diff options
Diffstat (limited to 'doc/man_pages/sshdump.adoc')
-rw-r--r-- | doc/man_pages/sshdump.adoc | 313 |
1 files changed, 313 insertions, 0 deletions
diff --git a/doc/man_pages/sshdump.adoc b/doc/man_pages/sshdump.adoc new file mode 100644 index 00000000..562336c4 --- /dev/null +++ b/doc/man_pages/sshdump.adoc @@ -0,0 +1,313 @@ +include::../attributes.adoc[] += sshdump(1) +:doctype: manpage +:stylesheet: ws.css +:linkcss: +:copycss: {css_dir}/{stylesheet} + +== NAME + +sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary. + +== SYNOPSIS + +[manarg] +*sshdump* +[ *--help* ] +[ *--version* ] +[ *--extcap-interfaces* ] +[ *--extcap-dlts* ] +[ *--extcap-interface*=<interface> ] +[ *--extcap-config* ] +[ *--extcap-capture-filter*=<capture filter> ] +[ *--capture* ] +[ *--fifo*=<path to file or pipe> ] +[ *--remote-host*=<IP address> ] +[ *--remote-port*=<TCP port> ] +[ *--remote-username*=<username> ] +[ *--remote-password*=<password> ] +[ *--sshkey*=<private key path> ] +[ *--sshkey-passphrase*=<private key passphrase> ] +[ *--proxycommand*=<SSH proxy command> ] +[ *--remote-interface*=<interface> ] +[ *--remote-capture-command-select*=<capture command selection> ] +[ *--remote-capture-command*=<capture command> ] +[ *--remote-priv*=<privilege elevation command selection> ] +[ *--remote-priv-user*=<privileged user name> ] +[ *--remote-noprom* ] +[ *--remote-filter*=<remote capture filter> ] +[ *--remote-count*=<number> ] + +[manarg] +*sshdump* +*--extcap-interfaces* + +[manarg] +*sshdump* +*--extcap-interface*=<interface> +*--extcap-dlts* + +[manarg] +*sshdump* +*--extcap-interface*=<interface> +*--extcap-config* + +[manarg] +*sshdump* +*--extcap-interface*=<interface> +*--fifo*=<path to file or pipe> +*--capture* +*--remote-host=myremotehost* +*--remote-port=22* +*--remote-username=user* +*--remote-interface=eth2* +*--remote-capture-command='tcpdump -U -i eth0 -w-'* + +== DESCRIPTION + +*Sshdump* is an extcap tool that allows one to run a remote capture +tool over a SSH connection. The requirement is that the capture +executable must have the capabilities to capture from the wanted +interface. + +The feature is functionally equivalent to run commands like + + $ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' > FILE & + $ wireshark FILE + + $ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' > FILE & + $ wireshark FILE + + $ ssh somehost dumpcap -P -w - -f udp | tshark -i - + +Typically sshdump is not invoked directly. Instead it can be configured through +the Wireshark graphical user interface or its command line. The following will +start Wireshark and start capturing from host *remotehost*: + + $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' -i sshdump -k + +To explicitly control the remote capture command: + + $ wireshark '-oextcap.sshdump.remotehost:"remotehost"' \ + '-oextcap.sshdump.remotecapturecommand:"tcpdump -i eth0 -Uw- not port 22"' \ + -i sshdump -k + +Supported interfaces: + +1. ssh + +== OPTIONS + +--help:: +Print program arguments. + +--version:: +Print program version. + +--extcap-interfaces:: +List available interfaces. + +--extcap-interface=<interface>:: +Use specified interfaces. + +--extcap-dlts:: +List DLTs of specified interface. + +--extcap-config:: +List configuration options of specified interface. + +--extcap-capture-filter=<capture filter>:: +The capture filter. It corresponds to the value provided via the *tshark -f* +option, and the Capture Filter field next to the interfaces list in the +Wireshark interface. + +--capture:: +Start capturing from specified interface and write raw packet data to the location specified by --fifo. + +--fifo=<path to file or pipe>:: +Save captured packet to file or send it through pipe. + +--remote-host=<remote host>:: +The address of the remote host for capture. + +--remote-port=<remote port>:: +The SSH port of the remote host. + +--remote-username=<username>:: +The username for SSH authentication. + +--remote-password=<password>:: +The password to use (if not ssh-agent and pubkey are used). WARNING: the +passwords are stored in plaintext and visible to all users on this system. It is +recommended to use keyfiles with a SSH agent. + +--sshkey=<SSH private key path>:: +The path to a private key for authentication. NOTE: Only OPENSSH key/value pair format is supported. + +--sshkey-passphrase=<SSH private key passphrase>:: +The passphrase for the private key for authentication. + +--proxycommand=<proxy command>:: +The command to use as proxy for the SSH connection. +--remote-interface=<remote interface>:: +The remote network interface to capture from. + +--remote-capture-command-select=<capture command-selection>:: ++ +-- +The selection of the build-in support for remote capture commands. Either *dumpcap* for a remote +capture command using dumpcap, *tcpdump* for a remote capture command using tcpdump, or *other*, +where the remote capture command is to be given with the *--remote-capture-command* option. + +Note that selecting dumpcap allows for specifying multiple capture interfaces as a whitespace +separated list, while tcpdump does not. +-- + +--remote-capture-command=<capture command>:: ++ +-- +A custom remote capture command that produces the remote stream that is shown in Wireshark. +The command must be able to produce a PCAP stream written to STDOUT. See below for more +examples. + +If using tcpdump, use the *-w-* option to ensure that packets are written to +standard output (stdout). Include the *-U* option to write packets as soon as +they are received. + +When specified, this command will be used as is, options such as the capture +filter (*--extcap-capture-filter*) will not be appended. +-- + +--remote-priv=<privilege elevation command selection>:: +The command to use to achieve privilege elevation to capture on the remote host. Either none, sudo or doas. + +--remote-priv-user=<privileged user name>:: +If a command is used to achieve privilege elevation to capture on the remote host this may require a user name. +If needed use this option to give that user name. + +--remote-filter=<capture filter>:: +The remote capture filter. It corresponds to the value provided via the *tshark -f* +option, and the Capture Filter field next to the interfaces list in the +Wireshark interface. + +--remote-count=<number>:: +The number of packets to capture. + +== EXAMPLES + +To see program arguments: + + sshdump --help + +To see program version: + + sshdump --version + +To see interfaces: + + sshdump --extcap-interfaces + +Only one interface (sshdump) is supported. + +.Example output + interface {value=sshdump}{display=SSH remote capture} + +To see interface DLTs: + + sshdump --extcap-interface=sshdump --extcap-dlts + +.Example output + dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT} + +To see interface configuration options: + + sshdump --extcap-interface=sshdump --extcap-config + +.Example output + arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string} + {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server} + arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}{default=22} + {tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server} + arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string} + {tooltip=The remote SSH username. If not provided, the current user will be used}{group=Authentication} + arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password} + {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication} + arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect} + {tooltip=The path on the local filesystem of the private SSH key (OpenSSH format)}{mustexist=true}{group=Authentication} + arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password} + {tooltip=Passphrase to unlock the SSH private key}{group=Authentication} + arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string} + {tooltip=The command to use as proxy for the SSH connection}{group=Authentication} + arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string} + {tooltip=The remote network interface used for capture}{group=Capture} + arg {number=8}{call=--remote-capture-command-select}{display=Remote capture command selection}{type=radio} + {tooltip=The remote capture command to build a command line for}{group=Capture} + value {arg=8}{value=dumpcap}{display=dumpcap} + value {arg=8}{value=tcpdump}{display=tcpdump}{default=true} + value {arg=8}{value=other}{display=Other:} + arg {number=9}{call=--remote-capture-command}{display=Remote capture command}{type=string} + {tooltip=The remote command used to capture}{group=Capture} + arg {number=10}{call=--remote-priv}{display=Gain capture privilege on the remote machine}{type=radio} + {tooltip=Optionally prepend the capture command with sudo or doas on the remote machine}{group=Capture} + value {arg=10}{value=none}{display=none}{default=true} + value {arg=10}{value=sudo}{display=sudo} + value {arg=10}{value=doas -n}{display=doas} + arg {number=11}{call=--remote-priv-user}{display=Privileged user name for sudo or doas}{type=string} + {tooltip=User name of privileged user to execute the capture command on the remote machine}{group=Capture} + arg {number=12}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag} + {tooltip=Don't use promiscuous mode on the remote machine}{group=Capture} + arg {number=13}{call=--remote-filter}{display=Remote capture filter}{type=string} + {tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture} + arg {number=14}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0} + {tooltip=The number of remote packets to capture. (Default: inf)}{group=Capture} + arg {number=15}{call=--log-level}{display=Set the log level}{type=selector} + {tooltip=Set the log level}{required=false}{group=Debug} + value {arg=14}{value=message}{display=Message}{default=true} + value {arg=14}{value=info}{display=Info} + value {arg=14}{value=debug}{display=Debug} + value {arg=14}{value=noisy}{display=Noisy} + arg {number=16}{call=--log-file}{display=Use a file for logging}{type=fileselect} + {tooltip=Set a file where log messages are written}{required=false}{group=Debug} + + +To capture: + + sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 + --remote-username user --remote-filter "not port 22" + +To use different capture binaries: + + sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 + --remote-username user --remote-priv sudo --remote-capture-command-select tcpdump + --remote-interface eth0 --remote-noprom + + sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 + --remote-capture-command='dumpcap -i eth0 -P -w -' + + sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10 + --remote-capture-command='sudo tcpdump -i eth0 -U -w -' + +NOTE: To stop capturing CTRL+C/kill/terminate the application. + +The sshdump binary can be renamed to support multiple instances. For instance if we want sshdump +to show up twice in wireshark (for instance to handle multiple profiles), we can copy sshdump to +sshdump-host1 and sshdump-host2. Each binary will show up an interface name same as the executable +name. Those executables not being "sshdump" will show up as "custom version" in the interface description. + +== SEE ALSO + +xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:extcap.html[extcap](4), xref:https://www.tcpdump.org/manpages/tcpdump.1.html[tcpdump](1) + +== NOTES + +*Sshdump* is part of the *Wireshark* distribution. The latest version +of *Wireshark* can be found at https://www.wireshark.org. + +HTML versions of the Wireshark project man pages are available at +https://www.wireshark.org/docs/man-pages. + +== AUTHORS + +.Original Author +[%hardbreaks] +Dario Lombardo <lomato[AT]gmail.com> |