BashScripts.org
http://bashscripts.org/forum/

Remote tcpdump into local wireshark
http://bashscripts.org/forum/viewtopic.php?f=7&t=722

Author:  tripkipke [ Tue Mar 31, 2009 3:35 pm ]
Post subject:  Remote tcpdump into local wireshark

Something I wrote at work to quickly start multiple tcpdump sessions on remote hosts and dump the output to Wireshark sessions on my desktop.
It's badly commented, needs to be cleaned up and improved.
Depending on the speed of your PC and internet connection you may have to play a bit with the sleep value in the startsession function to prevent the script from detecting the wrong PIDs of the ssh and Wireshark sessions. These work for me on both my home and work PC. YMMV.
Obviously I use this in combination with ssh keys to prevent having to type passwords.
Filters given after the -f flag are tcpdump filters (host 192.168.24.1 and proto ICMP, etc.) and are valid for all hosts and interfaces provided.
The filters must be placed between quotes " ".
If there is enough bandwidth I prefer not to use tcpdump filters and filter in Wireshark, as you can place filters on each host and its interfaces.

Feel free to improve :)

Author:  tripkipke [ Wed Jan 12, 2011 3:30 pm ]
Post subject:  Re: Remote tcpdump into local wireshark

Cleaned it up...

Code:
#!/bin/bash
## wiredump: run tcpdump on a remote host over ssh and feed the capture into a
## local Wireshark through a named pipe.

## Default settings
# ssh protocol version (protocol 1 is obsolete; OpenSSH 7.6 and later reject -1)
SSHV="-2"
# ssh port; it is also excluded from the capture so we do not record our own session
PORT="22"
# be verbose?
VERBOSE=false

# Set known hosts to /dev/null and no strict hostkey checking.
# NOTE: this turns off host key verification, so anyone who can redirect the
# connection can impersonate the remote host and read or alter the capture.
# Remove these options for hosts whose keys are in your known_hosts file.
HOSTCHECK=(-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no)

## Usage ...
Usage() {
    cat << USAGE
usage: $(basename "$0") [-v] [-p port] [-f 'tcpdump filter'] [-1|-2] <ip> <interface>
For details look at the script: less "$0"
USAGE
    exit 1
}

## If no arguments are given show Usage
[ "$#" = "0" ] && Usage

## if the verbose flag is set, echo date and string (%b expands \n in the string)
Verbose() {
    ${VERBOSE} || return 0
    printf '[%s]: %b\n' "$(date +"%D %H:%M:%S")" "$*"
}

while getopts ":vp:f:12" options
do
    case ${options} in
        v) VERBOSE=true ;;
        p) PORT=${OPTARG} ;;
        f) FIL=${OPTARG} ;;
        1) SSHV="-1" ;;
        2) SSHV="-2" ;;
        *) Usage ;;
    esac
done

## The port must be numeric: it ends up in both the ssh command and the filter
case ${PORT} in
    ''|*[!0-9]*) echo "Invalid port: ${PORT}" >&2; Usage ;;
esac

## Exclude the port we are connecting to, so the capture does not contain the
## ssh session that carries it back to us
FILTER="not port ${PORT}"

## Add optional filters. They are parenthesised so that an "or" in the user
## filter cannot override the port exclusion ("and" binds tighter than "or"),
## and single quotes are refused because the filter is single-quoted for the
## remote shell below.
case ${FIL} in
    *\'*) echo "The filter may not contain single quotes" >&2; Usage ;;
esac
[ -n "${FIL}" ] && FILTER="${FILTER} and (${FIL})"
Verbose "The current tcpdump filter is: ${FILTER}"

## remove any arguments found so far
shift $((OPTIND - 1))

## Check for ip and interface and set the variables
[ -n "$1" ] || { echo "No IP address" >&2; Usage; }
IP=$1
[ -n "$2" ] || { echo "No interface" >&2; Usage; }
IFACE=$2
## The interface name is spliced into a command line that a root shell on the
## remote host will parse, so only allow harmless characters
case ${IFACE} in
    *[!A-Za-z0-9._:-]*) echo "Invalid interface name: ${IFACE}" >&2; Usage ;;
esac
Verbose "Remote host: ${IP}\nRemote interface: ${IFACE}"

Exit() {
    clear
    exit
}

Cleanup() {
    ## kill the ssh session if it is still running
    if [ -n "${SSHPID}" ] && kill -0 "${SSHPID}" 2>/dev/null; then
        kill "${SSHPID}"
    fi

    ## Kill wireshark if it is still running
    if [ -n "${WSPID}" ] && kill -0 "${WSPID}" 2>/dev/null; then
        kill "${WSPID}"
    fi

    ## Remove our pipe and its directory
    if [ -n "${PIPEDIR}" ] && [ -d "${PIPEDIR}" ]; then
        rm -rf "${PIPEDIR}"
        Verbose "Pipe removed"
    fi
    Exit
}

## our trap: clean up both processes and the pipe on Ctrl-C or termination
trap Cleanup INT TERM

## Set up the named pipe in a private temporary directory; mkfifo fails
## instead of reusing a planted file if the path already exists
PIPEDIR=$(mktemp -d "${TMPDIR:-/tmp}/wiredump.XXXXXX") || exit 1
PIPE="${PIPEDIR}/${IP}_${IFACE}"
## Creating the named pipe
Verbose "Creating the named pipe"
mkfifo -m 600 "${PIPE}" || Cleanup
Verbose "Created pipe: ${PIPE}"

## The ssh command. -n takes stdin from /dev/null so the backgrounded ssh does
## not compete with us for the terminal; -C compresses the capture stream.
## Without -f, $! below is the PID of ssh itself, so it no longer has to be
## guessed with pgrep after a sleep.
SSHCMD=(ssh "${SSHV}" -p "${PORT}" "${HOSTCHECK[@]}" -C -n -l root "${IP}")

## The tcpdump command, as one string for the remote shell. -U writes every
## packet to the pipe at once so Wireshark shows it live; the filter is
## single-quoted so the remote shell passes it to tcpdump as one argument.
TCPDCMD="tcpdump -w - -s0 -U -nli ${IFACE} '${FILTER}'"

## Starting ssh session with remote tcpdump; its output goes into the pipe
Verbose "Starting the ssh session"
"${SSHCMD[@]}" "${TCPDCMD}" > "${PIPE}" &
SSHPID=$!
Verbose "Ssh PID: ${SSHPID}"

## Starting wireshark, reading from the pipe
wireshark -k -i "${PIPE}" &
WSPID=$!
Verbose "Wireshark PID: ${WSPID}"

## Wait for wireshark (and ssh) to finish, then clean up whatever is left
wait
Cleanup
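A worked example added by the editor, not part of tripkipke's script: the two things that go wrong most easily with this approach are the capture filter and the quoting. The user's -f filter must be parenthesised before it is combined with the port exclusion, because tcpdump binds "and" tighter than "or", so "! port 22 and host A or host B" still captures host B's port-22 traffic, including the ssh stream that carries the capture, which then feeds back into itself. And since ssh hands the command to a remote shell for re-parsing, the interface name and the filter should be checked or quoted before they reach a root shell. The functions below build the remote command line with both issues handled; the addresses and the "capture" account in the usage comment are made up for illustration, and tcpdump's -U (flush each packet) is assumed to be available on the remote host.

```bash
#!/bin/bash
# Added example, not part of the original script: build the remote tcpdump
# command line so that (a) the capture never records its own ssh transport,
# whatever "or" terms the user puts in the -f filter, and (b) the filter and
# interface reach the remote tcpdump as single, properly quoted arguments.
# Host addresses below are constructed for illustration.

# Quote a string for the remote POSIX shell: wrap it in single quotes and turn
# every embedded single quote into the sequence '\'' (close, escaped quote, reopen).
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Only allow interface names made of characters that cannot be shell syntax;
# the name is spliced into a command that a root shell on the remote host parses.
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Capture filter: "not port <sshport>" keeps our own ssh session out of the
# capture. The user filter is parenthesised because tcpdump binds "and"
# tighter than "or": "not port 22 and host A or host B" means
# "(not port 22 and host A) or host B", so host B's ssh traffic, including the
# capture stream itself, would be captured in a feedback loop.
build_filter() {
    sshport=$1
    user=$2
    filter="not port ${sshport}"
    if [ -n "$user" ]; then
        filter="${filter} and (${user})"
    fi
    printf '%s' "$filter"
}

# The complete command for the remote side. -U flushes every packet to the
# pipe so Wireshark updates live instead of in buffered bursts; -s0 captures
# whole packets; -n skips reverse DNS on the remote host.
build_remote_cmd() {
    iface=$1
    sshport=$2
    user=$3
    valid_iface "$iface" || { echo "bad interface name: $iface" >&2; return 1; }
    printf 'tcpdump -U -s0 -n -w - -i %s %s' \
        "$(shquote "$iface")" \
        "$(shquote "$(build_filter "$sshport" "$user")")"
}

# Usage (not executed here): stream straight into Wireshark without a fifo.
# Replace "capture@192.0.2.10" with an account that is allowed to run tcpdump.
#   ssh -n -C -p 22 capture@192.0.2.10 \
#       "$(build_remote_cmd eth0 22 'host 192.0.2.1 or host 192.0.2.2')" \
#       | wireshark -k -i -
```

The usage line in the trailing comment pipes ssh's stdout straight into "wireshark -k -i -", which reads the capture from stdin and removes the need for the named pipe and the PID bookkeeping altogether; the named-pipe version is still handy when several captures are to be opened in separate Wireshark windows at once.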
