seguridad/2.- Ejercicios/reto_seguridad/capturas/WiresharkPortable64/App/Wireshark/sshdump.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.17">
<title>sshdump(1)</title>
<link rel="stylesheet" href="./ws.css">
</head>
<body class="manpage">
<div id="header">
<h1>sshdump(1) Manual Page</h1>
<h2 id="_name">NAME</h2>
<div class="sectionbody">
<p>sshdump - Provide interfaces to capture from a remote host through SSH using a remote capture binary.</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><span class="nowrap"><strong>sshdump</strong></span>
<span class="nowrap">[ <strong>--help</strong> ]</span>
<span class="nowrap">[ <strong>--version</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-interfaces</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-dlts</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-interface</strong>=&lt;interface&gt; ]</span>
<span class="nowrap">[ <strong>--extcap-config</strong> ]</span>
<span class="nowrap">[ <strong>--extcap-capture-filter</strong>=&lt;capture filter&gt; ]</span>
<span class="nowrap">[ <strong>--capture</strong> ]</span>
<span class="nowrap">[ <strong>--fifo</strong>=&lt;path to file or pipe&gt; ]</span>
<span class="nowrap">[ <strong>--remote-host</strong>=&lt;IP address&gt; ]</span>
<span class="nowrap">[ <strong>--remote-port</strong>=&lt;TCP port&gt; ]</span>
<span class="nowrap">[ <strong>--remote-username</strong>=&lt;username&gt; ]</span>
<span class="nowrap">[ <strong>--remote-password</strong>=&lt;password&gt; ]</span>
<span class="nowrap">[ <strong>--sshkey</strong>=&lt;public key path&gt; ]</span>
<span class="nowrap">[ <strong>--remote-interface</strong>=&lt;interface&gt; ]</span>
<span class="nowrap">[ <strong>--remote-capture-command-select</strong>=&lt;capture command selection&gt; ]</span>
<span class="nowrap">[ <strong>--remote-capture-command</strong>=&lt;capture command&gt; ]</span>
<span class="nowrap">[ <strong>--remote-sudo</strong> ]</span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>sshdump</strong></span>
<span class="nowrap"><strong>--extcap-interfaces</strong></span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>sshdump</strong></span>
<span class="nowrap"><strong>--extcap-interface</strong>=&lt;interface&gt;</span>
<span class="nowrap"><strong>--extcap-dlts</strong></span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>sshdump</strong></span>
<span class="nowrap"><strong>--extcap-interface</strong>=&lt;interface&gt;</span>
<span class="nowrap"><strong>--extcap-config</strong></span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>sshdump</strong></span>
<span class="nowrap"><strong>--extcap-interface</strong>=&lt;interface&gt;</span>
<span class="nowrap"><strong>--fifo</strong>=&lt;path to file or pipe&gt;</span>
<span class="nowrap"><strong>--capture</strong></span>
<span class="nowrap"><strong>--remote-host=myremotehost</strong></span>
<span class="nowrap"><strong>--remote-port=22</strong></span>
<span class="nowrap"><strong>--remote-username=user</strong></span>
<span class="nowrap"><strong>--remote-interface=eth2</strong></span>
<span class="nowrap"><strong>--remote-capture-command='tcpdump -U -i eth0 -w-'</strong></span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Sshdump</strong> is an extcap tool that allows one to run a remote capture
tool over a SSH connection. The requirement is that the capture
executable must have the capabilities to capture from the wanted
interface.</p>
</div>
<div class="paragraph">
<p>The feature is functionally equivalent to run commands like</p>
</div>
<div class="literalblock">
<div class="content">
<pre>$ ssh remoteuser@remotehost -p 22222 'tcpdump -U -i IFACE -w -' &gt; FILE &amp;
$ wireshark FILE</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>$ ssh remoteuser@remotehost '/sbin/dumpcap -i IFACE -P -w - -f "not port 22"' &gt; FILE &amp;
$ wireshark FILE</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>$ ssh somehost dumpcap -P -w - -f udp | tshark -i -</pre>
</div>
</div>
<div class="paragraph">
<p>Typically sshdump is not invoked directly. Instead it can be configured through
the Wireshark graphical user interface or its command line. The following will
start Wireshark and start capturing from host <strong>remotehost</strong>:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>$ wireshark '-oextcap.sshdump.remotehost:"remotehost"' -i sshdump -k</pre>
</div>
</div>
<div class="paragraph">
<p>To explicitly control the remote capture command:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>$ wireshark '-oextcap.sshdump.remotehost:"remotehost"' \
            '-oextcap.sshdump.remotecapturecommand:"tcpdump -i eth0 -Uw- not port 22"' \
            -i sshdump -k</pre>
</div>
</div>
<div class="paragraph">
<p>Supported interfaces:</p>
</div>
<div class="olist arabic">
<ol class="arabic">
<li>
<p>ssh</p>
</li>
</ol>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">--help</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print program arguments.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--version</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print program version.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-interfaces</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List available interfaces.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-interface=&lt;interface&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Use specified interfaces.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-dlts</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List DLTs of specified interface.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-config</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>List configuration options of specified interface.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--capture</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Start capturing from specified interface and write raw packet data to the location specified by --fifo.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--fifo=&lt;path to file or pipe&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Save captured packet to file or send it through pipe.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--remote-host=&lt;remote host&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The address of the remote host for capture.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--remote-port=&lt;remote port&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The SSH port of the remote host.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--remote-username=&lt;username&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The username for SSH authentication.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--remote-password=&lt;password&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The password to use (if not ssh-agent and pubkey are used). WARNING: the
passwords are stored in plaintext and visible to all users on this system. It is
recommended to use keyfiles with a SSH agent.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--sshkey=&lt;SSH private key path&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The path to a private key for authentication. NOTE: Only OPENSSH key/value pair format is supported.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--remote-interface=&lt;remote interface&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The remote network interface to capture from.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--remote-capture-command-select=&lt;capture command-selection&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The selection of the build-in support for remote capture commands. Either <strong>dumpcap</strong> for a remote
capture command using dumpcap, <strong>tcpdump</strong> for a remote capture command using tcpdump, or <strong>other</strong>,
where the remote capture command is to be given with the <strong>--remote-capture-command</strong> option.</p>
</div>
<div class="paragraph">
<p>Note that selecting dumpcap allows for specifying multiple capture interfaces as a whitespace
seperated list, while tcpdump does not.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--remote-capture-command=&lt;capture command&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>A custom remote capture command that produces the remote stream that is shown in Wireshark.
The command must be able to produce a PCAP stream written to STDOUT. See below for more
examples.</p>
</div>
<div class="paragraph">
<p>If using tcpdump, use the <strong>-w-</strong> option to ensure that packets are written to
standard output (stdout). Include the <strong>-U</strong> option to write packets as soon as
they are received.</p>
</div>
<div class="paragraph">
<p>When specified, this command will be used as is, options such as the capture
filter (<strong>--extcap-capture-filter</strong>) will not be appended.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--extcap-capture-filter=&lt;capture filter&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>The capture filter. It corresponds to the value provided via the <strong>tshark -f</strong>
option, and the Capture Filter field next to the interfaces list in the
Wireshark interface.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_examples">EXAMPLES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To see program arguments:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>sshdump --help</pre>
</div>
</div>
<div class="paragraph">
<p>To see program version:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>sshdump --version</pre>
</div>
</div>
<div class="paragraph">
<p>To see interfaces:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>sshdump --extcap-interfaces</pre>
</div>
</div>
<div class="paragraph">
<p>Only one interface (sshdump) is supported.</p>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>interface {value=sshdump}{display=SSH remote capture}</pre>
</div>
</div>
<div class="paragraph">
<p>To see interface DLTs:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>sshdump --extcap-interface=sshdump --extcap-dlts</pre>
</div>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT}</pre>
</div>
</div>
<div class="paragraph">
<p>To see interface configuration options:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>sshdump --extcap-interface=sshdump --extcap-config</pre>
</div>
</div>
<div class="literalblock">
<div class="title">Example output</div>
<div class="content">
<pre>arg {number=0}{call=--remote-host}{display=Remote SSH server address}{type=string}
    {tooltip=The remote SSH host. It can be both an IP address or a hostname}{required=true}{group=Server}
arg {number=1}{call=--remote-port}{display=Remote SSH server port}{type=unsigned}
    {tooltip=The remote SSH host port (1-65535)}{range=1,65535}{group=Server}
arg {number=2}{call=--remote-username}{display=Remote SSH server username}{type=string}
    {tooltip=The remote SSH username. If not provided, the current user will be used}{group=Authentication}
arg {number=3}{call=--remote-password}{display=Remote SSH server password}{type=password}
    {tooltip=The SSH password, used when other methods (SSH agent or key files) are unavailable.}{group=Authentication}
arg {number=4}{call=--sshkey}{display=Path to SSH private key}{type=fileselect}
    {tooltip=The path on the local filesystem of the private SSH key (OpenSSH format)}{mustexist=true}{group=Authentication}
arg {number=5}{call=--sshkey-passphrase}{display=SSH key passphrase}{type=password}
    {tooltip=Passphrase to unlock the SSH private key}{group=Authentication}
arg {number=6}{call=--proxycommand}{display=ProxyCommand}{type=string}
    {tooltip=The command to use as proxy for the SSH connection}{group=Authentication}
arg {number=7}{call=--remote-interface}{display=Remote interface}{type=string}
    {tooltip=The remote network interface used for capture}{group=Capture}
arg {number=8}{call=--remote-capture-command-select}{display=Remote capture command selection}{type=radio}
    {tooltip=The remote capture command to build a command line for}{group=Capture}
    value {arg=8}{value=dumpcap}{display=dumpcap}
    value {arg=8}{value=tcpdump}{display=tcpdump}{default=true}
    value {arg=8}{value=other}{display=Other:}
arg {number=9}{call=--remote-capture-command}{display=Remote capture command}{type=string}
    {tooltip=The remote command used to capture}{group=Capture}
arg {number=10}{call=--remote-sudo}{display=Use sudo on the remote machine}{type=boolflag}
    {tooltip=Prepend the capture command with sudo on the remote machine}{group=Capture}
arg {number=11}{call=--remote-noprom}{display=No promiscuous mode}{type=boolflag}
    {tooltip=Don't use promiscuous mode on the remote machine}{group=Capture}
arg {number=12}{call=--remote-filter}{display=Remote capture filter}{type=string}
    {tooltip=The remote capture filter}{default=not ((host myhost) and port 22)}{group=Capture}
arg {number=13}{call=--remote-count}{display=Packets to capture}{type=unsigned}{default=0}
    {tooltip=The number of remote packets to capture. (Default: inf)}{group=Capture}
arg {number=14}{call=--log-level}{display=Set the log level}{type=selector}
    {tooltip=Set the log level}{required=false}{group=Debug}
    value {arg=14}{value=message}{display=Message}{default=true}
    value {arg=14}{value=info}{display=Info}
    value {arg=14}{value=debug}{display=Debug}
    value {arg=14}{value=noisy}{display=Noisy}
arg {number=15}{call=--log-file}{display=Use a file for logging}{type=fileselect}
    {tooltip=Set a file where log messages are written}{required=false}{group=Debug}</pre>
</div>
</div>
<div class="paragraph">
<p>To capture:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-username user --remote-filter "not port 22"</pre>
</div>
</div>
<div class="paragraph">
<p>To use different capture binaries:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-capture-command='dumpcap -i eth0 -P -w -'</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>sshdump --extcap-interface=sshdump --fifo=/tmp/ssh.pcap --capture --remote-host 192.168.1.10
--remote-capture-command='sudo tcpdump -i eth0 -U -w -'</pre>
</div>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
To stop capturing CTRL+C/kill/terminate the application.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>The sshdump binary can be renamed to support multiple instances. For instance if we want sshdump
to show up twice in wireshark (for instance to handle multiple profiles), we can copy sshdump to
sshdump-host1 and sshdump-host2. Each binary will show up an interface name same as the executable
name. Those executables not being "sshdump" will show up as "custom version" in the interface description.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="wireshark.html">wireshark</a>(1), <a href="tshark.html">tshark</a>(1), <a href="dumpcap.html">dumpcap</a>(1), <a href="extcap.html">extcap</a>(4), <a href="https://www.tcpdump.org/manpages/tcpdump.1.html">tcpdump</a>(1)</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_notes">NOTES</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Sshdump</strong> is part of the <strong>Wireshark</strong> distribution.  The latest version
of <strong>Wireshark</strong> can be found at <a href="https://www.wireshark.org" class="bare">https://www.wireshark.org</a>.</p>
</div>
<div class="paragraph">
<p>HTML versions of the Wireshark project man pages are available at
<a href="https://www.wireshark.org/docs/man-pages" class="bare">https://www.wireshark.org/docs/man-pages</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_authors">AUTHORS</h2>
<div class="sectionbody">
<div class="paragraph">
<div class="title">Original Author</div>
<p>Dario Lombardo &lt;lomato[AT]gmail.com&gt;</p>
</div>
</div>
</div>
</div>
</body>
</html>