Diffstat (limited to 'doc/sshdump.adoc')
-rw-r--r--  doc/sshdump.adoc | 272 +
1 files changed, 272 insertions, 0 deletions
diff --git a/doc/sshdump.adoc b/doc/sshdump.adoc new file mode 100644 index 0000000000..4de0678336 --- /dev/null +++ b/doc/sshdump.adoc 
@@ -0,0 +1,272 @@ +=begin man + +=encoding utf8 + +=end man + +=head1 NAME + +sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary. + +=head1 SYNOPSIS + +B<sshdump> +S<[ B<--help> ]> +S<[ B<--version> ]> +S<[ B<--extcap-interfaces> ]> +S<[ B<--extcap-dlts> ]> +S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]> +S<[ B<--extcap-config> ]> +S<[ B<--extcap-capture-filter>=E<lt>capture filterE<gt> ]> +S<[ B<--capture> ]> +S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]> +S<[ B<--remote-host>=E<lt>IP addressE<gt> ]> +S<[ B<--remote-port>=E<lt>TCP portE<gt> ]> +S<[ B<--remote-username>=E<lt>usernameE<gt> ]> +S<[ B<--remote-password>=E<lt>passwordE<gt> ]> +S<[ B<--sshkey>=E<lt>public key pathE<gt> ]> +S<[ B<--remote-interface>=E<lt>interfaceE<gt> ]> +S<[ B<--remote-capture-command>=E<lt>capture commandE<gt> ]> +S<[ B<--remote-sudo> ]> + +B<sshdump> +S<B<--extcap-interfaces>> + +B<sshdump> +S<B<--extcap-interface>=E<lt>interfaceE<gt>> +S<B<--extcap-dlts>> + +B<sshdump> +S<B<--extcap-interface>=E<lt>interfaceE<gt>> +S<B<--extcap-config>> + +B<sshdump> +S<B<--extcap-interface>=E<lt>interfaceE<gt>> +S<B<--fifo>=E<lt>path to file or pipeE<gt>> +S<B<--capture>> +S<B<--remote-host=myremotehost>> +S<B<--remote-port=22>> +S<B<--remote-username=user>> +S<B<--remote-interface=eth2>> +S<B<--remote-capture-command='tcpdump -U -i eth0 -w-'>> + +=head1 DESCRIPTION + +B<Sshdump> is an extcap tool that allows one to run a remote capture +tool over a SSH connection. The requirement is that the capture +executable must have the capabilities to capture from the wanted +interface. + +The feature is functionally equivalent to run commands like + + $ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE & + $ wireshark FILE + + $ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE & + $ wireshark FILE + + $ ssh somehost dumpcap -P -w - -f udp | tshark -i - + +Typically sshdump is not invoked directly. 
Instead it can be configured through +the Wireshark graphical user interface or its command line. The following will +start Wireshark and start capturing from host B<remotehost>: + + $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' -i sshdump -k + +To explicitly control the remote capture command: + + $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' \ + '-oextcap.sshdump.remotecapturecommand:"tcpdump -i eth0 -Uw- not port 22"' \ + -i sshdump -k + +Supported interfaces: + +=over 4 + +=item 1. ssh + +=back + +=head1 OPTIONS + +=over 4 + +=item --help + +Print program arguments. + +=item --version + +Print program version. + +=item --extcap-interfaces + +List available interfaces. + +=item --extcap-interface=E<lt>interfaceE<gt> + +Use specified interfaces. + +=item --extcap-dlts + +List DLTs of specified interface. + +=item --extcap-config + +List configuration options of specified interface. + +=item --capture + +Start capturing from specified interface and write raw packet data to the location specified by --fifo. + +=item --fifo=E<lt>path to file or pipeE<gt> + +Save captured packet to file or send it through pipe. + +=item --remote-host=E<lt>remote hostE<gt> + +The address of the remote host for capture. + +=item --remote-port=E<lt>remote portE<gt> + +The SSH port of the remote host. + +=item --remote-username=E<lt>usernameE<gt> + +The username for ssh authentication. + +=item --remote-password=E<lt>passwordE<gt> + +The password to use (if not ssh-agent and pubkey are used). WARNING: the +passwords are stored in plaintext and visible to all users on this system. It is +recommended to use keyfiles with a SSH agent. + +=item --sshkey=E<lt>SSH private key pathE<gt> + +The path to a private key for authentication. + +=item --remote-interface=E<lt>remote interfaceE<gt> + +The remote network interface to capture from. 
+ +=item --remote-capture-command=E<lt>capture commandE<gt> + +A custom remote capture command that produces the remote stream that is shown in Wireshark. +The command must be able to produce a PCAP stream written to STDOUT. See below for more +examples. + +If using tcpdump, use the B<-w-> option to ensure that packets are written to +standard output (stdout). Include the B<-U> option to write packets as soon as +they are received. + +When specified, this command will be used as is, options such as the capture +filter (B<--extcap-capture-filter>) will not be appended. + +=item --extcap-capture-filter=E<lt>capture filterE<gt> + +The capture filter. It corresponds to the value provided via the B<tshark -f> +option, and the Capture Filter field next to the interfaces list in the +Wireshark interface. + +=back + +=head1 EXAMPLES + +To see program arguments: + + sshdump --help + +To see program version: + + sshdump --version + +To see interfaces: + + sshdump --extcap-interfaces + +Only one interface (sshdump) is supported. + + Output: + interface {value=sshdump}{display=SSH remote capture} + +To see interface DLTs: + + sshdump --extcap-interface=sshdump --extcap-dlts + + Output: + dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT} + +To see interface configuration options: + + sshdump --extcap-interface=sshdump --extcap-config + + Output: + + arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string} + {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server} + arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned} + {tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server} + arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string} + {tooltip=The remote SSH username. 
If not provided, the current user will be used}{group=Authentication} + arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password} + {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication} + arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect} + {tooltip=The path on the local filesystem of the private ssh key}{group=Authentication} + arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password} + {tooltip=Passphrase to unlock the SSH private key}{group=Authentication} + arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string} + {tooltip=The command to use as proxy for the SSH connection}{group=Authentication} + arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string} + {tooltip=The remote network interface used for capture}{group=Capture} + arg {number=8}{call=--remote-capture-command}{display=Remote capture command}{type=string} + {tooltip=The remote command used to capture}{group=Capture} + arg {number=9}{call=--remote-sudo}{display=Use sudo on the remote machine}{type=boolean} + {tooltip=Prepend the capture command with sudo on the remote machine}{group=Capture} + arg {number=10}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag} + {tooltip=Don't use promiscuous mode on the remote machine}{group=Capture} + arg {number=11}{call=--remote-filter}{display=Remote capture filter}{type=string} + {tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture} + arg {number=12}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0} + {tooltip=The number of remote packets to capture. 
(Default: inf)}{group=Capture} + arg {number=13}{call=--debug}{display=Run in debug mode}{type=boolflag}{default=false} + {tooltip=Print debug messages}{required=false}{group=Debug} + arg {number=14}{call=--debug-file}{display=Use a file for debug}{type=string} + {tooltip=Set a file where the debug messages are written}{required=false}{group=Debug} + +To capture: + + sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 + --remote-username user --remote-filter "not port 22" + +To use different capture binaries: + + sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 + --remote-capture-command='dumpcap -i eth0 -P -w -' + + sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 + --remote-capture-command='sudo tcpdump -i eth0 -U -w -' + +NOTE: To stop capturing CTRL+C/kill/terminate application. + +The sshdump binary can be renamed to support multiple instances. For instance if we want sshdump +to show up twice in wireshark (for instance to handle multiple profiles), we can copy sshdump to +sshdump-host1 and sshdump-host2. Each binary will show up an interface name same as the executable +name. Those executables not being "sshdump" will show up as "custom version" in the interface description. + +=head1 SEE ALSO + +wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1) + +=head1 NOTES + +B<Sshdump> is part of the B<Wireshark> distribution. The latest version +of B<Wireshark> can be found at L<https://www.wireshark.org>. + +HTML versions of the Wireshark project man pages are available at: +L<https://www.wireshark.org/docs/man-pages>. + +=head1 AUTHORS + + Original Author + -------- ------ + Dario Lombardo <lomato[AT]gmail.com> |
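Review bot: the SYNOPSIS documents the key option as `--sshkey=<public key path>`, while the OPTIONS entry and the `--extcap-config` output for the same flag describe it as the path to the SSH private key; change the SYNOPSIS to say private key so nobody points the option at a `.pub` file. The OPTIONS section is also incomplete relative to what the rest of the page advertises: `--remote-sudo` is in the SYNOPSIS, `--remote-filter` is used in the "To capture" example, and `--sshkey-passphrase`, `--proxycommand`, `--remote-noprom`, `--remote-count`, `--debug` and `--debug-file` all appear in the `--extcap-config` output, yet none of them has an `=item` entry; add one for each, and for `--remote-filter` say how it relates to `--extcap-capture-filter`, which the text states is not appended when `--remote-capture-command` is given. The "Supported interfaces" list names the interface `ssh`, but the `--extcap-interfaces` output and every example use `sshdump`; make the list match. The file is added as `doc/sshdump.adoc`, but its content is Pod (`=begin man`, `=head1`, `B<>`, `E<lt>`); either convert the markup to AsciiDoc or keep a `.pod` name, since an AsciiDoc processor will render these directives as literal text. Minor wording: "over a SSH connection" should be "over an SSH connection", "functionally equivalent to run commands like" should be "to running commands like", "Save captured packet to file" should be "packets", and "Each binary will show up an interface name same as the executable name" reads better as "Each binary shows up with an interface name matching the executable name".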