not ssh-agent and pubkey are used). WARNING: the passwords are stored in plaintext and visible to all users on this system. It is recommended to use keyfiles with a SSH agent. =item --sshkey=ESSH private key pathE The path to a private key for authentication. =item --remote-interface=Eremote interfaceE The remote network interface to capture from. =item --remote-capture-command=Ecapture commandE A custom remote capture command that produces the remote stream that is shown in Wireshark. The command must be able to produce a PCAP stream written to STDOUT. See below for more examples. =item --extcap-capture-filter=Ecapture filterE The capture filter =back =head1 EXAMPLES To see program arguments: sshdump --help To see program version: sshdump --version To see interfaces: sshdump --extcap-interfaces Only one interface (ssh) is supported. Output: interface {value=ssh}{display=SSH remote capture} To see interface DLTs: sshdump --extcap-interface=ssh --extcap-dlts Output: dlt {number=147}{name=ssh}{display=Remote capture dependent DLT} To see interface configuration options: sshdump --extcap-interface=ssh --extcap-config Output: arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string} {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true} arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned} {default=22}{tooltip=The remote SSH host port (1-65535)}{range=1,65535} arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string} {default=myusername}{tooltip=The remote SSH username. If not provided, the current user will be used} arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password} {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.} arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect} {tooltip=The path on the local filesystem of the private ssh key} arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase} {type=string}{tooltip=Passphrase to unlock the SSH private key} arg {number=6}{call=--remote-interface}{display=Remote interface}{type=string}{default=eth0} {tooltip=The remote network interface used for capture} arg {number=7}{call=--remote-capture-command}{display=Remote capture command}{type=string} {tooltip=The remote command used to capture.} arg {number=8}{call=--remote-filter}{display=Remote capture filter}{type=string} {default=not ((host myip) and port 22)}{tooltip=The remote capture filter} arg {number=9}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0} {tooltip=The number of remote packets to capture. (Default: unlimited)} To capture: sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 --remote-username user --remote-filter "not port 22" To use different capture binaries: sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 --remote-capture-command='dumpcap -i eth0 -P -w -' sshdump --extcap-interface=ssh --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 --remote-capture-command='sudo tcpdump -i eth0 -U -w -' NOTE: To stop capturing CTRL+C/kill/terminate application. =head1 SEE ALSO wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1) =head1 NOTES B is part of the B distribution. The latest version of B can be found at L. HTML versions of the Wireshark project man pages are available at: L. =head1 AUTHORS Original Author -------- ------ Dario Lombardo