wireshark/doc/sshdump.pod

=begin man

=encoding utf8

=end man

=head1 NAME

sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary.

=head1 SYNOPSIS

B<sshdump>
S<[ B<--help> ]>
S<[ B<--version> ]>
S<[ B<--extcap-interfaces> ]>
S<[ B<--extcap-dlts> ]>
S<[ B<--extcap-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--extcap-config> ]>
S<[ B<--extcap-capture-filter>=E<lt>capture filterE<gt> ]>
S<[ B<--capture> ]>
S<[ B<--fifo>=E<lt>path to file or pipeE<gt> ]>
S<[ B<--remote-host>=E<lt>IP addressE<gt> ]>
S<[ B<--remote-port>=E<lt>TCP portE<gt> ]>
S<[ B<--remote-username>=E<lt>usernameE<gt> ]>
S<[ B<--remote-password>=E<lt>passwordE<gt> ]>
S<[ B<--sshkey>=E<lt>public key path<gt> ]>
S<[ B<--remote-interface>=E<lt>interfaceE<gt> ]>
S<[ B<--remote-capture-command>=E<lt>capture commandE<gt> ]>
S<[ B<--remote-sudo> ]>

B<sshdump>
S<B<--extcap-interfaces>>

B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-dlts>>

B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--extcap-config>>

B<sshdump>
S<B<--extcap-interface>=E<lt>interfaceE<gt>>
S<B<--fifo>=E<lt>path to file or pipeE<gt>>
S<B<--capture>>
S<B<--remote-host=myremotehost>>
S<B<--remote-port=22>>
S<B<--remote-username=user>>
S<B<--remote-interface=eth2>>
S<B<--remote-capture-command='tcpdump -U -i eth0 -w-'>>

=head1 DESCRIPTION

B<Sshdump> is an extcap tool that allows one to run a remote capture
tool over a SSH connection. The requirement is that the capture
executable must have the capabilities to capture from the wanted
interface.

The feature is functionally equivalent to run commands like

$ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE &
$ wireshark FILE

$ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE &
$ wireshark FILE

$ ssh somehost dumpcap -P -w - -f udp | tshark -i -

Supported interfaces:

=over 4

=item 1. ssh

=back

=head1 OPTIONS

=over 4

=item --help

Print program arguments.

=item --version

Print program version.

=item --extcap-interfaces

List available interfaces.

=item --extcap-interface=E<lt>interfaceE<gt>

Use specified interfaces.

=item --extcap-dlts

List DLTs of specified interface.

=item --extcap-config

List configuration options of specified interface.

=item --capture

Start capturing from specified interface and write raw packet data to the location specified by --fifo.

=item --fifo=E<lt>path to file or pipeE<gt>

Save captured packet to file or send it through pipe.

=item --remote-host=E<lt>remote hostE<gt>

The address of the remote host for capture.

=item --remote-port=E<lt>remote portE<gt>

The SSH port of the remote host.

=item --remote-username=E<lt>usernameE<gt>

The username for ssh authentication.

=item --remote-password=E<lt>passwordE<gt>

The password to use (if not ssh-agent and pubkey are used). WARNING: the
passwords are stored in plaintext and visible to all users on this system. It is
recommended to use keyfiles with a SSH agent.

=item --sshkey=E<lt>SSH private key pathE<gt>

The path to a private key for authentication.

=item --remote-interface=E<lt>remote interfaceE<gt>

The remote network interface to capture from.

=item --remote-capture-command=E<lt>capture commandE<gt>

A custom remote capture command that produces the remote stream that is shown in Wireshark.
The command must be able to produce a PCAP stream written to STDOUT. See below for more
examples.

When specified, this command will be used as is, no interface, port or filter
options will be added.

=item --extcap-capture-filter=E<lt>capture filterE<gt>

The capture filter

=back

=head1 EXAMPLES

To see program arguments:

    sshdump --help

To see program version:

    sshdump --version

To see interfaces:

    sshdump --extcap-interfaces

Only one interface (sshdump) is supported.

  Output:
    interface {value=sshdump}{display=SSH remote capture}

To see interface DLTs:

    sshdump --extcap-interface=sshdump --extcap-dlts

  Output:
    dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT}

To see interface configuration options:

    sshdump --extcap-interface=sshdump --extcap-config

  Output:

    arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
        {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server}
    arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
        {tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server}
    arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
        {tooltip=The remote SSH username. If not provided, the current user will be used}{group=Authentication}
    arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
        {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
    arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
        {tooltip=The path on the local filesystem of the private ssh key}{group=Authentication}
    arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}
        {tooltip=Passphrase to unlock the SSH private key}{group=Authentication}
    arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string}
        {tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
    arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string}
        {tooltip=The remote network interface used for capture}{group=Capture}
    arg {number=8}{call=--remote-capture-command}{display=Remote capture command}{type=string}
        {tooltip=The remote command used to capture}{group=Capture}
    arg {number=9}{call=--remote-sudo}{display=Use sudo on the remote machine}{type=boolean}
        {tooltip=Prepend the capture command with sudo on the remote machine}{group=Capture}
    arg {number=10}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag}
        {tooltip=Don't use promiscuous mode on the remote machine}{group=Capture}
    arg {number=11}{call=--remote-filter}{display=Remote capture filter}{type=string}
        {tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture}
    arg {number=12}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}
        {tooltip=The number of remote packets to capture. (Default: inf)}{group=Capture}
    arg {number=13}{call=--debug}{display=Run in debug mode}{type=boolflag}{default=false}
        {tooltip=Print debug messages}{required=false}{group=Debug}
    arg {number=14}{call=--debug-file}{display=Use a file for debug}{type=string}
        {tooltip=Set a file where the debug messages are written}{required=false}{group=Debug}

To capture:

    sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
    --remote-username user --remote-filter "not port 22"

To use different capture binaries:

    sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
    --remote-capture-command='dumpcap -i eth0 -P -w -'

    sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
    --remote-capture-command='sudo tcpdump -i eth0 -U -w -'

NOTE: To stop capturing CTRL+C/kill/terminate application.

=head1 SEE ALSO

wireshark(1), tshark(1), dumpcap(1), extcap(4), tcpdump(1)

=head1 NOTES

B<Sshdump> is part of the B<Wireshark> distribution.  The latest version
of B<Wireshark> can be found at L<https://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
L<https://www.wireshark.org/docs/man-pages>.

=head1 AUTHORS

  Original Author
  -------- ------
  Dario Lombardo             <lomato[AT]gmail.com>